Page Menu
Home
ClusterLabs Projects
Search
Configure Global Search
Log In
Files
F4639457
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Flag For Later
Award Token
Size
156 KB
Referenced Files
None
Subscribers
None
View Options
diff --git a/cts/cli/regression.acls.exp b/cts/cli/regression.acls.exp
index be91b93455..8c263309e4 100644
--- a/cts/cli/regression.acls.exp
+++ b/cts/cli/regression.acls.exp
@@ -1,2875 +1,2875 @@
=#=#=#= Begin test: Configure some ACLs =#=#=#=
=#=#=#= Current cib after: Configure some ACLs =#=#=#=
<cib epoch="2" num_updates="0" admin_epoch="0">
<configuration>
<crm_config/>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: Configure some ACLs - OK (0) =#=#=#=
* Passed: cibadmin - Configure some ACLs
=#=#=#= Begin test: Enable ACLs =#=#=#=
=#=#=#= Current cib after: Enable ACLs =#=#=#=
<cib epoch="3" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: Enable ACLs - OK (0) =#=#=#=
* Passed: crm_attribute - Enable ACLs
=#=#=#= Begin test: Set cluster option =#=#=#=
=#=#=#= Current cib after: Set cluster option =#=#=#=
<cib epoch="4" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: Set cluster option - OK (0) =#=#=#=
* Passed: crm_attribute - Set cluster option
=#=#=#= Begin test: New ACL role =#=#=#=
=#=#=#= Current cib after: New ACL role =#=#=#=
<cib epoch="5" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: New ACL role - OK (0) =#=#=#=
* Passed: cibadmin - New ACL role
=#=#=#= Begin test: New ACL target =#=#=#=
=#=#=#= Current cib after: New ACL target =#=#=#=
<cib epoch="6" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: New ACL target - OK (0) =#=#=#=
* Passed: cibadmin - New ACL target
=#=#=#= Begin test: Another ACL role =#=#=#=
=#=#=#= Current cib after: Another ACL role =#=#=#=
<cib epoch="7" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: Another ACL role - OK (0) =#=#=#=
* Passed: cibadmin - Another ACL role
=#=#=#= Begin test: Another ACL target =#=#=#=
=#=#=#= Current cib after: Another ACL target =#=#=#=
<cib epoch="8" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: Another ACL target - OK (0) =#=#=#=
* Passed: cibadmin - Another ACL target
=#=#=#= Begin test: Updated ACL =#=#=#=
=#=#=#= Current cib after: Updated ACL =#=#=#=
<cib epoch="9" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: Updated ACL - OK (0) =#=#=#=
* Passed: cibadmin - Updated ACL
=#=#=#= Begin test: unknownguy: Query configuration =#=#=#=
Call failed: Permission denied
=#=#=#= End test: unknownguy: Query configuration - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - unknownguy: Query configuration
=#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#=
crm_attribute: Error performing operation: Permission denied
=#=#=#= End test: unknownguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
* Passed: crm_attribute - unknownguy: Set enable-acl
=#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#=
crm_attribute: Error performing operation: Permission denied
=#=#=#= End test: unknownguy: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
* Passed: crm_attribute - unknownguy: Set stonith-enabled
=#=#=#= Begin test: unknownguy: Create a resource =#=#=#=
-pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@id='dummy']
+pcmk__check_acl trace: Lack of ACL denies user 'unknownguy' read/write access to /cib/configuration/resources/primitive[@id='dummy']
pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy"
Call failed: Permission denied
=#=#=#= End test: unknownguy: Create a resource - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - unknownguy: Create a resource
=#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#=
Call failed: Permission denied
=#=#=#= End test: l33t-haxor: Query configuration - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - l33t-haxor: Query configuration
=#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#=
crm_attribute: Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Set enable-acl - Insufficient privileges (4) =#=#=#=
* Passed: crm_attribute - l33t-haxor: Set enable-acl
=#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#=
crm_attribute: Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
* Passed: crm_attribute - l33t-haxor: Set stonith-enabled
=#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#=
pcmk__check_acl trace: Parent ACL denies user 'l33t-haxor' read/write access to /cib/configuration/resources/primitive[@id='dummy']
pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy"
Call failed: Permission denied
=#=#=#= End test: l33t-haxor: Create a resource - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - l33t-haxor: Create a resource
=#=#=#= Begin test: niceguy: Query configuration =#=#=#=
<cib epoch="9" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#=
* Passed: cibadmin - niceguy: Query configuration
=#=#=#= Begin test: niceguy: Set enable-acl =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
Error setting enable-acl=false (section=crm_config, set=<null>): Permission denied
crm_attribute: Error performing operation: Permission denied
=#=#=#= End test: niceguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
* Passed: crm_attribute - niceguy: Set enable-acl
=#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#=
pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="cib-bootstrap-options-stonith-enabled"
=#=#=#= Current cib after: niceguy: Set stonith-enabled =#=#=#=
<cib epoch="10" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#=
* Passed: crm_attribute - niceguy: Set stonith-enabled
=#=#=#= Begin test: niceguy: Create a resource =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy']
pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy"
Call failed: Permission denied
=#=#=#= End test: niceguy: Create a resource - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - niceguy: Create a resource
=#=#=#= Begin test: root: Query configuration =#=#=#=
<cib epoch="10" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: root: Query configuration - OK (0) =#=#=#=
* Passed: cibadmin - root: Query configuration
=#=#=#= Begin test: root: Set stonith-enabled =#=#=#=
=#=#=#= Current cib after: root: Set stonith-enabled =#=#=#=
<cib epoch="11" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#=
* Passed: crm_attribute - root: Set stonith-enabled
=#=#=#= Begin test: root: Create a resource =#=#=#=
=#=#=#= Current cib after: root: Create a resource =#=#=#=
<cib epoch="12" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: root: Create a resource - OK (0) =#=#=#=
* Passed: cibadmin - root: Create a resource
=#=#=#= Begin test: root: Create another resource (with description) =#=#=#=
=#=#=#= Current cib after: root: Create another resource (with description) =#=#=#=
<cib epoch="13" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: root: Create another resource (with description) - OK (0) =#=#=#=
* Passed: cibadmin - root: Create another resource (with description)
=#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#=
Could not obtain the current CIB: Permission denied
crm_resource: Error performing operation: Insufficient privileges
=#=#=#= End test: l33t-haxor: Create a resource meta attribute - Insufficient privileges (4) =#=#=#=
* Passed: crm_resource - l33t-haxor: Create a resource meta attribute
=#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#=
Could not obtain the current CIB: Permission denied
crm_resource: Error performing operation: Insufficient privileges
=#=#=#= End test: l33t-haxor: Query a resource meta attribute - Insufficient privileges (4) =#=#=#=
* Passed: crm_resource - l33t-haxor: Query a resource meta attribute
=#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#=
Could not obtain the current CIB: Permission denied
crm_resource: Error performing operation: Insufficient privileges
=#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Insufficient privileges (4) =#=#=#=
* Passed: crm_resource - l33t-haxor: Remove a resource meta attribute
=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
pcmk__apply_creation_acl trace: Creation of <meta_attributes> scaffolding with id="dummy-meta_attributes" is implicitly allowed
pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Stopped
=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
<cib epoch="14" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
</meta_attributes>
</primitive>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Create a resource meta attribute
=#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#=
unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
Stopped
=#=#=#= Current cib after: niceguy: Query a resource meta attribute =#=#=#=
<cib epoch="14" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
</meta_attributes>
</primitive>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Query a resource meta attribute
=#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#=
unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role
=#=#=#= Current cib after: niceguy: Remove a resource meta attribute =#=#=#=
<cib epoch="15" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes"/>
</primitive>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Remove a resource meta attribute
=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Started
=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
<cib epoch="16" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Create a resource meta attribute
=#=#=#= Begin test: badidea: Query configuration - implied deny =#=#=#=
<cib>
<configuration>
<resources>
<primitive id="dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
</configuration>
</cib>
=#=#=#= End test: badidea: Query configuration - implied deny - OK (0) =#=#=#=
* Passed: cibadmin - badidea: Query configuration - implied deny
=#=#=#= Begin test: betteridea: Query configuration - explicit deny =#=#=#=
<cib>
<configuration>
<resources>
<primitive id="dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
</configuration>
</cib>
=#=#=#= End test: betteridea: Query configuration - explicit deny - OK (0) =#=#=#=
* Passed: cibadmin - betteridea: Query configuration - explicit deny
<cib epoch="17" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
</resources>
<constraints/>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - remove acls =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/acls
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - remove acls - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - niceguy: Replace - remove acls
<cib epoch="17" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
<primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - create resource =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy2']
pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy2"
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - create resource - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - niceguy: Replace - create resource
<cib epoch="17" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="false"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - modify attribute (deny) - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - niceguy: Replace - modify attribute (deny)
<cib epoch="17" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy_desc']
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - delete attribute (deny) - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - niceguy: Replace - delete attribute (deny)
<cib epoch="17" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - create attribute (deny) - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - niceguy: Replace - create attribute (deny)
<cib epoch="17" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: bob: Replace - create attribute (direct allow) =#=#=#=
=#=#=#= End test: bob: Replace - create attribute (direct allow) - OK (0) =#=#=#=
* Passed: cibadmin - bob: Replace - create attribute (direct allow)
<cib epoch="18" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: bob: Replace - modify attribute (direct allow) =#=#=#=
=#=#=#= End test: bob: Replace - modify attribute (direct allow) - OK (0) =#=#=#=
* Passed: cibadmin - bob: Replace - modify attribute (direct allow)
<cib epoch="19" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: bob: Replace - delete attribute (direct allow) =#=#=#=
=#=#=#= End test: bob: Replace - delete attribute (direct allow) - OK (0) =#=#=#=
* Passed: cibadmin - bob: Replace - delete attribute (direct allow)
<cib epoch="20" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: joe: Replace - create attribute (inherited allow) =#=#=#=
=#=#=#= End test: joe: Replace - create attribute (inherited allow) - OK (0) =#=#=#=
* Passed: cibadmin - joe: Replace - create attribute (inherited allow)
<cib epoch="21" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: joe: Replace - modify attribute (inherited allow) =#=#=#=
=#=#=#= End test: joe: Replace - modify attribute (inherited allow) - OK (0) =#=#=#=
* Passed: cibadmin - joe: Replace - modify attribute (inherited allow)
<cib epoch="22" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: joe: Replace - delete attribute (inherited allow) =#=#=#=
=#=#=#= End test: joe: Replace - delete attribute (inherited allow) - OK (0) =#=#=#=
* Passed: cibadmin - joe: Replace - delete attribute (inherited allow)
<cib epoch="23" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: mike: Replace - create attribute (allow overrides deny) =#=#=#=
=#=#=#= End test: mike: Replace - create attribute (allow overrides deny) - OK (0) =#=#=#=
* Passed: cibadmin - mike: Replace - create attribute (allow overrides deny)
<cib epoch="24" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: mike: Replace - modify attribute (allow overrides deny) =#=#=#=
=#=#=#= End test: mike: Replace - modify attribute (allow overrides deny) - OK (0) =#=#=#=
* Passed: cibadmin - mike: Replace - modify attribute (allow overrides deny)
<cib epoch="25" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: mike: Replace - delete attribute (allow overrides deny) =#=#=#=
=#=#=#= End test: mike: Replace - delete attribute (allow overrides deny) - OK (0) =#=#=#=
* Passed: cibadmin - mike: Replace - delete attribute (allow overrides deny)
<cib epoch="25" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: mike: Create another resource =#=#=#=
pcmk__apply_creation_acl trace: ACLs allow creation of <primitive> with id="dummy2"
=#=#=#= Current cib after: mike: Create another resource =#=#=#=
<cib epoch="26" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
<primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: mike: Create another resource - OK (0) =#=#=#=
* Passed: cibadmin - mike: Create another resource
<cib epoch="27" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
<primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: chris: Replace - create attribute (deny overrides allow) =#=#=#=
pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
Call failed: Permission denied
=#=#=#= End test: chris: Replace - create attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - chris: Replace - create attribute (deny overrides allow)
<cib epoch="27" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
<primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: chris: Replace - modify attribute (deny overrides allow) =#=#=#=
pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
Call failed: Permission denied
=#=#=#= End test: chris: Replace - modify attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - chris: Replace - modify attribute (deny overrides allow)
<cib epoch="27" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
<primitive id="dummy_desc" class="ocf" provider="pacemaker" type="Dummy" description="resource with description"/>
<primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="nothing"/>
</acl_target>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_target id="joe">
<role id="super_user"/>
</acl_target>
<acl_target id="mike">
<role id="rsc_writer"/>
</acl_target>
<acl_target id="chris">
<role id="rsc_denied"/>
</acl_target>
<acl_role id="nothing">
<acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
</acl_role>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="super_user">
<acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
</acl_role>
<acl_role id="rsc_writer">
<acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
<acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_role id="rsc_denied">
<acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
<acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
</acl_role>
<acl_role id="badidea-role">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="badidea">
<role id="badidea-role"/>
</acl_target>
<acl_role id="betteridea-role">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="betteridea-role"/>
</acl_target>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: chris: Replace - delete attribute (deny overrides allow) =#=#=#=
pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy2']
Call failed: Permission denied
=#=#=#= End test: chris: Replace - delete attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - chris: Replace - delete attribute (deny overrides allow)
diff --git a/lib/common/acl.c b/lib/common/acl.c
index 1360e9d22f..0c39395571 100644
--- a/lib/common/acl.c
+++ b/lib/common/acl.c
@@ -1,939 +1,917 @@
/*
* Copyright 2004-2025 the Pacemaker project contributors
*
* The version control history for this file may have further details.
*
* This source code is licensed under the GNU Lesser General Public License
* version 2.1 or later (LGPLv2.1+) WITHOUT ANY WARRANTY.
*/
#include <crm_internal.h>
#include <stdio.h>
#include <sys/types.h>
#include <pwd.h>
#include <string.h>
#include <stdlib.h>
#include <stdarg.h>
#include <libxml/tree.h>
#include <libxml/xpath.h> // xmlXPathObject, etc.
#include <crm/crm.h>
#include <crm/common/xml.h>
#include <crm/common/xml_internal.h>
#include "crmcommon_private.h"
typedef struct xml_acl_s {
enum xml_private_flags mode;
gchar *xpath;
} xml_acl_t;
static void
free_acl(void *data)
{
if (data) {
xml_acl_t *acl = data;
g_free(acl->xpath);
free(acl);
}
}
void
pcmk__free_acls(GList *acls)
{
g_list_free_full(acls, free_acl);
}
static GList *
create_acl(const xmlNode *xml, GList *acls, enum xml_private_flags mode)
{
xml_acl_t *acl = NULL;
const char *tag = crm_element_value(xml, PCMK_XA_OBJECT_TYPE);
const char *ref = crm_element_value(xml, PCMK_XA_REFERENCE);
const char *xpath = crm_element_value(xml, PCMK_XA_XPATH);
const char *attr = crm_element_value(xml, PCMK_XA_ATTRIBUTE);
if ((tag == NULL) && (ref == NULL) && (xpath == NULL)) {
// Schema should prevent this, but to be safe ...
crm_trace("Ignoring ACL <%s> element without selection criteria",
xml->name);
return NULL;
}
acl = pcmk__assert_alloc(1, sizeof (xml_acl_t));
acl->mode = mode;
if (xpath) {
acl->xpath = g_strdup(xpath);
crm_trace("Unpacked ACL <%s> element using xpath: %s",
xml->name, acl->xpath);
} else {
GString *buf = g_string_sized_new(128);
if ((ref != NULL) && (attr != NULL)) {
// NOTE: schema currently does not allow this
pcmk__g_strcat(buf, "//", pcmk__s(tag, "*"), "[@" PCMK_XA_ID "='",
ref, "' and @", attr, "]", NULL);
} else if (ref != NULL) {
pcmk__g_strcat(buf, "//", pcmk__s(tag, "*"), "[@" PCMK_XA_ID "='",
ref, "']", NULL);
} else if (attr != NULL) {
pcmk__g_strcat(buf, "//", pcmk__s(tag, "*"), "[@", attr, "]", NULL);
} else {
pcmk__g_strcat(buf, "//", pcmk__s(tag, "*"), NULL);
}
acl->xpath = buf->str;
g_string_free(buf, FALSE);
crm_trace("Unpacked ACL <%s> element as xpath: %s",
xml->name, acl->xpath);
}
return g_list_append(acls, acl);
}
/*!
* \internal
* \brief Unpack a user, group, or role subtree of the ACLs section
*
* \param[in] acl_top XML of entire ACLs section
* \param[in] acl_entry XML of ACL element being unpacked
* \param[in,out] acls List of ACLs unpacked so far
*
* \return New head of (possibly modified) acls
*
* \note This function is recursive
*/
static GList *
parse_acl_entry(const xmlNode *acl_top, const xmlNode *acl_entry, GList *acls)
{
for (const xmlNode *child = pcmk__xe_first_child(acl_entry, NULL, NULL,
NULL);
child != NULL; child = pcmk__xe_next(child, NULL)) {
if (pcmk__xe_is(child, PCMK_XE_ACL_PERMISSION)) {
const char *kind = crm_element_value(child, PCMK_XA_KIND);
pcmk__assert(kind != NULL);
crm_trace("Unpacking <" PCMK_XE_ACL_PERMISSION "> element of "
"kind '%s'",
kind);
if (pcmk__str_eq(kind, PCMK_VALUE_READ, pcmk__str_none)) {
acls = create_acl(child, acls, pcmk__xf_acl_read);
} else if (pcmk__str_eq(kind, PCMK_VALUE_WRITE, pcmk__str_none)) {
acls = create_acl(child, acls, pcmk__xf_acl_write);
} else if (pcmk__str_eq(kind, PCMK_VALUE_DENY, pcmk__str_none)) {
acls = create_acl(child, acls, pcmk__xf_acl_deny);
} else {
crm_warn("Ignoring unknown ACL kind '%s'", kind);
}
} else if (pcmk__xe_is(child, PCMK_XE_ROLE)) {
const char *ref_role = crm_element_value(child, PCMK_XA_ID);
crm_trace("Unpacking <" PCMK_XE_ROLE "> element");
if (ref_role == NULL) {
continue;
}
for (xmlNode *role = pcmk__xe_first_child(acl_top, NULL, NULL,
NULL);
role != NULL; role = pcmk__xe_next(role, NULL)) {
const char *role_id = NULL;
if (!pcmk__xe_is(role, PCMK_XE_ACL_ROLE)) {
continue;
}
role_id = crm_element_value(role, PCMK_XA_ID);
if (pcmk__str_eq(ref_role, role_id, pcmk__str_none)) {
crm_trace("Unpacking referenced role '%s' in <%s> element",
role_id, acl_entry->name);
acls = parse_acl_entry(acl_top, role, acls);
break;
}
}
}
}
return acls;
}
/*
<acls>
<acl_target id="l33t-haxor"><role id="auto-l33t-haxor"/></acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_target id="badidea"><role id="auto-badidea"/></acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
<acl_permission id="badidea-resources-2" kind="deny" reference="dummy-meta_attributes"/>
</acl_role>
</acls>
*/
static const char *
acl_to_text(enum xml_private_flags flags)
{
if (pcmk_is_set(flags, pcmk__xf_acl_deny)) {
return "deny";
} else if (pcmk_any_flags_set(flags, pcmk__xf_acl_write|pcmk__xf_acl_create)) {
return "read/write";
} else if (pcmk_is_set(flags, pcmk__xf_acl_read)) {
return "read";
}
return "none";
}
void
pcmk__apply_acl(xmlNode *xml)
{
GList *aIter = NULL;
xml_doc_private_t *docpriv = xml->doc->_private;
xml_node_private_t *nodepriv;
xmlXPathObject *xpathObj = NULL;
if (!xml_acl_enabled(xml)) {
crm_trace("Skipping ACLs for user '%s' because not enabled for this XML",
docpriv->user);
return;
}
for (aIter = docpriv->acls; aIter != NULL; aIter = aIter->next) {
int max = 0, lpc = 0;
xml_acl_t *acl = aIter->data;
xpathObj = pcmk__xpath_search(xml->doc, acl->xpath);
max = pcmk__xpath_num_results(xpathObj);
for (lpc = 0; lpc < max; lpc++) {
xmlNode *match = pcmk__xpath_result(xpathObj, lpc);
if (match == NULL) {
continue;
}
/* @COMPAT If the ACL's XPath matches a node that is neither an
* element nor a document, we apply the ACL to the parent element
* rather than to the matched node. For example, if the XPath
* matches a "score" attribute, then it applies to every element
* that contains a "score" attribute. That is, the XPath expression
* "//@score" matches all attributes named "score", but we apply the
* ACL to all elements containing such an attribute.
*
* This behavior is incorrect from an XPath standpoint and is thus
* confusing and counterintuitive. The correct way to match all
* elements containing a "score" attribute is to use an XPath
* predicate: "// *[@score]". (Space inserted after slashes so that
* GCC doesn't throw an error about nested comments.)
*
* Additionally, if an XPath expression matches the entire document
* (for example, "/"), then the ACL applies to the document's root
* element if it exists.
*
* These behaviors should be changed so that the ACL applies to the
* nodes matched by the XPath expression, or so that it doesn't
* apply at all if applying an ACL to an attribute doesn't make
* sense.
*
* Unfortunately, we document in Pacemaker Explained that matching
* attributes is a valid way to match elements: "Attributes may be
* specified in the XPath to select particular elements, but the
* permissions apply to the entire element."
*
* So we have to keep this behavior at least until a compatibility
* break. Even then, it's not feasible in the general case to
* transform such XPath expressions using XSLT.
*/
match = pcmk__xpath_match_element(match);
if (match == NULL) {
continue;
}
nodepriv = match->_private;
pcmk__set_xml_flags(nodepriv, acl->mode);
// Build a GString only if tracing is enabled
pcmk__if_tracing(
{
GString *path = pcmk__element_xpath(match);
crm_trace("Applying %s ACL to %s matched by %s",
acl_to_text(acl->mode), path->str, acl->xpath);
g_string_free(path, TRUE);
},
{}
);
}
crm_trace("Applied %s ACL %s (%d match%s)",
acl_to_text(acl->mode), acl->xpath, max,
((max == 1)? "" : "es"));
xmlXPathFreeObject(xpathObj);
}
}
/*!
* \internal
* \brief Unpack ACLs for a given user into the
* metadata of the target XML tree
*
* Taking the description of ACLs from the source XML tree and
* marking up the target XML tree with access information for the
* given user by tacking it onto the relevant nodes
*
* \param[in] source XML with ACL definitions
* \param[in,out] target XML that ACLs will be applied to
* \param[in] user Username whose ACLs need to be unpacked
*/
void
pcmk__unpack_acl(xmlNode *source, xmlNode *target, const char *user)
{
xml_doc_private_t *docpriv = NULL;
if ((target == NULL) || (target->doc == NULL)
|| (target->doc->_private == NULL)) {
return;
}
docpriv = target->doc->_private;
if (!pcmk_acl_required(user)) {
crm_trace("Not unpacking ACLs because not required for user '%s'",
user);
} else if (docpriv->acls == NULL) {
xmlNode *acls = get_xpath_object("//" PCMK_XE_ACLS, source, LOG_NEVER);
pcmk__str_update(&docpriv->user, user);
if (acls) {
xmlNode *child = NULL;
for (child = pcmk__xe_first_child(acls, NULL, NULL, NULL);
child != NULL; child = pcmk__xe_next(child, NULL)) {
if (pcmk__xe_is(child, PCMK_XE_ACL_TARGET)) {
const char *id = crm_element_value(child, PCMK_XA_NAME);
if (id == NULL) {
id = crm_element_value(child, PCMK_XA_ID);
}
if (id && strcmp(id, user) == 0) {
crm_debug("Unpacking ACLs for user '%s'", id);
docpriv->acls = parse_acl_entry(acls, child, docpriv->acls);
}
} else if (pcmk__xe_is(child, PCMK_XE_ACL_GROUP)) {
const char *id = crm_element_value(child, PCMK_XA_NAME);
if (id == NULL) {
id = crm_element_value(child, PCMK_XA_ID);
}
if (id && pcmk__is_user_in_group(user,id)) {
crm_debug("Unpacking ACLs for group '%s'", id);
docpriv->acls = parse_acl_entry(acls, child, docpriv->acls);
}
}
}
}
}
}
/*!
* \internal
* \brief Copy source to target and set xf_acl_enabled flag in target
*
* \param[in] acl_source XML with ACL definitions
* \param[in,out] target XML that ACLs will be applied to
* \param[in] user Username whose ACLs need to be set
*/
void
pcmk__enable_acl(xmlNode *acl_source, xmlNode *target, const char *user)
{
pcmk__unpack_acl(acl_source, target, user);
pcmk__set_xml_doc_flag(target, pcmk__xf_acl_enabled);
pcmk__apply_acl(target);
}
static inline bool
test_acl_mode(enum xml_private_flags allowed, enum xml_private_flags requested)
{
if (pcmk_is_set(allowed, pcmk__xf_acl_deny)) {
return false;
} else if (pcmk_all_flags_set(allowed, requested)) {
return true;
} else if (pcmk_is_set(requested, pcmk__xf_acl_read)
&& pcmk_is_set(allowed, pcmk__xf_acl_write)) {
return true;
} else if (pcmk_is_set(requested, pcmk__xf_acl_create)
&& pcmk_any_flags_set(allowed, pcmk__xf_acl_write|pcmk__xf_created)) {
return true;
}
return false;
}
/*!
* \internal
* \brief Rid XML tree of all unreadable nodes and node properties
*
* \param[in,out] xml Root XML node to be purged of attributes
*
* \return true if this node or any of its children are readable
* if false is returned, xml will be freed
*
* \note This function is recursive
*/
static bool
purge_xml_attributes(xmlNode *xml)
{
xmlNode *child = NULL;
xmlAttr *xIter = NULL;
bool readable_children = false;
xml_node_private_t *nodepriv = xml->_private;
if (test_acl_mode(nodepriv->flags, pcmk__xf_acl_read)) {
crm_trace("%s[@" PCMK_XA_ID "=%s] is readable",
xml->name, pcmk__xe_id(xml));
return true;
}
xIter = xml->properties;
while (xIter != NULL) {
xmlAttr *tmp = xIter;
const char *prop_name = (const char *)xIter->name;
xIter = xIter->next;
if (strcmp(prop_name, PCMK_XA_ID) == 0) {
continue;
}
pcmk__xa_remove(tmp, true);
}
child = pcmk__xml_first_child(xml);
while ( child != NULL ) {
xmlNode *tmp = child;
child = pcmk__xml_next(child);
readable_children |= purge_xml_attributes(tmp);
}
if (!readable_children) {
// Nothing readable under here, so purge completely
pcmk__xml_free(xml);
}
return readable_children;
}
/*!
* \brief Copy ACL-allowed portions of specified XML
*
* \param[in] user Username whose ACLs should be used
* \param[in] acl_source XML containing ACLs
* \param[in] xml XML to be copied
* \param[out] result Copy of XML portions readable via ACLs
*
* \return true if xml exists and ACLs are required for user, false otherwise
* \note If this returns true, caller should use \p result rather than \p xml
*/
bool
xml_acl_filtered_copy(const char *user, xmlNode *acl_source, xmlNode *xml,
xmlNode **result)
{
GList *aIter = NULL;
xmlNode *target = NULL;
xml_doc_private_t *docpriv = NULL;
*result = NULL;
if ((xml == NULL) || !pcmk_acl_required(user)) {
crm_trace("Not filtering XML because ACLs not required for user '%s'",
user);
return false;
}
crm_trace("Filtering XML copy using user '%s' ACLs", user);
target = pcmk__xml_copy(NULL, xml);
if (target == NULL) {
return true;
}
pcmk__enable_acl(acl_source, target, user);
docpriv = target->doc->_private;
for(aIter = docpriv->acls; aIter != NULL && target; aIter = aIter->next) {
int max = 0;
xml_acl_t *acl = aIter->data;
if (acl->mode != pcmk__xf_acl_deny) {
/* Nothing to do */
} else if (acl->xpath) {
int lpc = 0;
xmlXPathObject *xpathObj = pcmk__xpath_search(target->doc,
acl->xpath);
max = pcmk__xpath_num_results(xpathObj);
for(lpc = 0; lpc < max; lpc++) {
xmlNode *match = pcmk__xpath_result(xpathObj, lpc);
if (match == NULL) {
continue;
}
// @COMPAT See COMPAT comment in pcmk__apply_acl()
match = pcmk__xpath_match_element(match);
if (match == NULL) {
continue;
}
if (!purge_xml_attributes(match) && (match == target)) {
crm_trace("ACLs deny user '%s' access to entire XML document",
user);
xmlXPathFreeObject(xpathObj);
return true;
}
}
crm_trace("ACLs deny user '%s' access to %s (%d %s)",
user, acl->xpath, max,
pcmk__plural_alt(max, "match", "matches"));
xmlXPathFreeObject(xpathObj);
}
}
if (!purge_xml_attributes(target)) {
crm_trace("ACLs deny user '%s' access to entire XML document", user);
return true;
}
if (docpriv->acls) {
g_list_free_full(docpriv->acls, free_acl);
docpriv->acls = NULL;
} else {
crm_trace("User '%s' without ACLs denied access to entire XML document",
user);
pcmk__xml_free(target);
target = NULL;
}
if (target) {
*result = target;
}
return true;
}
/*!
* \internal
* \brief Check whether creation of an XML element is implicitly allowed
*
* Check whether XML is a "scaffolding" element whose creation is implicitly
* allowed regardless of ACLs (that is, it is not in the ACL section and has
* no attributes other than \c PCMK_XA_ID).
*
* \param[in] xml XML element to check
*
* \return true if XML element is implicitly allowed, false otherwise
*/
static bool
implicitly_allowed(const xmlNode *xml)
{
GString *path = NULL;
for (xmlAttr *prop = xml->properties; prop != NULL; prop = prop->next) {
if (strcmp((const char *) prop->name, PCMK_XA_ID) != 0) {
return false;
}
}
path = pcmk__element_xpath(xml);
pcmk__assert(path != NULL);
if (strstr((const char *) path->str, "/" PCMK_XE_ACLS "/") != NULL) {
g_string_free(path, TRUE);
return false;
}
g_string_free(path, TRUE);
return true;
}
#define display_id(xml) pcmk__s(pcmk__xe_id(xml), "<unset>")
/*!
* \internal
* \brief Drop XML nodes created in violation of ACLs
*
* Given an XML element, free all of its descendant nodes created in violation
* of ACLs, with the exception of allowing "scaffolding" elements (i.e. those
* that aren't in the ACL section and don't have any attributes other than
* \c PCMK_XA_ID).
*
* \param[in,out] xml XML to check
* \param[in] check_top Whether to apply checks to argument itself
* (if true, xml might get freed)
*
* \note This function is recursive
*/
void
pcmk__apply_creation_acl(xmlNode *xml, bool check_top)
{
xml_node_private_t *nodepriv = xml->_private;
if (pcmk_is_set(nodepriv->flags, pcmk__xf_created)) {
if (implicitly_allowed(xml)) {
crm_trace("Creation of <%s> scaffolding with " PCMK_XA_ID "=\"%s\""
" is implicitly allowed",
xml->name, display_id(xml));
} else if (pcmk__check_acl(xml, NULL, pcmk__xf_acl_write)) {
crm_trace("ACLs allow creation of <%s> with " PCMK_XA_ID "=\"%s\"",
xml->name, display_id(xml));
} else if (check_top) {
/* is_root=true should be impossible with check_top=true, but check
* for sanity
*/
bool is_root = (xmlDocGetRootElement(xml->doc) == xml);
xml_doc_private_t *docpriv = xml->doc->_private;
crm_trace("ACLs disallow creation of %s<%s> with "
PCMK_XA_ID "=\"%s\"",
(is_root? "root element " : ""), xml->name,
display_id(xml));
// pcmk__xml_free() checks ACLs if enabled, which would fail
pcmk__clear_xml_flags(docpriv, pcmk__xf_acl_enabled);
pcmk__xml_free(xml);
if (!is_root) {
// If root, the document was freed. Otherwise re-enable ACLs.
pcmk__set_xml_flags(docpriv, pcmk__xf_acl_enabled);
}
return;
} else {
crm_notice("ACLs would disallow creation of %s<%s> with "
PCMK_XA_ID "=\"%s\"",
((xml == xmlDocGetRootElement(xml->doc))? "root element " : ""),
xml->name, display_id(xml));
}
}
for (xmlNode *cIter = pcmk__xml_first_child(xml); cIter != NULL; ) {
xmlNode *child = cIter;
cIter = pcmk__xml_next(cIter); /* In case it is free'd */
pcmk__apply_creation_acl(child, true);
}
}
/*!
* \brief Check whether or not an XML node is ACL-denied
*
* \param[in] xml node to check
*
* \return true if XML node exists and is ACL-denied, false otherwise
*/
bool
xml_acl_denied(const xmlNode *xml)
{
if (xml && xml->doc && xml->doc->_private){
xml_doc_private_t *docpriv = xml->doc->_private;
return pcmk_is_set(docpriv->flags, pcmk__xf_acl_denied);
}
return false;
}
void
xml_acl_disable(xmlNode *xml)
{
if (xml_acl_enabled(xml)) {
xml_doc_private_t *docpriv = xml->doc->_private;
/* Catch anything that was created but shouldn't have been */
pcmk__apply_acl(xml);
pcmk__apply_creation_acl(xml, false);
pcmk__clear_xml_flags(docpriv, pcmk__xf_acl_enabled);
}
}
/*!
* \brief Check whether or not an XML node is ACL-enabled
*
* \param[in] xml node to check
*
* \return true if XML node exists and is ACL-enabled, false otherwise
*/
bool
xml_acl_enabled(const xmlNode *xml)
{
if (xml && xml->doc && xml->doc->_private){
xml_doc_private_t *docpriv = xml->doc->_private;
return pcmk_is_set(docpriv->flags, pcmk__xf_acl_enabled);
}
return false;
}
+/*!
+ * \internal
+ * \brief Deny access to an XML tree's document based on ACLs
+ *
+ * \param[in,out] xml XML tree
+ * \param[in] attr_name Name of attribute being accessed in \p xml (for
+ * logging only)
+ * \param[in] prefix Prefix describing ACL that denied access (for
+ * logging only)
+ * \param[in] user User accessing \p xml (for logging only)
+ * \param[in] mode Access mode
+ */
+#define check_acl_deny(xml, attr_name, prefix, user, mode) do { \
+ xmlNode *tree = xml; \
+ \
+ pcmk__set_xml_doc_flag(tree, pcmk__xf_acl_denied); \
+ pcmk__if_tracing( \
+ { \
+ GString *xpath = pcmk__element_xpath(tree); \
+ \
+ if ((attr_name) != NULL) { \
+ pcmk__g_strcat(xpath, "[@", attr_name, "]", NULL); \
+ } \
+ qb_log_from_external_source(__func__, __FILE__, \
+ "%sACL denies user '%s' %s " \
+ "access to %s", \
+ LOG_TRACE, __LINE__, 0 , \
+ prefix, user, \
+ acl_to_text(mode), xpath->str); \
+ g_string_free(xpath, TRUE); \
+ }, \
+ {} \
+ ); \
+ } while (false);
+
bool
pcmk__check_acl(xmlNode *xml, const char *attr_name,
enum xml_private_flags mode)
{
xml_doc_private_t *docpriv = NULL;
pcmk__assert((xml != NULL) && (xml->doc->_private != NULL));
if (!pcmk__tracking_xml_changes(xml, false) || !xml_acl_enabled(xml)) {
return true;
}
docpriv = xml->doc->_private;
-
if (docpriv->acls == NULL) {
- pcmk__set_xml_doc_flag(xml, pcmk__xf_acl_denied);
-
- pcmk__if_tracing(
- {
- GString *xpath = pcmk__element_xpath(xml);
-
- if (attr_name != NULL) {
- pcmk__g_strcat(xpath, "[@", attr_name, "]", NULL);
- }
-
- qb_log_from_external_source(__func__, __FILE__,
- "User '%s' without ACLs denied %s "
- "access to %s",
- LOG_TRACE, __LINE__, 0,
- docpriv->user, acl_to_text(mode),
- xpath->str);
- g_string_free(xpath, TRUE);
- },
- {}
- );
+ check_acl_deny(xml, attr_name, "Lack of ", docpriv->user, mode);
return false;
}
/* Walk the tree upwards looking for xml_acl_* flags
* - Creating an attribute requires write permissions for the node
* - Creating a child requires write permissions for the parent
*/
if (attr_name != NULL) {
xmlAttr *attr = xmlHasProp(xml, (pcmkXmlStr) attr_name);
if ((attr != NULL) && (mode == pcmk__xf_acl_create)) {
mode = pcmk__xf_acl_write;
}
}
for (const xmlNode *parent = xml;
(parent != NULL) && (parent->_private != NULL);
parent = parent->parent) {
const xml_node_private_t *nodepriv = parent->_private;
if (test_acl_mode(nodepriv->flags, mode)) {
return true;
}
if (pcmk_is_set(nodepriv->flags, pcmk__xf_acl_deny)) {
- pcmk__set_xml_doc_flag(xml, pcmk__xf_acl_denied);
-
- pcmk__if_tracing(
- {
- GString *xpath = pcmk__element_xpath(xml);
-
- if (attr_name != NULL) {
- pcmk__g_strcat(xpath, "[@", attr_name, "]", NULL);
- }
+ const char *pfx = (parent != xml)? "Parent " : "";
- qb_log_from_external_source(__func__, __FILE__,
- "%sACL denies user '%s' %s "
- "access to %s",
- LOG_TRACE, __LINE__, 0,
- (parent != xml)? "Parent ": "",
- docpriv->user,
- acl_to_text(mode), xpath->str);
- g_string_free(xpath, TRUE);
- },
- {}
- );
+ check_acl_deny(xml, attr_name, pfx, docpriv->user, mode);
return false;
}
}
- pcmk__set_xml_doc_flag(xml, pcmk__xf_acl_denied);
-
- pcmk__if_tracing(
- {
- GString *xpath = pcmk__element_xpath(xml);
-
- if (attr_name != NULL) {
- pcmk__g_strcat(xpath, "[@", attr_name, "]", NULL);
- }
-
- qb_log_from_external_source(__func__, __FILE__,
- "Default ACL denies user '%s' %s "
- "access to %s",
- LOG_TRACE, __LINE__, 0,
- docpriv->user, acl_to_text(mode),
- xpath->str);
- g_string_free(xpath, TRUE);
- },
- {}
- );
+ check_acl_deny(xml, attr_name, "Default ", docpriv->user, mode);
return false;
}
/*!
* \brief Check whether ACLs are required for a given user
*
* \param[in] User name to check
*
* \return true if the user requires ACLs, false otherwise
*/
bool
pcmk_acl_required(const char *user)
{
if (pcmk__str_empty(user)) {
crm_trace("ACLs not required because no user set");
return false;
} else if (!strcmp(user, CRM_DAEMON_USER) || !strcmp(user, "root")) {
crm_trace("ACLs not required for privileged user %s", user);
return false;
}
crm_trace("ACLs required for %s", user);
return true;
}
char *
pcmk__uid2username(uid_t uid)
{
struct passwd *pwent = getpwuid(uid);
if (pwent == NULL) {
crm_perror(LOG_INFO, "Cannot get user details for user ID %d", uid);
return NULL;
}
return pcmk__str_copy(pwent->pw_name);
}
/*!
* \internal
* \brief Set the ACL user field properly on an XML request
*
* Multiple user names are potentially involved in an XML request: the effective
* user of the current process; the user name known from an IPC client
* connection; and the user name obtained from the request itself, whether by
* the current standard XML attribute name or an older legacy attribute name.
* This function chooses the appropriate one that should be used for ACLs, sets
* it in the request (using the standard attribute name, and the legacy name if
* given), and returns it.
*
* \param[in,out] request XML request to update
* \param[in] field Alternate name for ACL user name XML attribute
* \param[in] peer_user User name as known from IPC connection
*
* \return ACL user name actually used
*/
const char *
pcmk__update_acl_user(xmlNode *request, const char *field,
const char *peer_user)
{
static const char *effective_user = NULL;
const char *requested_user = NULL;
const char *user = NULL;
if (effective_user == NULL) {
effective_user = pcmk__uid2username(geteuid());
if (effective_user == NULL) {
effective_user = pcmk__str_copy("#unprivileged");
crm_err("Unable to determine effective user, assuming unprivileged for ACLs");
}
}
requested_user = crm_element_value(request, PCMK__XA_ACL_TARGET);
if (requested_user == NULL) {
/* Currently, different XML attribute names are used for the ACL user in
* different contexts (PCMK__XA_ATTR_USER, PCMK__XA_CIB_USER, etc.).
* The caller may specify that name as the field argument.
*
* @TODO Standardize on PCMK__XA_ACL_TARGET and eventually drop the
* others once rolling upgrades from versions older than that are no
* longer supported.
*/
requested_user = crm_element_value(request, field);
}
if (!pcmk__is_privileged(effective_user)) {
/* We're not running as a privileged user, set or overwrite any existing
* value for PCMK__XA_ACL_TARGET
*/
user = effective_user;
} else if (peer_user == NULL && requested_user == NULL) {
/* No user known or requested, use 'effective_user' and make sure one is
* set for the request
*/
user = effective_user;
} else if (peer_user == NULL) {
/* No user known, trusting 'requested_user' */
user = requested_user;
} else if (!pcmk__is_privileged(peer_user)) {
/* The peer is not a privileged user, set or overwrite any existing
* value for PCMK__XA_ACL_TARGET
*/
user = peer_user;
} else if (requested_user == NULL) {
/* Even if we're privileged, make sure there is always a value set */
user = peer_user;
} else {
/* Legal delegation to 'requested_user' */
user = requested_user;
}
// This requires pointer comparison, not string comparison
if (user != crm_element_value(request, PCMK__XA_ACL_TARGET)) {
crm_xml_add(request, PCMK__XA_ACL_TARGET, user);
}
if (field != NULL && user != crm_element_value(request, field)) {
crm_xml_add(request, field, user);
}
return requested_user;
}
File Metadata
Details
Attached
Mime Type
text/x-diff
Expires
Thu, Jul 10, 3:01 AM (1 d, 22 s)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2009833
Default Alt Text
(156 KB)
Attached To
Mode
rP Pacemaker
Attached
Detach File
Event Timeline
Log In to Comment