
cibadmin --show-access on live cluster gives incorrect results for ACL-restricted user
Open, Normal, Public

Assigned To
None
Authored By
nrwahl2
Apr 1 2024, 5:53 PM
Tags
  • Restricted Project
  • Restricted Project
  • Restricted Project
Referenced Files
None
Subscribers

Description

Almost all the discussion in CLPR#3404 is about this issue.

This issue is not present when running against a CIB file. Ken said:

I vaguely remember that ACLs don't matter for CIB_file, since the user's file system permissions override anything we do.

This bug goes all the way back to 2.1.3 when the access rendering feature was introduced.

Reproducer:

  1. Set the enable-acl property to true.
  2. Add the following ACLs:
<acls>
  <acl_role id="role-deny-acls-write-resources">
    <acl_permission id="deny-acls" kind="deny" xpath="/cib/configuration/acls"/>
    <acl_permission id="write-resources" kind="write" xpath="/cib/configuration/resources"/>
    <acl_permission id="read-rest" kind="read" xpath="/cib"/>
  </acl_role>
  <acl_target id="test_user">
    <role id="role-deny-acls-write-resources"/>
  </acl_target>
</acls>
  3. Run cibadmin -Q --force --show-access=namespace --user=test_user as test_user

Expected results (<acls> should be hidden because they're denied to the user running the command, but the other ACLs should be shown correctly as read and write):

<pcmk-access-readable:cib crm_feature_set="3.19.2" validate-with="pacemaker-3.8" epoch="13" num_updates="6" admin_epoch="0" cib-last-written="Mon Apr  1 14:48:52 2024" update-origin="laptop" update-client="hacluster" update-user="hacluster" have-quorum="1" dc-uuid="1" xmlns:pcmk-access-writable="http://clusterlabs.org/ns/pacemaker/access/writable" xmlns:pcmk-access-readable="http://clusterlabs.org/ns/pacemaker/access/readable" xmlns:pcmk-access-denied="http://clusterlabs.org/ns/pacemaker/access/denied">
  <configuration>
    <crm_config>
      <cluster_property_set id="cib-bootstrap-options">
        <nvpair id="cib-bootstrap-options-dc-deadtime" name="dc-deadtime" value="3s"/>
        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
        <nvpair id="cib-bootstrap-options-have-watchdog" name="have-watchdog" value="false"/>
        <nvpair id="cib-bootstrap-options-dc-version" name="dc-version" value="2.1.7-d82a8bb04e"/>
        <nvpair id="cib-bootstrap-options-cluster-infrastructure" name="cluster-infrastructure" value="corosync"/>
        <nvpair id="cib-bootstrap-options-cluster-name" name="cluster-name" value="testcluster"/>
      </cluster_property_set>
    </crm_config>
    <nodes>
      <node id="1" uname="laptop"/>
    </nodes>
    <pcmk-access-writable:resources/>
    <constraints/>
  </configuration>
  <status>
    <node_state id="1" uname="laptop" in_ccm="1712008128" crmd="1712008128" crm-debug-origin="do_state_transition" join="member" expected="member">
      <transient_attributes id="1">
        <instance_attributes id="status-1">
          <nvpair id="status-1-.feature-set" name="#feature-set" value="3.19.2"/>
        </instance_attributes>
      </transient_attributes>
      <lrm id="1">
        <lrm_resources/>
      </lrm>
    </node_state>
  </status>
</pcmk-access-readable:cib>

Actual results (the entire <cib> is shown as denied, and <acls> is correctly hidden):

<pcmk-access-denied:cib crm_feature_set="3.19.2" validate-with="pacemaker-3.8" epoch="13" num_updates="6" admin_epoch="0" cib-last-written="Mon Apr  1 14:48:52 2024" update-origin="laptop" update-client="hacluster" update-user="hacluster" have-quorum="1" dc-uuid="1" xmlns:pcmk-access-denied="http://clusterlabs.org/ns/pacemaker/access/denied">
  <configuration>
    <crm_config>
      <cluster_property_set id="cib-bootstrap-options">
        <nvpair id="cib-bootstrap-options-dc-deadtime" name="dc-deadtime" value="3s"/>
        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
        <nvpair id="cib-bootstrap-options-have-watchdog" name="have-watchdog" value="false"/>
        <nvpair id="cib-bootstrap-options-dc-version" name="dc-version" value="2.1.7-d82a8bb04e"/>
        <nvpair id="cib-bootstrap-options-cluster-infrastructure" name="cluster-infrastructure" value="corosync"/>
        <nvpair id="cib-bootstrap-options-cluster-name" name="cluster-name" value="testcluster"/>
      </cluster_property_set>
    </crm_config>
    <nodes>
      <node id="1" uname="laptop"/>
    </nodes>
    <resources/>
    <constraints/>
  </configuration>
  <status>
    <node_state id="1" uname="laptop" in_ccm="1712008128" crmd="1712008128" crm-debug-origin="do_state_transition" join="member" expected="member">
      <transient_attributes id="1">
        <instance_attributes id="status-1">
          <nvpair id="status-1-.feature-set" name="#feature-set" value="3.19.2"/>
        </instance_attributes>
      </transient_attributes>
      <lrm id="1">
        <lrm_resources/>
      </lrm>
    </node_state>
  </status>
</pcmk-access-denied:cib>
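As an added check (example code, not from the report or from Pacemaker itself), the following Python models the access the reproducer's ACL role implies for each CIB element, reads the access that cibadmin --show-access=namespace actually printed, and lists the elements where the two disagree, so the wrong denied root above shows up as a mismatch. It assumes the documented ACL rules (the first permission matching an element wins, otherwise the parent's access is inherited, denied subtrees are hidden, nothing matched is denied) and only plain absolute-path xpaths; the sample CIB and the outputs compared against it are constructed.

```python
import xml.etree.ElementTree as ET

NS_BASE = "http://clusterlabs.org/ns/pacemaker/access/"
ACCESS = {"read": "readable", "write": "writable", "deny": "denied"}

# The role from the reproducer, as (kind, xpath) in evaluation order.
ACL_ROLE = [("deny", "/cib/configuration/acls"),
            ("write", "/cib/configuration/resources"),
            ("read", "/cib")]

# Constructed, trimmed CIB using the element names seen in the report.
SAMPLE_CIB = """<cib validate-with="pacemaker-3.8" epoch="13"><configuration><crm_config/>
  <nodes><node id="1" uname="laptop"/></nodes><resources/><constraints/>
  <acls><acl_role id="role-deny-acls-write-resources"/></acls></configuration><status/></cib>"""

def expected_access(cib_xml, role=ACL_ROLE):
    # Path -> access the role implies for every element the user may see.
    # Assumed model (not Pacemaker's ACL code): xpaths are plain absolute paths
    # selecting exactly that element, the first matching permission wins,
    # unmatched elements inherit the parent's, and nothing matched is denied.
    result = {}
    def walk(elem, path, inherited):
        kind = next((k for k, xp in role if xp == path), inherited)
        if kind in (None, "deny"):
            return  # denied subtrees (and anything below them) are hidden
        result[path] = ACCESS[kind]
        for child in elem:
            walk(child, path + "/" + child.tag, kind)
    root = ET.fromstring(cib_xml)
    walk(root, "/" + root.tag, None)
    return result

def actual_access(show_access_xml):
    # Same map, read from cibadmin --show-access=namespace output: a prefixed
    # element states its own access, an unprefixed one inherits its parent's.
    result = {}
    def walk(elem, parent_path, inherited):
        ns, _, local = elem.tag.rpartition("}")   # "{uri}local" or "local"
        kind = ns[len(NS_BASE) + 1:] if ns.startswith("{" + NS_BASE) else inherited
        path = parent_path + "/" + local
        result[path] = kind
        for child in elem:
            walk(child, path, kind)
    walk(ET.fromstring(show_access_xml), "", None)
    return result

def compare_access(expected, actual):
    # (path, expected, actual) wherever the live output disagrees with the role.
    return sorted((p, expected.get(p), actual.get(p))
                  for p in set(expected) | set(actual) if expected.get(p) != actual.get(p))
```

Feed actual_access() the real cibadmin output for the live cluster and the bug reported above appears as ("/cib", "readable", "denied") in the comparison, while a CIB file run that renders correctly yields an empty list.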

Event Timeline

nrwahl2 triaged this task as Normal priority. Apr 1 2024, 5:53 PM
nrwahl2 created this task.
nrwahl2 created this object with edit policy "Restricted Project (Project)".
kgaillot added a project: Restricted Project. Apr 1 2024, 6:06 PM