
Apply ACLs to a matched node instead of to its parent element
Open, Wishlist, Public

Description

If an ACL's xpath attribute matches a node that is neither an element nor a document, we apply the ACL to the parent element rather than to the matched node. For example, if the XPath matches a score attribute, then it applies to every element that contains a score attribute. That is, the XPath expression "//@score" matches all attributes named score, but we apply the ACL to all elements containing such an attribute.

This behavior is incorrect from an XPath standpoint and is thus confusing and counterintuitive. The correct way to match all elements containing a score attribute is to use an XPath predicate: "//*[@score]".

Additionally, if an XPath expression matches the entire document (for example, "/"), then the ACL applies to the document's root element if it exists.

These behaviors should be changed so that the ACL applies to the nodes matched by the XPath expression, or so that it doesn't apply at all if applying an ACL to an attribute doesn't make sense.

Unfortunately, we document in Pacemaker Explained that matching attributes is a valid way to match elements:

Attributes may be specified in the XPath to select particular elements, but the permissions apply to the entire element.

So we have to keep this behavior at least until a compatibility break. Even then, it's not feasible in the general case to transform such XPath expressions using XSLT.
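As an added illustration (not Pacemaker's own code), the following Ruby script uses the standard-library REXML XPath engine on a constructed CIB fragment to show what "//@score" and "//*[@score]" actually select, and emulates the current parent-element fallback described above alongside the stricter element-only semantics this task proposes. The CIB content and ids are made up for the example.

```ruby
require 'rexml/document'

# Constructed CIB fragment for the example; not a real cluster configuration.
CIB_XML = <<~XML
  <cib validate-with="pacemaker-3.0">
    <configuration>
      <resources>
        <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
      </resources>
      <constraints>
        <rsc_location id="loc-1" rsc="dummy" node="node1" score="INFINITY"/>
        <rsc_location id="loc-2" rsc="dummy">
          <rule id="loc-2-rule" score="-INFINITY">
            <expression id="loc-2-expr" attribute="#uname" operation="eq" value="node2"/>
          </rule>
        </rsc_location>
      </constraints>
    </configuration>
  </cib>
XML

def cib_document
  REXML::Document.new(CIB_XML)
end

# Kind of each node the XPath expression selects. REXML::Document is a
# subclass of REXML::Element, so it has to be tested first.
def matched_kinds(doc, xpath)
  REXML::XPath.match(doc, xpath).map do |node|
    case node
    when REXML::Document  then "document"
    when REXML::Element   then "element"
    when REXML::Attribute then "attribute"
    else node.class.name.split("::").last.downcase
    end
  end
end

# Elements the ACL is applied to under the current behavior: an attribute (or
# text) match is mapped to its owning element, a document match to the root.
def acl_targets_current(doc, xpath)
  REXML::XPath.match(doc, xpath).map do |node|
    case node
    when REXML::Document  then node.root
    when REXML::Element   then node
    when REXML::Attribute then node.element
    else node.parent
    end
  end.compact.uniq.map { |el| el.attributes["id"] || el.name }
end

# Elements the ACL would target under strict semantics: only element matches
# count, so an attribute-only expression like "//@score" applies to nothing.
def acl_targets_strict(doc, xpath)
  REXML::XPath.match(doc, xpath)
              .select { |n| n.is_a?(REXML::Element) && !n.is_a?(REXML::Document) }
              .map { |el| el.attributes["id"] || el.name }
end
```

Under the current behavior "//@score" and "//*[@score]" yield the same target set, which is exactly the ambiguity the task describes; under strict semantics only the predicate form selects elements.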

Event Timeline

nrwahl2 triaged this task as Wishlist priority. Wed, Mar 19, 5:01 PM
nrwahl2 created this task.