Page Menu
Home
ClusterLabs Projects
Search
Configure Global Search
Log In
Files
F4512261
regression.acls.exp
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Flag For Later
Award Token
Size
101 KB
Referenced Files
None
Subscribers
None
regression.acls.exp
View Options
Created new pacemaker configuration
Setting up shadow instance
A new shadow instance was created. To begin using it paste the following into your shell:
CIB_shadow=tools-regression ; export CIB_shadow
=#=#=#= Begin test: Configure some ACLs =#=#=#=
=#=#=#= Current cib after: Configure some ACLs =#=#=#=
<cib epoch="1" num_updates="0" admin_epoch="0">
<configuration>
<crm_config/>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: Configure some ACLs - OK (0) =#=#=#=
* Passed: cibadmin - Configure some ACLs
=#=#=#= Begin test: Enable ACLs =#=#=#=
=#=#=#= Current cib after: Enable ACLs =#=#=#=
<cib epoch="2" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: Enable ACLs - OK (0) =#=#=#=
* Passed: crm_attribute - Enable ACLs
=#=#=#= Begin test: Set cluster option =#=#=#=
=#=#=#= Current cib after: Set cluster option =#=#=#=
<cib epoch="3" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: Set cluster option - OK (0) =#=#=#=
* Passed: crm_attribute - Set cluster option
=#=#=#= Begin test: New ACL =#=#=#=
=#=#=#= Current cib after: New ACL =#=#=#=
<cib epoch="4" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: New ACL - OK (0) =#=#=#=
* Passed: cibadmin - New ACL
=#=#=#= Begin test: Another ACL =#=#=#=
=#=#=#= Current cib after: Another ACL =#=#=#=
<cib epoch="5" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: Another ACL - OK (0) =#=#=#=
* Passed: cibadmin - Another ACL
=#=#=#= Begin test: Updated ACL =#=#=#=
=#=#=#= Current cib after: Updated ACL =#=#=#=
<cib epoch="6" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: Updated ACL - OK (0) =#=#=#=
* Passed: cibadmin - Updated ACL
=#=#=#= Begin test: unknownguy: Query configuration =#=#=#=
Call failed: Permission denied
=#=#=#= End test: unknownguy: Query configuration - Permission denied (13) =#=#=#=
* Passed: cibadmin - unknownguy: Query configuration
=#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: unknownguy: Set enable-acl - Permission denied (13) =#=#=#=
* Passed: crm_attribute - unknownguy: Set enable-acl
=#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: unknownguy: Set stonith-enabled - Permission denied (13) =#=#=#=
* Passed: crm_attribute - unknownguy: Set stonith-enabled
=#=#=#= Begin test: unknownguy: Create a resource =#=#=#=
( acl.c:NNN ) trace: pcmk__check_acl: Ordinary user unknownguy cannot access the CIB without any defined ACLs
( acl.c:NNN ) trace: pcmk__check_acl: Ordinary user unknownguy cannot access the CIB without any defined ACLs
( acl.c:NNN ) trace: pcmk__check_acl: Ordinary user unknownguy cannot access the CIB without any defined ACLs
( acl.c:NNN ) trace: pcmk__check_acl: Ordinary user unknownguy cannot access the CIB without any defined ACLs
Call failed: Permission denied
=#=#=#= End test: unknownguy: Create a resource - Permission denied (13) =#=#=#=
* Passed: cibadmin - unknownguy: Create a resource
=#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#=
Call failed: Permission denied
=#=#=#= End test: l33t-haxor: Query configuration - Permission denied (13) =#=#=#=
* Passed: cibadmin - l33t-haxor: Query configuration
=#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Set enable-acl - Permission denied (13) =#=#=#=
* Passed: crm_attribute - l33t-haxor: Set enable-acl
=#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Set stonith-enabled - Permission denied (13) =#=#=#=
* Passed: crm_attribute - l33t-haxor: Set stonith-enabled
=#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#=
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/resources/primitive[@id='dummy']: parent
( acl.c:NNN ) trace: pcmk__post_process_acl: Cannot add new node primitive at /cib/configuration/resources/primitive[@id='dummy']
Call failed: Permission denied
=#=#=#= End test: l33t-haxor: Create a resource - Permission denied (13) =#=#=#=
* Passed: cibadmin - l33t-haxor: Create a resource
=#=#=#= Begin test: niceguy: Query configuration =#=#=#=
<cib epoch="6" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#=
* Passed: cibadmin - niceguy: Query configuration
=#=#=#= Begin test: niceguy: Set enable-acl =#=#=#=
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]: default
Error performing operation: Permission denied
Error setting enable-acl=false (section=crm_config, set=<null>): Permission denied
=#=#=#= End test: niceguy: Set enable-acl - Permission denied (13) =#=#=#=
* Passed: crm_attribute - niceguy: Set enable-acl
=#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#=
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of nvpair=cib-bootstrap-options-stonith-enabled is allowed
=#=#=#= Current cib after: niceguy: Set stonith-enabled =#=#=#=
<cib epoch="7" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#=
* Passed: crm_attribute - niceguy: Set stonith-enabled
=#=#=#= Begin test: niceguy: Create a resource =#=#=#=
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/resources/primitive[@id='dummy']: default
( acl.c:NNN ) trace: pcmk__post_process_acl: Cannot add new node primitive at /cib/configuration/resources/primitive[@id='dummy']
Call failed: Permission denied
=#=#=#= End test: niceguy: Create a resource - Permission denied (13) =#=#=#=
* Passed: cibadmin - niceguy: Create a resource
=#=#=#= Begin test: root: Query configuration =#=#=#=
<cib epoch="7" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: root: Query configuration - OK (0) =#=#=#=
* Passed: cibadmin - root: Query configuration
=#=#=#= Begin test: root: Set stonith-enabled =#=#=#=
=#=#=#= Current cib after: root: Set stonith-enabled =#=#=#=
<cib epoch="8" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#=
* Passed: crm_attribute - root: Set stonith-enabled
=#=#=#= Begin test: root: Create a resource =#=#=#=
=#=#=#= Current cib after: root: Create a resource =#=#=#=
<cib epoch="9" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: root: Create a resource - OK (0) =#=#=#=
* Passed: cibadmin - root: Create a resource
=#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Create a resource meta attribute - Permission denied (13) =#=#=#=
* Passed: crm_resource - l33t-haxor: Create a resource meta attribute
=#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Query a resource meta attribute - Permission denied (13) =#=#=#=
* Passed: crm_resource - l33t-haxor: Query a resource meta attribute
=#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Permission denied (13) =#=#=#=
* Passed: crm_resource - l33t-haxor: Remove a resource meta attribute
=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
error: unpack_resources: Resource start-up disabled since no STONITH resources have been defined
error: unpack_resources: Either configure some or disable STONITH with the stonith-enabled option
error: unpack_resources: NOTE: Clusters with shared data need STONITH to ensure data integrity
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of nvpair=dummy-meta_attributes-target-role is allowed
Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role=Stopped
=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
<cib epoch="10" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Create a resource meta attribute
=#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#=
error: unpack_resources: Resource start-up disabled since no STONITH resources have been defined
error: unpack_resources: Either configure some or disable STONITH with the stonith-enabled option
error: unpack_resources: NOTE: Clusters with shared data need STONITH to ensure data integrity
Stopped
=#=#=#= Current cib after: niceguy: Query a resource meta attribute =#=#=#=
<cib epoch="10" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Query a resource meta attribute
=#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#=
error: unpack_resources: Resource start-up disabled since no STONITH resources have been defined
error: unpack_resources: Either configure some or disable STONITH with the stonith-enabled option
error: unpack_resources: NOTE: Clusters with shared data need STONITH to ensure data integrity
Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role
=#=#=#= Current cib after: niceguy: Remove a resource meta attribute =#=#=#=
<cib epoch="11" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes"/>
</primitive>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Remove a resource meta attribute
=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
error: unpack_resources: Resource start-up disabled since no STONITH resources have been defined
error: unpack_resources: Either configure some or disable STONITH with the stonith-enabled option
error: unpack_resources: NOTE: Clusters with shared data need STONITH to ensure data integrity
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of nvpair=dummy-meta_attributes-target-role is allowed
Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role=Started
=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
<cib epoch="12" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Create a resource meta attribute
=#=#=#= Begin test: badidea: Query configuration - implied deny =#=#=#=
<cib>
<configuration>
<resources>
<primitive id="dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
</configuration>
</cib>
=#=#=#= End test: badidea: Query configuration - implied deny - OK (0) =#=#=#=
* Passed: cibadmin - badidea: Query configuration - implied deny
=#=#=#= Begin test: betteridea: Query configuration - explicit deny =#=#=#=
<cib>
<configuration>
<resources>
<primitive id="dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
</configuration>
</cib>
=#=#=#= End test: betteridea: Query configuration - explicit deny - OK (0) =#=#=#=
* Passed: cibadmin - betteridea: Query configuration - explicit deny
<cib epoch="13" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - remove acls =#=#=#=
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/acls: default
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - remove acls - Permission denied (13) =#=#=#=
* Passed: cibadmin - niceguy: Replace - remove acls
<cib epoch="13" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
<primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - create resource =#=#=#=
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/resources/primitive[@id='dummy2']: default
( acl.c:NNN ) trace: pcmk__post_process_acl: Cannot add new node primitive at /cib/configuration/resources/primitive[@id='dummy2']
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - create resource - Permission denied (13) =#=#=#=
* Passed: cibadmin - niceguy: Replace - create resource
<cib epoch="13" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="false"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#=
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]: default
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - modify attribute (deny) - Permission denied (13) =#=#=#=
* Passed: cibadmin - niceguy: Replace - modify attribute (deny)
<cib epoch="13" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#=
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']: default
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - delete attribute (deny) - Permission denied (13) =#=#=#=
* Passed: cibadmin - niceguy: Replace - delete attribute (deny)
<cib epoch="13" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#=
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/resources/primitive[@id='dummy'][@description]: default
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - create attribute (deny) - Permission denied (13) =#=#=#=
* Passed: cibadmin - niceguy: Replace - create attribute (deny)
<cib epoch="13" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: bob: Replace - create attribute (allow) =#=#=#=
=#=#=#= End test: bob: Replace - create attribute (allow) - OK (0) =#=#=#=
* Passed: cibadmin - bob: Replace - create attribute (allow)
<cib epoch="14" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: bob: Replace - modify attribute (allow) =#=#=#=
=#=#=#= End test: bob: Replace - modify attribute (allow) - OK (0) =#=#=#=
* Passed: cibadmin - bob: Replace - modify attribute (allow)
<cib epoch="15" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: bob: Replace - delete attribute (allow) =#=#=#=
=#=#=#= End test: bob: Replace - delete attribute (allow) - OK (0) =#=#=#=
* Passed: cibadmin - bob: Replace - delete attribute (allow)
!#!#!#!#! Upgrading to pacemaker-2.0 and retesting !#!#!#!#!
=#=#=#= Begin test: root: Upgrade to pacemaker-2.0 =#=#=#=
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of acl_permission=observer-read-1 is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of acl_permission=observer-write-1 is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of acl_permission=observer-write-2 is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of acl_permission=admin-read-1 is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of acl_permission=admin-write-1 is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of acl_target=l33t-haxor is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of role=auto-l33t-haxor is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of acl_role=auto-l33t-haxor is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of acl_permission=crook-nothing is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of acl_target=niceguy is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of role=observer is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of acl_target=bob is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of role=admin is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of acl_target=badidea is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of role=auto-badidea is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of acl_role=auto-badidea is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of acl_permission=badidea-resources is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of acl_target=betteridea is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of role=auto-betteridea is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of acl_role=auto-betteridea is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of acl_permission=betteridea-nothing is allowed
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of acl_permission=betteridea-resources is allowed
=#=#=#= Current cib after: root: Upgrade to pacemaker-2.0 =#=#=#=
<cib epoch="2" num_updates="0" admin_epoch="1">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: root: Upgrade to pacemaker-2.0 - OK (0) =#=#=#=
* Passed: cibadmin - root: Upgrade to pacemaker-2.0
=#=#=#= Begin test: unknownguy: Query configuration =#=#=#=
Call failed: Permission denied
=#=#=#= End test: unknownguy: Query configuration - Permission denied (13) =#=#=#=
* Passed: cibadmin - unknownguy: Query configuration
=#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: unknownguy: Set enable-acl - Permission denied (13) =#=#=#=
* Passed: crm_attribute - unknownguy: Set enable-acl
=#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: unknownguy: Set stonith-enabled - Permission denied (13) =#=#=#=
* Passed: crm_attribute - unknownguy: Set stonith-enabled
=#=#=#= Begin test: unknownguy: Create a resource =#=#=#=
( acl.c:NNN ) trace: pcmk__check_acl: Ordinary user unknownguy cannot access the CIB without any defined ACLs
( acl.c:NNN ) trace: pcmk__check_acl: Ordinary user unknownguy cannot access the CIB without any defined ACLs
( acl.c:NNN ) trace: pcmk__check_acl: Ordinary user unknownguy cannot access the CIB without any defined ACLs
( acl.c:NNN ) trace: pcmk__check_acl: Ordinary user unknownguy cannot access the CIB without any defined ACLs
Call failed: Permission denied
=#=#=#= End test: unknownguy: Create a resource - Permission denied (13) =#=#=#=
* Passed: cibadmin - unknownguy: Create a resource
=#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#=
Call failed: Permission denied
=#=#=#= End test: l33t-haxor: Query configuration - Permission denied (13) =#=#=#=
* Passed: cibadmin - l33t-haxor: Query configuration
=#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Set enable-acl - Permission denied (13) =#=#=#=
* Passed: crm_attribute - l33t-haxor: Set enable-acl
=#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Set stonith-enabled - Permission denied (13) =#=#=#=
* Passed: crm_attribute - l33t-haxor: Set stonith-enabled
=#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#=
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/resources/primitive[@id='dummy']: parent
( acl.c:NNN ) trace: pcmk__post_process_acl: Cannot add new node primitive at /cib/configuration/resources/primitive[@id='dummy']
Call failed: Permission denied
=#=#=#= End test: l33t-haxor: Create a resource - Permission denied (13) =#=#=#=
* Passed: cibadmin - l33t-haxor: Create a resource
=#=#=#= Begin test: niceguy: Query configuration =#=#=#=
<cib epoch="7" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#=
* Passed: cibadmin - niceguy: Query configuration
=#=#=#= Begin test: niceguy: Set enable-acl =#=#=#=
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]: default
Error performing operation: Permission denied
Error setting enable-acl=false (section=crm_config, set=<null>): Permission denied
=#=#=#= End test: niceguy: Set enable-acl - Permission denied (13) =#=#=#=
* Passed: crm_attribute - niceguy: Set enable-acl
=#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#=
=#=#=#= Current cib after: niceguy: Set stonith-enabled =#=#=#=
<cib epoch="8" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#=
* Passed: crm_attribute - niceguy: Set stonith-enabled
=#=#=#= Begin test: niceguy: Create a resource =#=#=#=
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/resources/primitive[@id='dummy']: default
( acl.c:NNN ) trace: pcmk__post_process_acl: Cannot add new node primitive at /cib/configuration/resources/primitive[@id='dummy']
Call failed: Permission denied
=#=#=#= End test: niceguy: Create a resource - Permission denied (13) =#=#=#=
* Passed: cibadmin - niceguy: Create a resource
=#=#=#= Begin test: root: Query configuration =#=#=#=
<cib epoch="8" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: root: Query configuration - OK (0) =#=#=#=
* Passed: cibadmin - root: Query configuration
=#=#=#= Begin test: root: Set stonith-enabled =#=#=#=
=#=#=#= Current cib after: root: Set stonith-enabled =#=#=#=
<cib epoch="9" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#=
* Passed: crm_attribute - root: Set stonith-enabled
=#=#=#= Begin test: root: Create a resource =#=#=#=
=#=#=#= Current cib after: root: Create a resource =#=#=#=
<cib epoch="10" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: root: Create a resource - OK (0) =#=#=#=
* Passed: cibadmin - root: Create a resource
=#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Create a resource meta attribute - Permission denied (13) =#=#=#=
* Passed: crm_resource - l33t-haxor: Create a resource meta attribute
=#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Query a resource meta attribute - Permission denied (13) =#=#=#=
* Passed: crm_resource - l33t-haxor: Query a resource meta attribute
=#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Permission denied (13) =#=#=#=
* Passed: crm_resource - l33t-haxor: Remove a resource meta attribute
=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
error: unpack_resources: Resource start-up disabled since no STONITH resources have been defined
error: unpack_resources: Either configure some or disable STONITH with the stonith-enabled option
error: unpack_resources: NOTE: Clusters with shared data need STONITH to ensure data integrity
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of nvpair=dummy-meta_attributes-target-role is allowed
Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role=Stopped
=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
<cib epoch="11" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Create a resource meta attribute
=#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#=
error: unpack_resources: Resource start-up disabled since no STONITH resources have been defined
error: unpack_resources: Either configure some or disable STONITH with the stonith-enabled option
error: unpack_resources: NOTE: Clusters with shared data need STONITH to ensure data integrity
Stopped
=#=#=#= Current cib after: niceguy: Query a resource meta attribute =#=#=#=
<cib epoch="11" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Query a resource meta attribute
=#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#=
error: unpack_resources: Resource start-up disabled since no STONITH resources have been defined
error: unpack_resources: Either configure some or disable STONITH with the stonith-enabled option
error: unpack_resources: NOTE: Clusters with shared data need STONITH to ensure data integrity
Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role
=#=#=#= Current cib after: niceguy: Remove a resource meta attribute =#=#=#=
<cib epoch="12" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes"/>
</primitive>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Remove a resource meta attribute
=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
error: unpack_resources: Resource start-up disabled since no STONITH resources have been defined
error: unpack_resources: Either configure some or disable STONITH with the stonith-enabled option
error: unpack_resources: NOTE: Clusters with shared data need STONITH to ensure data integrity
( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of nvpair=dummy-meta_attributes-target-role is allowed
Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role=Started
=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
<cib epoch="13" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Create a resource meta attribute
=#=#=#= Begin test: badidea: Query configuration - implied deny =#=#=#=
<cib>
<configuration>
<resources>
<primitive id="dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
</configuration>
</cib>
=#=#=#= End test: badidea: Query configuration - implied deny - OK (0) =#=#=#=
* Passed: cibadmin - badidea: Query configuration - implied deny
=#=#=#= Begin test: betteridea: Query configuration - explicit deny =#=#=#=
<cib>
<configuration>
<resources>
<primitive id="dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
</configuration>
</cib>
=#=#=#= End test: betteridea: Query configuration - explicit deny - OK (0) =#=#=#=
* Passed: cibadmin - betteridea: Query configuration - explicit deny
<cib epoch="14" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - remove acls =#=#=#=
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/acls: default
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - remove acls - Permission denied (13) =#=#=#=
* Passed: cibadmin - niceguy: Replace - remove acls
<cib epoch="14" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
<primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - create resource =#=#=#=
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/resources/primitive[@id='dummy2']: default
( acl.c:NNN ) trace: pcmk__post_process_acl: Cannot add new node primitive at /cib/configuration/resources/primitive[@id='dummy2']
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - create resource - Permission denied (13) =#=#=#=
* Passed: cibadmin - niceguy: Replace - create resource
<cib epoch="14" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="false"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#=
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]: default
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - modify attribute (deny) - Permission denied (13) =#=#=#=
* Passed: cibadmin - niceguy: Replace - modify attribute (deny)
<cib epoch="14" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#=
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']: default
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - delete attribute (deny) - Permission denied (13) =#=#=#=
* Passed: cibadmin - niceguy: Replace - delete attribute (deny)
<cib epoch="14" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#=
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default
( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/resources/primitive[@id='dummy'][@description]: default
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - create attribute (deny) - Permission denied (13) =#=#=#=
* Passed: cibadmin - niceguy: Replace - create attribute (deny)
<cib epoch="14" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: bob: Replace - create attribute (allow) =#=#=#=
=#=#=#= End test: bob: Replace - create attribute (allow) - OK (0) =#=#=#=
* Passed: cibadmin - bob: Replace - create attribute (allow)
<cib epoch="15" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: bob: Replace - modify attribute (allow) =#=#=#=
=#=#=#= End test: bob: Replace - modify attribute (allow) - OK (0) =#=#=#=
* Passed: cibadmin - bob: Replace - modify attribute (allow)
<cib epoch="16" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: bob: Replace - delete attribute (allow) =#=#=#=
=#=#=#= End test: bob: Replace - delete attribute (allow) - OK (0) =#=#=#=
* Passed: cibadmin - bob: Replace - delete attribute (allow)
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Wed, Jun 25, 4:44 AM (1 d, 14 h)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
1952196
Default Alt Text
regression.acls.exp (101 KB)
Attached To
Mode
rP Pacemaker
Attached
Detach File
Event Timeline
Log In to Comment