diff --git a/cts/cli/regression.acls.exp b/cts/cli/regression.acls.exp
index 22c2ce9f94..d9e76459ec 100644
--- a/cts/cli/regression.acls.exp
+++ b/cts/cli/regression.acls.exp
@@ -1,2348 +1,4438 @@
Created new pacemaker configuration
Setting up shadow instance
A new shadow instance was created. To begin using it paste the following into your shell:
CIB_shadow=cts-cli ; export CIB_shadow
=#=#=#= Begin test: Configure some ACLs =#=#=#=
=#=#=#= Current cib after: Configure some ACLs =#=#=#=
<cib epoch="1" num_updates="0" admin_epoch="0">
<configuration>
<crm_config/>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: Configure some ACLs - OK (0) =#=#=#=
* Passed: cibadmin - Configure some ACLs
=#=#=#= Begin test: Enable ACLs =#=#=#=
=#=#=#= Current cib after: Enable ACLs =#=#=#=
<cib epoch="2" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: Enable ACLs - OK (0) =#=#=#=
* Passed: crm_attribute - Enable ACLs
=#=#=#= Begin test: Set cluster option =#=#=#=
=#=#=#= Current cib after: Set cluster option =#=#=#=
<cib epoch="3" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: Set cluster option - OK (0) =#=#=#=
* Passed: crm_attribute - Set cluster option
=#=#=#= Begin test: New ACL =#=#=#=
=#=#=#= Current cib after: New ACL =#=#=#=
<cib epoch="4" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: New ACL - OK (0) =#=#=#=
* Passed: cibadmin - New ACL
=#=#=#= Begin test: Another ACL =#=#=#=
=#=#=#= Current cib after: Another ACL =#=#=#=
<cib epoch="5" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: Another ACL - OK (0) =#=#=#=
* Passed: cibadmin - Another ACL
=#=#=#= Begin test: Updated ACL =#=#=#=
=#=#=#= Current cib after: Updated ACL =#=#=#=
<cib epoch="6" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: Updated ACL - OK (0) =#=#=#=
* Passed: cibadmin - Updated ACL
=#=#=#= Begin test: unknownguy: Query configuration =#=#=#=
Call failed: Permission denied
=#=#=#= End test: unknownguy: Query configuration - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - unknownguy: Query configuration
=#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: unknownguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
* Passed: crm_attribute - unknownguy: Set enable-acl
=#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: unknownguy: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
* Passed: crm_attribute - unknownguy: Set stonith-enabled
=#=#=#= Begin test: unknownguy: Create a resource =#=#=#=
pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@id]
pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@class]
pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@provider]
pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@type]
pcmk__apply_creation_acl trace: Creation of <primitive> scaffolding with id="<unset>" is implicitly allowed
Call failed: Permission denied
=#=#=#= End test: unknownguy: Create a resource - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - unknownguy: Create a resource
=#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#=
Call failed: Permission denied
=#=#=#= End test: l33t-haxor: Query configuration - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - l33t-haxor: Query configuration
=#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Set enable-acl - Insufficient privileges (4) =#=#=#=
* Passed: crm_attribute - l33t-haxor: Set enable-acl
=#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
* Passed: crm_attribute - l33t-haxor: Set stonith-enabled
=#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#=
pcmk__check_acl trace: Parent ACL denies user 'l33t-haxor' read/write access to /cib/configuration/resources/primitive[@id='dummy']
pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy"
Call failed: Permission denied
=#=#=#= End test: l33t-haxor: Create a resource - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - l33t-haxor: Create a resource
=#=#=#= Begin test: niceguy: Query configuration =#=#=#=
<cib epoch="6" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#=
* Passed: cibadmin - niceguy: Query configuration
=#=#=#= Begin test: niceguy: Set enable-acl =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
Error performing operation: Permission denied
Error setting enable-acl=false (section=crm_config, set=<null>): Permission denied
=#=#=#= End test: niceguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
* Passed: crm_attribute - niceguy: Set enable-acl
=#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#=
pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="cib-bootstrap-options-stonith-enabled"
=#=#=#= Current cib after: niceguy: Set stonith-enabled =#=#=#=
<cib epoch="7" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#=
* Passed: crm_attribute - niceguy: Set stonith-enabled
=#=#=#= Begin test: niceguy: Create a resource =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy']
pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy"
Call failed: Permission denied
=#=#=#= End test: niceguy: Create a resource - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - niceguy: Create a resource
=#=#=#= Begin test: root: Query configuration =#=#=#=
<cib epoch="7" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: root: Query configuration - OK (0) =#=#=#=
* Passed: cibadmin - root: Query configuration
=#=#=#= Begin test: root: Set stonith-enabled =#=#=#=
=#=#=#= Current cib after: root: Set stonith-enabled =#=#=#=
<cib epoch="8" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources/>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#=
* Passed: crm_attribute - root: Set stonith-enabled
=#=#=#= Begin test: root: Create a resource =#=#=#=
=#=#=#= Current cib after: root: Create a resource =#=#=#=
<cib epoch="9" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: root: Create a resource - OK (0) =#=#=#=
* Passed: cibadmin - root: Create a resource
=#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Create a resource meta attribute - Insufficient privileges (4) =#=#=#=
* Passed: crm_resource - l33t-haxor: Create a resource meta attribute
=#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Query a resource meta attribute - Insufficient privileges (4) =#=#=#=
* Passed: crm_resource - l33t-haxor: Query a resource meta attribute
=#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Insufficient privileges (4) =#=#=#=
* Passed: crm_resource - l33t-haxor: Remove a resource meta attribute
=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
pcmk__apply_creation_acl trace: Creation of <meta_attributes> scaffolding with id="dummy-meta_attributes" is implicitly allowed
pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Stopped
=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
<cib epoch="10" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Create a resource meta attribute
=#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#=
unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
Stopped
=#=#=#= Current cib after: niceguy: Query a resource meta attribute =#=#=#=
<cib epoch="10" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Query a resource meta attribute
=#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#=
unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role
=#=#=#= Current cib after: niceguy: Remove a resource meta attribute =#=#=#=
<cib epoch="11" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes"/>
</primitive>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Remove a resource meta attribute
=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Started
=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
<cib epoch="12" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Create a resource meta attribute
=#=#=#= Begin test: badidea: Query configuration - implied deny =#=#=#=
<cib>
<configuration>
<resources>
<primitive id="dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
</configuration>
</cib>
=#=#=#= End test: badidea: Query configuration - implied deny - OK (0) =#=#=#=
* Passed: cibadmin - badidea: Query configuration - implied deny
=#=#=#= Begin test: betteridea: Query configuration - explicit deny =#=#=#=
<cib>
<configuration>
<resources>
<primitive id="dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
</configuration>
</cib>
=#=#=#= End test: betteridea: Query configuration - explicit deny - OK (0) =#=#=#=
* Passed: cibadmin - betteridea: Query configuration - explicit deny
<cib epoch="13" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - remove acls =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/acls
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - remove acls - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - niceguy: Replace - remove acls
<cib epoch="13" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
<primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - create resource =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy2']
pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy2"
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - create resource - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - niceguy: Replace - create resource
<cib epoch="13" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="false"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - modify attribute (deny) - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - niceguy: Replace - modify attribute (deny)
<cib epoch="13" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - delete attribute (deny) - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - niceguy: Replace - delete attribute (deny)
<cib epoch="13" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
=#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - create attribute (deny) - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - niceguy: Replace - create attribute (deny)
<cib epoch="13" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= Begin test: bob: Replace - create attribute (allow) =#=#=#=
-=#=#=#= End test: bob: Replace - create attribute (allow) - OK (0) =#=#=#=
-* Passed: cibadmin - bob: Replace - create attribute (allow)
+=#=#=#= Begin test: bob: Replace - create attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - create attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin - bob: Replace - create attribute (direct allow)
<cib epoch="14" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting">
<meta_attributes id="dummy-meta_attributes">
<nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= Begin test: bob: Replace - modify attribute (allow) =#=#=#=
-=#=#=#= End test: bob: Replace - modify attribute (allow) - OK (0) =#=#=#=
-* Passed: cibadmin - bob: Replace - modify attribute (allow)
+=#=#=#= Begin test: bob: Replace - modify attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - modify attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin - bob: Replace - modify attribute (direct allow)
<cib epoch="15" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
</resources>
<constraints/>
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
<acl_user id="badidea">
<read id="badidea-resources" xpath="//meta_attributes"/>
</acl_user>
<acl_user id="betteridea">
<deny id="betteridea-nothing" xpath="/cib"/>
<read id="betteridea-resources" xpath="//meta_attributes"/>
</acl_user>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= Begin test: bob: Replace - delete attribute (allow) =#=#=#=
-=#=#=#= End test: bob: Replace - delete attribute (allow) - OK (0) =#=#=#=
-* Passed: cibadmin - bob: Replace - delete attribute (allow)
-
-
- !#!#!#!#! Upgrading to latest CIB schema and re-testing !#!#!#!#!
-=#=#=#= Begin test: root: Upgrade to latest CIB schema =#=#=#=
-pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="observer-read-1"
-pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="observer-write-1"
-pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="observer-write-2"
-pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="admin-read-1"
-pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="admin-write-1"
-pcmk__apply_creation_acl trace: ACLs allow creation of <acl_target> with id="l33t-haxor"
-pcmk__apply_creation_acl trace: ACLs allow creation of <role> with id="auto-l33t-haxor"
-pcmk__apply_creation_acl trace: ACLs allow creation of <acl_role> with id="auto-l33t-haxor"
-pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="crook-nothing"
-pcmk__apply_creation_acl trace: ACLs allow creation of <acl_target> with id="niceguy"
-pcmk__apply_creation_acl trace: ACLs allow creation of <role> with id="observer"
-pcmk__apply_creation_acl trace: ACLs allow creation of <acl_target> with id="bob"
-pcmk__apply_creation_acl trace: ACLs allow creation of <role> with id="admin"
-pcmk__apply_creation_acl trace: ACLs allow creation of <acl_target> with id="badidea"
-pcmk__apply_creation_acl trace: ACLs allow creation of <role> with id="auto-badidea"
-pcmk__apply_creation_acl trace: ACLs allow creation of <acl_role> with id="auto-badidea"
-pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="badidea-resources"
-pcmk__apply_creation_acl trace: ACLs allow creation of <acl_target> with id="betteridea"
-pcmk__apply_creation_acl trace: ACLs allow creation of <role> with id="auto-betteridea"
-pcmk__apply_creation_acl trace: ACLs allow creation of <acl_role> with id="auto-betteridea"
-pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="betteridea-nothing"
-pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="betteridea-resources"
-=#=#=#= Current cib after: root: Upgrade to latest CIB schema =#=#=#=
-<cib epoch="2" num_updates="0" admin_epoch="1">
+=#=#=#= Begin test: bob: Replace - delete attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - delete attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin - bob: Replace - delete attribute (direct allow)
+<cib epoch="16" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
- <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
</resources>
<constraints/>
<acls>
- <acl_target id="l33t-haxor">
- <role id="auto-l33t-haxor"/>
- </acl_target>
- <acl_role id="auto-l33t-haxor">
- <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
- </acl_role>
- <acl_target id="niceguy">
- <role id="observer"/>
- </acl_target>
- <acl_target id="bob">
- <role id="admin"/>
- </acl_target>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
- <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
- <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
- <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
+ <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
- <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
- <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
</acl_role>
- <acl_target id="badidea">
- <role id="auto-badidea"/>
- </acl_target>
- <acl_role id="auto-badidea">
- <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
</acl_role>
- <acl_target id="betteridea">
- <role id="auto-betteridea"/>
- </acl_target>
- <acl_role id="auto-betteridea">
- <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
- <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
</acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= End test: root: Upgrade to latest CIB schema - OK (0) =#=#=#=
-* Passed: cibadmin - root: Upgrade to latest CIB schema
-=#=#=#= Begin test: unknownguy: Query configuration =#=#=#=
-Call failed: Permission denied
-=#=#=#= End test: unknownguy: Query configuration - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - unknownguy: Query configuration
-=#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: unknownguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
-* Passed: crm_attribute - unknownguy: Set enable-acl
-=#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: unknownguy: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
-* Passed: crm_attribute - unknownguy: Set stonith-enabled
-=#=#=#= Begin test: unknownguy: Create a resource =#=#=#=
-pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@id]
-pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@class]
-pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@provider]
-pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@type]
-pcmk__apply_creation_acl trace: Creation of <primitive> scaffolding with id="<unset>" is implicitly allowed
-Call failed: Permission denied
-=#=#=#= End test: unknownguy: Create a resource - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - unknownguy: Create a resource
-=#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#=
-Call failed: Permission denied
-=#=#=#= End test: l33t-haxor: Query configuration - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - l33t-haxor: Query configuration
-=#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: l33t-haxor: Set enable-acl - Insufficient privileges (4) =#=#=#=
-* Passed: crm_attribute - l33t-haxor: Set enable-acl
-=#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: l33t-haxor: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
-* Passed: crm_attribute - l33t-haxor: Set stonith-enabled
-=#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#=
-pcmk__check_acl trace: Parent ACL denies user 'l33t-haxor' read/write access to /cib/configuration/resources/primitive[@id='dummy']
-pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy"
-Call failed: Permission denied
-=#=#=#= End test: l33t-haxor: Create a resource - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - l33t-haxor: Create a resource
+=#=#=#= Begin test: joe: Replace - create attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - create attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin - joe: Replace - create attribute (inherited allow)
+<cib epoch="17" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
+ <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: joe: Replace - modify attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - modify attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin - joe: Replace - modify attribute (inherited allow)
+<cib epoch="18" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
+ <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: joe: Replace - delete attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - delete attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin - joe: Replace - delete attribute (inherited allow)
+<cib epoch="19" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
+ <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: mike: Replace - create attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - create attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin - mike: Replace - create attribute (allow overrides deny)
+<cib epoch="20" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
+ <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: mike: Replace - modify attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - modify attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin - mike: Replace - modify attribute (allow overrides deny)
+<cib epoch="21" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
+ <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: mike: Replace - delete attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - delete attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin - mike: Replace - delete attribute (allow overrides deny)
+<cib epoch="22" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
+ <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: chris: Replace - create attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - create attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - chris: Replace - create attribute (deny overrides allow)
+<cib epoch="23" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
+ <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: chris: Replace - modify attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - modify attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - chris: Replace - modify attribute (deny overrides allow)
+<cib epoch="24" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
+ <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: chris: Replace - delete attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy']
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - delete attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - chris: Replace - delete attribute (deny overrides allow)
+
+
+ !#!#!#!#! Upgrading to latest CIB schema and re-testing !#!#!#!#!
+=#=#=#= Begin test: root: Upgrade to latest CIB schema =#=#=#=
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="observer-read-1"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="observer-write-1"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="observer-write-2"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="admin-read-1"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="admin-write-1"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="super_user-write-1"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="rsc-writer-deny-1"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="rsc-writer-write-1"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="rsc-denied-write-1"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="rsc-denied-deny-1"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_target> with id="l33t-haxor"
+pcmk__apply_creation_acl trace: ACLs allow creation of <role> with id="auto-l33t-haxor"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_role> with id="auto-l33t-haxor"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="crook-nothing"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_target> with id="niceguy"
+pcmk__apply_creation_acl trace: ACLs allow creation of <role> with id="observer"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_target> with id="bob"
+pcmk__apply_creation_acl trace: ACLs allow creation of <role> with id="admin"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_target> with id="joe"
+pcmk__apply_creation_acl trace: ACLs allow creation of <role> with id="super_user"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_target> with id="mike"
+pcmk__apply_creation_acl trace: ACLs allow creation of <role> with id="rsc_writer"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_target> with id="chris"
+pcmk__apply_creation_acl trace: ACLs allow creation of <role> with id="rsc_denied"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_target> with id="badidea"
+pcmk__apply_creation_acl trace: ACLs allow creation of <role> with id="auto-badidea"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_role> with id="auto-badidea"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="badidea-resources"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_target> with id="betteridea"
+pcmk__apply_creation_acl trace: ACLs allow creation of <role> with id="auto-betteridea"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_role> with id="auto-betteridea"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="betteridea-nothing"
+pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="betteridea-resources"
+=#=#=#= Current cib after: root: Upgrade to latest CIB schema =#=#=#=
+<cib epoch="2" num_updates="0" admin_epoch="1">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: root: Upgrade to latest CIB schema - OK (0) =#=#=#=
+* Passed: cibadmin - root: Upgrade to latest CIB schema
+=#=#=#= Begin test: unknownguy: Query configuration =#=#=#=
+Call failed: Permission denied
+=#=#=#= End test: unknownguy: Query configuration - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - unknownguy: Query configuration
+=#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: unknownguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - unknownguy: Set enable-acl
+=#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: unknownguy: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - unknownguy: Set stonith-enabled
+=#=#=#= Begin test: unknownguy: Create a resource =#=#=#=
+pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@id]
+pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@class]
+pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@provider]
+pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@type]
+pcmk__apply_creation_acl trace: Creation of <primitive> scaffolding with id="<unset>" is implicitly allowed
+Call failed: Permission denied
+=#=#=#= End test: unknownguy: Create a resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - unknownguy: Create a resource
+=#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#=
+Call failed: Permission denied
+=#=#=#= End test: l33t-haxor: Query configuration - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - l33t-haxor: Query configuration
+=#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Set enable-acl - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - l33t-haxor: Set enable-acl
+=#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - l33t-haxor: Set stonith-enabled
+=#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'l33t-haxor' read/write access to /cib/configuration/resources/primitive[@id='dummy']
+pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy"
+Call failed: Permission denied
+=#=#=#= End test: l33t-haxor: Create a resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - l33t-haxor: Create a resource
=#=#=#= Begin test: niceguy: Query configuration =#=#=#=
<cib epoch="7" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
- <resources/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#=
+* Passed: cibadmin - niceguy: Query configuration
+=#=#=#= Begin test: niceguy: Set enable-acl =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
+Error performing operation: Permission denied
+Error setting enable-acl=false (section=crm_config, set=<null>): Permission denied
+=#=#=#= End test: niceguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - niceguy: Set enable-acl
+=#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#=
+=#=#=#= Current cib after: niceguy: Set stonith-enabled =#=#=#=
+<cib epoch="8" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#=
+* Passed: crm_attribute - niceguy: Set stonith-enabled
+=#=#=#= Begin test: niceguy: Create a resource =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy']
+pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy"
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Create a resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Create a resource
+=#=#=#= Begin test: root: Query configuration =#=#=#=
+<cib epoch="8" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: root: Query configuration - OK (0) =#=#=#=
+* Passed: cibadmin - root: Query configuration
+=#=#=#= Begin test: root: Set stonith-enabled =#=#=#=
+=#=#=#= Current cib after: root: Set stonith-enabled =#=#=#=
+<cib epoch="9" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#=
+* Passed: crm_attribute - root: Set stonith-enabled
+=#=#=#= Begin test: root: Create a resource =#=#=#=
+=#=#=#= Current cib after: root: Create a resource =#=#=#=
+<cib epoch="10" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: root: Create a resource - OK (0) =#=#=#=
+* Passed: cibadmin - root: Create a resource
+=#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Create a resource meta attribute - Insufficient privileges (4) =#=#=#=
+* Passed: crm_resource - l33t-haxor: Create a resource meta attribute
+=#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Query a resource meta attribute - Insufficient privileges (4) =#=#=#=
+* Passed: crm_resource - l33t-haxor: Query a resource meta attribute
+=#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Insufficient privileges (4) =#=#=#=
+* Passed: crm_resource - l33t-haxor: Remove a resource meta attribute
+=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
+unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+pcmk__apply_creation_acl trace: Creation of <meta_attributes> scaffolding with id="dummy-meta_attributes" is implicitly allowed
+pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
+Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Stopped
+=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
+<cib epoch="11" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Create a resource meta attribute
+=#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#=
+unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+Stopped
+=#=#=#= Current cib after: niceguy: Query a resource meta attribute =#=#=#=
+<cib epoch="11" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Query a resource meta attribute
+=#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#=
+unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role
+=#=#=#= Current cib after: niceguy: Remove a resource meta attribute =#=#=#=
+<cib epoch="12" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes"/>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Remove a resource meta attribute
+=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
+unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
+Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Started
+=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
+<cib epoch="13" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Create a resource meta attribute
+=#=#=#= Begin test: badidea: Query configuration - implied deny =#=#=#=
+<cib>
+ <configuration>
+ <resources>
+ <primitive id="dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ </configuration>
+</cib>
+=#=#=#= End test: badidea: Query configuration - implied deny - OK (0) =#=#=#=
+* Passed: cibadmin - badidea: Query configuration - implied deny
+=#=#=#= Begin test: betteridea: Query configuration - explicit deny =#=#=#=
+<cib>
+ <configuration>
+ <resources>
+ <primitive id="dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ </configuration>
+</cib>
+=#=#=#= End test: betteridea: Query configuration - explicit deny - OK (0) =#=#=#=
+* Passed: cibadmin - betteridea: Query configuration - explicit deny
+<cib epoch="14" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: niceguy: Replace - remove acls =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/acls
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - remove acls - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - remove acls
+<cib epoch="14" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>
+ </resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#=
-* Passed: cibadmin - niceguy: Query configuration
-=#=#=#= Begin test: niceguy: Set enable-acl =#=#=#=
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
-Error performing operation: Permission denied
-Error setting enable-acl=false (section=crm_config, set=<null>): Permission denied
-=#=#=#= End test: niceguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
-* Passed: crm_attribute - niceguy: Set enable-acl
-=#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#=
-=#=#=#= Current cib after: niceguy: Set stonith-enabled =#=#=#=
-<cib epoch="8" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: niceguy: Replace - create resource =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy2']
+pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy2"
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - create resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - create resource
+<cib epoch="14" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
- <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="false"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
- <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
- <resources/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#=
-* Passed: crm_attribute - niceguy: Set stonith-enabled
-=#=#=#= Begin test: niceguy: Create a resource =#=#=#=
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy']
-pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy"
+=#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
Call failed: Permission denied
-=#=#=#= End test: niceguy: Create a resource - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - niceguy: Create a resource
-=#=#=#= Begin test: root: Query configuration =#=#=#=
-<cib epoch="8" num_updates="0" admin_epoch="0">
+=#=#=#= End test: niceguy: Replace - modify attribute (deny) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - modify attribute (deny)
+<cib epoch="14" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
- <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
- <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
- <resources/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= End test: root: Query configuration - OK (0) =#=#=#=
-* Passed: cibadmin - root: Query configuration
-=#=#=#= Begin test: root: Set stonith-enabled =#=#=#=
-=#=#=#= Current cib after: root: Set stonith-enabled =#=#=#=
-<cib epoch="9" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - delete attribute (deny) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - delete attribute (deny)
+<cib epoch="14" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
- <resources/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#=
-* Passed: crm_attribute - root: Set stonith-enabled
-=#=#=#= Begin test: root: Create a resource =#=#=#=
-=#=#=#= Current cib after: root: Create a resource =#=#=#=
-<cib epoch="10" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - create attribute (deny) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - create attribute (deny)
+<cib epoch="14" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
- <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
- <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
- </acl_role>
- <acl_target id="betteridea">
- <role id="auto-betteridea"/>
- </acl_target>
- <acl_role id="auto-betteridea">
- <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
- <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
- </acl_role>
- </acls>
- </configuration>
- <status/>
-</cib>
-=#=#=#= End test: root: Create a resource - OK (0) =#=#=#=
-* Passed: cibadmin - root: Create a resource
-=#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: l33t-haxor: Create a resource meta attribute - Insufficient privileges (4) =#=#=#=
-* Passed: crm_resource - l33t-haxor: Create a resource meta attribute
-=#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: l33t-haxor: Query a resource meta attribute - Insufficient privileges (4) =#=#=#=
-* Passed: crm_resource - l33t-haxor: Query a resource meta attribute
-=#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Insufficient privileges (4) =#=#=#=
-* Passed: crm_resource - l33t-haxor: Remove a resource meta attribute
-=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
-unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
-unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
-unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
-pcmk__apply_creation_acl trace: Creation of <meta_attributes> scaffolding with id="dummy-meta_attributes" is implicitly allowed
-pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
-Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Stopped
-=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
-<cib epoch="11" num_updates="0" admin_epoch="0">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: bob: Replace - create attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - create attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin - bob: Replace - create attribute (direct allow)
+<cib epoch="15" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
- <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting">
<meta_attributes id="dummy-meta_attributes">
- <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
</meta_attributes>
</primitive>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
-* Passed: crm_resource - niceguy: Create a resource meta attribute
-=#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#=
-unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
-unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
-unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
-Stopped
-=#=#=#= Current cib after: niceguy: Query a resource meta attribute =#=#=#=
-<cib epoch="11" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: bob: Replace - modify attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - modify attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin - bob: Replace - modify attribute (direct allow)
+<cib epoch="16" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
- <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
- <meta_attributes id="dummy-meta_attributes">
- <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
- </meta_attributes>
- </primitive>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#=
-* Passed: crm_resource - niceguy: Query a resource meta attribute
-=#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#=
-unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
-unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
-unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
-Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role
-=#=#=#= Current cib after: niceguy: Remove a resource meta attribute =#=#=#=
-<cib epoch="12" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: bob: Replace - delete attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - delete attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin - bob: Replace - delete attribute (direct allow)
+<cib epoch="17" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
- <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
- <meta_attributes id="dummy-meta_attributes"/>
- </primitive>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#=
-* Passed: crm_resource - niceguy: Remove a resource meta attribute
-=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
-unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
-unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
-unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
-pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
-Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Started
-=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
-<cib epoch="13" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: joe: Replace - create attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - create attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin - joe: Replace - create attribute (inherited allow)
+<cib epoch="18" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
- <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
- <meta_attributes id="dummy-meta_attributes">
- <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
- </meta_attributes>
- </primitive>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
-* Passed: crm_resource - niceguy: Create a resource meta attribute
-=#=#=#= Begin test: badidea: Query configuration - implied deny =#=#=#=
-<cib>
- <configuration>
- <resources>
- <primitive id="dummy">
- <meta_attributes id="dummy-meta_attributes">
- <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
- </meta_attributes>
- </primitive>
- </resources>
- </configuration>
-</cib>
-=#=#=#= End test: badidea: Query configuration - implied deny - OK (0) =#=#=#=
-* Passed: cibadmin - badidea: Query configuration - implied deny
-=#=#=#= Begin test: betteridea: Query configuration - explicit deny =#=#=#=
-<cib>
- <configuration>
- <resources>
- <primitive id="dummy">
- <meta_attributes id="dummy-meta_attributes">
- <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
- </meta_attributes>
- </primitive>
- </resources>
- </configuration>
-</cib>
-=#=#=#= End test: betteridea: Query configuration - explicit deny - OK (0) =#=#=#=
-* Passed: cibadmin - betteridea: Query configuration - explicit deny
-<cib epoch="14" num_updates="0" admin_epoch="0">
- <configuration>
- <crm_config>
- <cluster_property_set id="cib-bootstrap-options">
- <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
- <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
- <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
- </cluster_property_set>
- </crm_config>
- <nodes/>
- <resources>
- <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
- <meta_attributes id="dummy-meta_attributes">
- <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
- </meta_attributes>
- </primitive>
- </resources>
- <constraints/>
- </configuration>
- <status/>
-</cib>
-=#=#=#= Begin test: niceguy: Replace - remove acls =#=#=#=
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/acls
-Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - remove acls - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - niceguy: Replace - remove acls
-<cib epoch="14" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: joe: Replace - modify attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - modify attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin - joe: Replace - modify attribute (inherited allow)
+<cib epoch="19" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
- <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
- <meta_attributes id="dummy-meta_attributes">
- <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
- </meta_attributes>
- </primitive>
- <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= Begin test: niceguy: Replace - create resource =#=#=#=
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy2']
-pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy2"
-Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - create resource - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - niceguy: Replace - create resource
-<cib epoch="14" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: joe: Replace - delete attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - delete attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin - joe: Replace - delete attribute (inherited allow)
+<cib epoch="20" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
- <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="false"/>
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
- <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
- <meta_attributes id="dummy-meta_attributes">
- <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
- </meta_attributes>
- </primitive>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#=
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
-Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - modify attribute (deny) - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - niceguy: Replace - modify attribute (deny)
-<cib epoch="14" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: mike: Replace - create attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - create attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin - mike: Replace - create attribute (allow overrides deny)
+<cib epoch="21" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
- <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/>
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
- <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
- <meta_attributes id="dummy-meta_attributes">
- <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
- </meta_attributes>
- </primitive>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#=
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']
-Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - delete attribute (deny) - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - niceguy: Replace - delete attribute (deny)
-<cib epoch="14" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: mike: Replace - modify attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - modify attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin - mike: Replace - modify attribute (allow overrides deny)
+<cib epoch="22" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
- <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
- <meta_attributes id="dummy-meta_attributes">
- <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
- </meta_attributes>
- </primitive>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#=
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
-Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - create attribute (deny) - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - niceguy: Replace - create attribute (deny)
-<cib epoch="14" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: mike: Replace - delete attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - delete attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin - mike: Replace - delete attribute (allow overrides deny)
+<cib epoch="23" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
- <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
- <meta_attributes id="dummy-meta_attributes">
- <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
- </meta_attributes>
- </primitive>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= Begin test: bob: Replace - create attribute (allow) =#=#=#=
-=#=#=#= End test: bob: Replace - create attribute (allow) - OK (0) =#=#=#=
-* Passed: cibadmin - bob: Replace - create attribute (allow)
-<cib epoch="15" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: chris: Replace - create attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - create attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - chris: Replace - create attribute (deny overrides allow)
+<cib epoch="24" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
- <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting">
- <meta_attributes id="dummy-meta_attributes">
- <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
- </meta_attributes>
- </primitive>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= Begin test: bob: Replace - modify attribute (allow) =#=#=#=
-=#=#=#= End test: bob: Replace - modify attribute (allow) - OK (0) =#=#=#=
-* Passed: cibadmin - bob: Replace - modify attribute (allow)
-<cib epoch="16" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: chris: Replace - modify attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - modify attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - chris: Replace - modify attribute (deny overrides allow)
+<cib epoch="25" num_updates="0" admin_epoch="0">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes/>
<resources>
<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
</resources>
<constraints/>
<acls>
<acl_target id="l33t-haxor">
<role id="auto-l33t-haxor"/>
</acl_target>
<acl_role id="auto-l33t-haxor">
<acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
</acl_role>
<acl_target id="niceguy">
<role id="observer"/>
</acl_target>
<acl_target id="bob">
<role id="admin"/>
</acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
<acl_role id="observer">
<acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
<acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
<acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
<acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
<acl_target id="badidea">
<role id="auto-badidea"/>
</acl_target>
<acl_role id="auto-badidea">
<acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
<acl_target id="betteridea">
<role id="auto-betteridea"/>
</acl_target>
<acl_role id="auto-betteridea">
<acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
<acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
</acl_role>
</acls>
</configuration>
<status/>
</cib>
-=#=#=#= Begin test: bob: Replace - delete attribute (allow) =#=#=#=
-=#=#=#= End test: bob: Replace - delete attribute (allow) - OK (0) =#=#=#=
-* Passed: cibadmin - bob: Replace - delete attribute (allow)
+=#=#=#= Begin test: chris: Replace - delete attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy']
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - delete attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - chris: Replace - delete attribute (deny overrides allow)
diff --git a/cts/cts-cli.in b/cts/cts-cli.in
index 8507d6290d..62e5698a6b 100755
--- a/cts/cts-cli.in
+++ b/cts/cts-cli.in
@@ -1,1394 +1,1510 @@
#!@BASH_PATH@
#
# Copyright 2008-2020 the Pacemaker project contributors
#
# The version control history for this file may have further details.
#
# This source code is licensed under the GNU General Public License version 2
# or later (GPLv2+) WITHOUT ANY WARRANTY.
#
#
# Note on portable usage of sed: GNU/POSIX/*BSD sed have a limited subset of
# compatible functionality. Do not use the -i option, alternation (\|),
# \0, or character sequences such as \n or \s.
#
USAGE_TEXT="Usage: cts-cli [<options>]
Options:
--help Display this text, then exit
-V, --verbose Display any differences from expected output
-t 'TEST [...]' Run only specified tests (default: 'dates tools crm_mon acls validity upgrade rules')
-p DIR Look for executables in DIR (may be specified multiple times)
-v, --valgrind Run all commands under valgrind
-s Save actual output as expected output"
# If readlink supports -e (i.e. GNU), use it
readlink -e / >/dev/null 2>/dev/null
if [ $? -eq 0 ]; then
test_home="$(dirname "$(readlink -e "$0")")"
else
test_home="$(dirname "$0")"
fi
: ${shadow=cts-cli}
shadow_dir=$(mktemp -d ${TMPDIR:-/tmp}/cts-cli.shadow.XXXXXXXXXX)
num_errors=0
num_passed=0
verbose=0
tests="dates tools crm_mon acls validity upgrade rules"
do_save=0
VALGRIND_CMD=
VALGRIND_OPTS="
-q
--gen-suppressions=all
--show-reachable=no
--leak-check=full
--trace-children=no
--time-stamp=yes
--num-callers=20
--suppressions=$test_home/valgrind-pcmk.suppressions
"
# These constants must track crm_exit_t values
CRM_EX_OK=0
CRM_EX_ERROR=1
CRM_EX_INVALID_PARAM=2
CRM_EX_UNIMPLEMENT_FEATURE=3
CRM_EX_INSUFFICIENT_PRIV=4
CRM_EX_USAGE=64
CRM_EX_CONFIG=78
CRM_EX_OLD=103
CRM_EX_DIGEST=104
CRM_EX_NOSUCH=105
CRM_EX_UNSAFE=107
CRM_EX_EXISTS=108
CRM_EX_MULTIPLE=109
CRM_EX_EXPIRED=110
CRM_EX_NOT_YET_IN_EFFECT=111
function test_assert() {
target=$1; shift
cib=$1; shift
app=`echo "$cmd" | sed 's/\ .*//'`
printf "* Running: $app - $desc\n" 1>&2
printf "=#=#=#= Begin test: $desc =#=#=#=\n"
eval $VALGRIND_CMD $cmd 2>&1
rc=$?
if [ x$cib != x0 ]; then
printf "=#=#=#= Current cib after: $desc =#=#=#=\n"
CIB_user=root cibadmin -Q
fi
printf "=#=#=#= End test: $desc - $(crm_error --exit $rc) ($rc) =#=#=#=\n"
if [ $rc -ne $target ]; then
num_errors=$(( $num_errors + 1 ))
printf "* Failed (rc=%.3d): %-14s - %s\n" $rc $app "$desc"
printf "* Failed (rc=%.3d): %-14s - %s\n" $rc $app "$desc (`which $app`)" 1>&2
return
exit $CRM_EX_ERROR
else
printf "* Passed: %-14s - %s\n" $app "$desc"
num_passed=$(( $num_passed + 1 ))
fi
}
function test_crm_mon() {
export CIB_file="$test_home/cli/crm_mon.xml"
desc="Basic text output"
cmd="crm_mon -1"
test_assert $CRM_EX_OK 0
desc="XML output"
cmd="crm_mon --output-as=xml"
test_assert $CRM_EX_OK 0
desc="Basic text output without node section"
cmd="crm_mon -1 --exclude=nodes"
test_assert $CRM_EX_OK 0
desc="XML output without the node section"
cmd="crm_mon --output-as=xml --exclude=nodes"
test_assert $CRM_EX_OK 0
desc="Text output with only the node section"
cmd="crm_mon -1 --exclude=all --include=nodes"
test_assert $CRM_EX_OK 0
# The above test doesn't need to be performed for other output formats. It's
# really just a test to make sure that blank lines are correct.
desc="Complete text output"
cmd="crm_mon -1 --include=all"
test_assert $CRM_EX_OK 0
# XML includes everything already so there's no need for a complete test
desc="Complete text output with detail"
cmd="crm_mon -1R --include=all"
test_assert $CRM_EX_OK 0
# XML includes detailed output already
desc="Complete brief text output"
cmd="crm_mon -1 --include=all --brief"
test_assert $CRM_EX_OK 0
desc="Complete text output grouped by node"
cmd="crm_mon -1 --include=all --group-by-node"
test_assert $CRM_EX_OK 0
# XML does not have a brief output option
desc="Complete brief text output grouped by node"
cmd="crm_mon -1 --include=all --group-by-node --brief"
test_assert $CRM_EX_OK 0
desc="XML output grouped by node"
cmd="crm_mon -1 --output-as=xml --group-by-node"
test_assert $CRM_EX_OK 0
desc="Complete text output filtered by node"
cmd="crm_mon -1 --include=all --node=cluster01"
test_assert $CRM_EX_OK 0
desc="XML output filtered by node"
cmd="crm_mon --output-as xml --include=all --node=cluster01"
test_assert $CRM_EX_OK 0
desc="Complete text output filtered by tag"
cmd="crm_mon -1 --include=all --node=even-nodes"
test_assert $CRM_EX_OK 0
desc="XML output filtered by tag"
cmd="crm_mon --output-as=xml --include=all --node=even-nodes"
test_assert $CRM_EX_OK 0
desc="Basic text output filtered by node that doesn't exist"
cmd="crm_mon -1 --node=blah"
test_assert $CRM_EX_OK 0
desc="XML output filtered by node that doesn't exist"
cmd="crm_mon --output-as=xml --node=blah"
test_assert $CRM_EX_OK 0
desc="Basic text output with inactive resources"
cmd="crm_mon -1 -r"
test_assert $CRM_EX_OK 0
# XML already includes inactive resources
desc="Basic text output with inactive resources, filtered by node"
cmd="crm_mon -1 -r --node=cluster02"
test_assert $CRM_EX_OK 0
# XML already includes inactive resources
unset CIB_file
export CIB_file="$test_home/cli/crm_mon-partial.xml"
desc="Text output of partially active resources"
cmd="crm_mon -1"
test_assert $CRM_EX_OK 0
desc="XML output of partially active resources"
cmd="crm_mon -1 --output-as=xml"
test_assert $CRM_EX_OK 0
desc="Text output of partially active resources, with inactive resources"
cmd="crm_mon -1 -r"
test_assert $CRM_EX_OK 0
# XML already includes inactive resources
desc="Text output of partially active resources, with inactive resources, filtered by node"
cmd="crm_mon -1 -r --node=cluster01"
test_assert $CRM_EX_OK 0
desc="Text output of partially active resources, filtered by node"
cmd="crm_mon -1 --output-as=xml --node=cluster01"
test_assert $CRM_EX_OK 0
unset CIB_file
}
function test_tools() {
local TMPXML
local TMPORIG
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
TMPORIG=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.existing.xml.XXXXXXXXXX)
export CIB_shadow_dir="${shadow_dir}"
$VALGRIND_CMD crm_shadow --batch --force --create-empty $shadow 2>&1
export CIB_shadow=$shadow
desc="Validate CIB"
cmd="cibadmin -Q"
test_assert $CRM_EX_OK
desc="Configure something before erasing"
cmd="crm_attribute -n cluster-delay -v 60s"
test_assert $CRM_EX_OK
desc="Require --force for CIB erasure"
cmd="cibadmin -E"
test_assert $CRM_EX_UNSAFE
desc="Allow CIB erasure with --force"
cmd="cibadmin -E --force"
test_assert $CRM_EX_OK
desc="Query CIB"
cmd="cibadmin -Q > $TMPORIG"
test_assert $CRM_EX_OK
desc="Set cluster option"
cmd="crm_attribute -n cluster-delay -v 60s"
test_assert $CRM_EX_OK
desc="Query new cluster option"
cmd="cibadmin -Q -o crm_config | grep cib-bootstrap-options-cluster-delay"
test_assert $CRM_EX_OK
desc="Query cluster options"
cmd="cibadmin -Q -o crm_config > $TMPXML"
test_assert $CRM_EX_OK
desc="Set no-quorum policy"
cmd="crm_attribute -n no-quorum-policy -v ignore"
test_assert $CRM_EX_OK
desc="Delete nvpair"
cmd="cibadmin -D -o crm_config --xml-text '<nvpair id=\"cib-bootstrap-options-cluster-delay\"/>'"
test_assert $CRM_EX_OK
desc="Create operation should fail"
cmd="cibadmin -C -o crm_config --xml-file $TMPXML"
test_assert $CRM_EX_EXISTS
desc="Modify cluster options section"
cmd="cibadmin -M -o crm_config --xml-file $TMPXML"
test_assert $CRM_EX_OK
desc="Query updated cluster option"
cmd="cibadmin -Q -o crm_config | grep cib-bootstrap-options-cluster-delay"
test_assert $CRM_EX_OK
desc="Set duplicate cluster option"
cmd="crm_attribute -n cluster-delay -v 40s -s duplicate"
test_assert $CRM_EX_OK
desc="Setting multiply defined cluster option should fail"
cmd="crm_attribute -n cluster-delay -v 30s"
test_assert $CRM_EX_MULTIPLE
desc="Set cluster option with -s"
cmd="crm_attribute -n cluster-delay -v 30s -s duplicate"
test_assert $CRM_EX_OK
desc="Delete cluster option with -i"
cmd="crm_attribute -n cluster-delay -D -i cib-bootstrap-options-cluster-delay"
test_assert $CRM_EX_OK
desc="Create node1 and bring it online"
cmd="crm_simulate --live-check --in-place --node-up=node1"
test_assert $CRM_EX_OK
desc="Create node attribute"
cmd="crm_attribute -n ram -v 1024M -N node1 -t nodes"
test_assert $CRM_EX_OK
desc="Query new node attribute"
cmd="cibadmin -Q -o nodes | grep node1-ram"
test_assert $CRM_EX_OK
desc="Set a transient (fail-count) node attribute"
cmd="crm_attribute -n fail-count-foo -v 3 -N node1 -t status"
test_assert $CRM_EX_OK
desc="Query a fail count"
cmd="crm_failcount --query -r foo -N node1"
test_assert $CRM_EX_OK
desc="Delete a transient (fail-count) node attribute"
cmd="crm_attribute -n fail-count-foo -D -N node1 -t status"
test_assert $CRM_EX_OK
desc="Digest calculation"
cmd="cibadmin -Q | cibadmin -5 -p 2>&1 > /dev/null"
test_assert $CRM_EX_OK
# This update will fail because it has version numbers
desc="Replace operation should fail"
cmd="cibadmin -R --xml-file $TMPORIG"
test_assert $CRM_EX_OLD
desc="Default standby value"
cmd="crm_standby -N node1 -G"
test_assert $CRM_EX_OK
desc="Set standby status"
cmd="crm_standby -N node1 -v true"
test_assert $CRM_EX_OK
desc="Query standby value"
cmd="crm_standby -N node1 -G"
test_assert $CRM_EX_OK
desc="Delete standby value"
cmd="crm_standby -N node1 -D"
test_assert $CRM_EX_OK
desc="Create a resource"
cmd="cibadmin -C -o resources --xml-text '<primitive id=\"dummy\" class=\"ocf\" provider=\"pacemaker\" type=\"Dummy\"/>'"
test_assert $CRM_EX_OK
desc="Create a resource meta attribute"
cmd="crm_resource -r dummy --meta -p is-managed -v false"
test_assert $CRM_EX_OK
desc="Query a resource meta attribute"
cmd="crm_resource -r dummy --meta -g is-managed"
test_assert $CRM_EX_OK
desc="Remove a resource meta attribute"
cmd="crm_resource -r dummy --meta -d is-managed"
test_assert $CRM_EX_OK
desc="Create another resource meta attribute"
cmd="crm_resource -r dummy --meta -p target-role -v Stopped"
test_assert $CRM_EX_OK 0
desc="Show why a resource is not running"
cmd="crm_resource -Y -r dummy"
test_assert $CRM_EX_OK 0
desc="Remove another resource meta attribute"
cmd="crm_resource -r dummy --meta -d target-role"
test_assert $CRM_EX_OK 0
desc="Create a resource attribute"
cmd="crm_resource -r dummy -p delay -v 10s"
test_assert $CRM_EX_OK
desc="List the configured resources"
cmd="crm_resource -L"
test_assert $CRM_EX_OK
desc="List IDs of instantiated resources"
cmd="crm_resource -l"
test_assert $CRM_EX_OK 0
desc="Show XML configuration of resource"
cmd="crm_resource -q -r dummy"
test_assert $CRM_EX_OK 0
desc="Require a destination when migrating a resource that is stopped"
cmd="crm_resource -r dummy -M"
test_assert $CRM_EX_USAGE
desc="Don't support migration to non-existent locations"
cmd="crm_resource -r dummy -M -N i.do.not.exist"
test_assert $CRM_EX_NOSUCH
desc="Create a fencing resource"
cmd="cibadmin -C -o resources --xml-text '<primitive id=\"Fence\" class=\"stonith\" type=\"fence_true\"/>'"
test_assert $CRM_EX_OK
desc="Bring resources online"
cmd="crm_simulate --live-check --in-place -S"
test_assert $CRM_EX_OK
desc="Try to move a resource to its existing location"
cmd="crm_resource -r dummy --move --node node1"
test_assert $CRM_EX_EXISTS
desc="Move a resource from its existing location"
cmd="crm_resource -r dummy --move"
test_assert $CRM_EX_OK
desc="Clear out constraints generated by --move"
cmd="crm_resource -r dummy --clear"
test_assert $CRM_EX_OK
desc="Default ticket granted state"
cmd="crm_ticket -t ticketA -G granted -d false"
test_assert $CRM_EX_OK
desc="Set ticket granted state"
cmd="crm_ticket -t ticketA -r --force"
test_assert $CRM_EX_OK
desc="Query ticket granted state"
cmd="crm_ticket -t ticketA -G granted"
test_assert $CRM_EX_OK
desc="Delete ticket granted state"
cmd="crm_ticket -t ticketA -D granted --force"
test_assert $CRM_EX_OK
desc="Make a ticket standby"
cmd="crm_ticket -t ticketA -s"
test_assert $CRM_EX_OK
desc="Query ticket standby state"
cmd="crm_ticket -t ticketA -G standby"
test_assert $CRM_EX_OK
desc="Activate a ticket"
cmd="crm_ticket -t ticketA -a"
test_assert $CRM_EX_OK
desc="Delete ticket standby state"
cmd="crm_ticket -t ticketA -D standby"
test_assert $CRM_EX_OK
desc="Ban a resource on unknown node"
cmd="crm_resource -r dummy -B -N host1"
test_assert $CRM_EX_NOSUCH
desc="Create two more nodes and bring them online"
cmd="crm_simulate --live-check --in-place --node-up=node2 --node-up=node3"
test_assert $CRM_EX_OK
desc="Ban dummy from node1"
cmd="crm_resource -r dummy -B -N node1"
test_assert $CRM_EX_OK
desc="Show where a resource is running"
cmd="crm_resource -r dummy -W"
test_assert $CRM_EX_OK 0
desc="Show constraints on a resource"
cmd="crm_resource -a -r dummy"
test_assert $CRM_EX_OK 0
desc="Ban dummy from node2"
cmd="crm_resource -r dummy -B -N node2"
test_assert $CRM_EX_OK
desc="Relocate resources due to ban"
cmd="crm_simulate --live-check --in-place -S"
test_assert $CRM_EX_OK
desc="Move dummy to node1"
cmd="crm_resource -r dummy -M -N node1"
test_assert $CRM_EX_OK
desc="Clear implicit constraints for dummy on node2"
cmd="crm_resource -r dummy -U -N node2"
test_assert $CRM_EX_OK
desc="Drop the status section"
cmd="cibadmin -R -o status --xml-text '<status/>'"
test_assert $CRM_EX_OK 0
desc="Create a clone"
cmd="cibadmin -C -o resources --xml-text '<clone id=\"test-clone\"><primitive id=\"test-primitive\" class=\"ocf\" provider=\"pacemaker\" type=\"Dummy\"/></clone>'"
test_assert $CRM_EX_OK 0
desc="Create a resource meta attribute"
cmd="crm_resource -r test-primitive --meta -p is-managed -v false"
test_assert $CRM_EX_OK
desc="Create a resource meta attribute in the primitive"
cmd="crm_resource -r test-primitive --meta -p is-managed -v false --force"
test_assert $CRM_EX_OK
desc="Update resource meta attribute with duplicates"
cmd="crm_resource -r test-clone --meta -p is-managed -v true"
test_assert $CRM_EX_OK
desc="Update resource meta attribute with duplicates (force clone)"
cmd="crm_resource -r test-clone --meta -p is-managed -v true --force"
test_assert $CRM_EX_OK
desc="Update child resource meta attribute with duplicates"
cmd="crm_resource -r test-primitive --meta -p is-managed -v false"
test_assert $CRM_EX_OK
desc="Delete resource meta attribute with duplicates"
cmd="crm_resource -r test-clone --meta -d is-managed"
test_assert $CRM_EX_OK
desc="Delete resource meta attribute in parent"
cmd="crm_resource -r test-primitive --meta -d is-managed"
test_assert $CRM_EX_OK
desc="Create a resource meta attribute in the primitive"
cmd="crm_resource -r test-primitive --meta -p is-managed -v false --force"
test_assert $CRM_EX_OK
desc="Update existing resource meta attribute"
cmd="crm_resource -r test-clone --meta -p is-managed -v true"
test_assert $CRM_EX_OK
desc="Create a resource meta attribute in the parent"
cmd="crm_resource -r test-clone --meta -p is-managed -v true --force"
test_assert $CRM_EX_OK
desc="Copy resources"
cmd="cibadmin -Q -o resources > $TMPXML"
test_assert $CRM_EX_OK 0
desc="Delete resource parent meta attribute (force)"
cmd="crm_resource -r test-clone --meta -d is-managed --force"
test_assert $CRM_EX_OK
desc="Restore duplicates"
cmd="cibadmin -R -o resources --xml-file $TMPXML"
test_assert $CRM_EX_OK
desc="Delete resource child meta attribute"
cmd="crm_resource -r test-primitive --meta -d is-managed"
test_assert $CRM_EX_OK
cibadmin -C -o resources --xml-text '<group id="dummy-group"> \
<primitive id="dummy1" class="ocf" provider="pacemaker" type="Dummy"\/> \
<primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"\/> \
</group>'
desc="Create a resource meta attribute in dummy1"
cmd="crm_resource -r dummy1 --meta -p is-managed -v true"
test_assert $CRM_EX_OK
desc="Create a resource meta attribute in dummy-group"
cmd="crm_resource -r dummy-group --meta -p is-managed -v false"
test_assert $CRM_EX_OK
cibadmin -D -o resource --xml-text '<group id="dummy-group">'
desc="Specify a lifetime when moving a resource"
cmd="crm_resource -r dummy --move --node node2 --lifetime=PT1H"
test_assert $CRM_EX_OK
desc="Try to move a resource previously moved with a lifetime"
cmd="crm_resource -r dummy --move --node node1"
test_assert $CRM_EX_OK
desc="Ban dummy from node1 for a short time"
cmd="crm_resource -r dummy -B -N node1 --lifetime=PT1S"
test_assert $CRM_EX_OK
desc="Remove expired constraints"
sleep 2
cmd="crm_resource --clear --expired"
test_assert $CRM_EX_OK
# Clear has already been tested elsewhere, but we need to get rid of the
# constraints so testing delete works. It won't delete if there's still
# a reference to the resource somewhere.
desc="Clear all implicit constraints for dummy"
cmd="crm_resource -r dummy -U"
test_assert $CRM_EX_OK
desc="Delete a resource"
cmd="crm_resource -D -r dummy -t primitive"
test_assert $CRM_EX_OK
unset CIB_shadow
unset CIB_shadow_dir
rm -f "$TMPXML" "$TMPORIG"
desc="Create an XML patchset"
cmd="crm_diff -o $test_home/cli/crm_diff_old.xml -n $test_home/cli/crm_diff_new.xml"
test_assert $CRM_EX_ERROR 0
}
INVALID_PERIODS=(
"2019-01-01 00:00:00Z" # Start with no end
"2019-01-01 00:00:00Z/" # Start with only a trailing slash
"PT2S/P1M" # Two durations
"2019-13-01 00:00:00Z/P1M" # Out-of-range month
"20191077T15/P1M" # Out-of-range day
"2019-10-01T25:00:00Z/P1M" # Out-of-range hour
"2019-10-01T24:00:01Z/P1M" # Hour 24 with anything but :00:00
"PT5H/20191001T007000Z" # Out-of-range minute
"2019-10-01 00:00:80Z/P1M" # Out-of-range second
"2019-10-01 00:00:10 +25:00/P1M" # Out-of-range offset hour
"20191001T000010 -00:61/P1M" # Out-of-range offset minute
"P1Y/2019-02-29 00:00:00Z" # Feb. 29 in non-leap-year
"2019-01-01 00:00:00Z/P" # Duration with no values
"P1Z/2019-02-20 00:00:00Z" # Invalid duration unit
"P1YM/2019-02-20 00:00:00Z" # No number for duration unit
)
function test_dates() {
# Ensure invalid period specifications are rejected
for spec in '' "${INVALID_PERIODS[@]}"; do
desc="Invalid period - [$spec]"
cmd="iso8601 -p \"$spec\""
test_assert $CRM_EX_INVALID_PARAM 0
done
desc="2014-01-01 00:30:00 - 1 Hour"
cmd="iso8601 -d '2014-01-01 00:30:00Z' -D P-1H -E '2013-12-31 23:30:00Z'"
test_assert $CRM_EX_OK 0
desc="Valid date - Feb 29 in leap year"
cmd="iso8601 -d '2020-02-29 00:00:00Z' -E '2020-02-29 00:00:00Z'"
test_assert $CRM_EX_OK 0
desc="Valid date - using 'T' and offset"
cmd="iso8601 -d '20191201T131211 -05:00' -E '2019-12-01 18:12:11Z'"
test_assert $CRM_EX_OK 0
desc="24:00:00 equivalent to 00:00:00 of next day"
cmd="iso8601 -d '2019-12-31 24:00:00Z' -E '2020-01-01 00:00:00Z'"
test_assert $CRM_EX_OK 0
for y in 06 07 08 09 10 11 12 13 14 15 16 17 18 40; do
desc="20$y-W01-7"
cmd="iso8601 -d '20$y-W01-7 00Z'"
test_assert $CRM_EX_OK 0
desc="20$y-W01-7 - round-trip"
cmd="iso8601 -d '20$y-W01-7 00Z' -W -E '20$y-W01-7 00:00:00Z'"
test_assert $CRM_EX_OK 0
desc="20$y-W01-1"
cmd="iso8601 -d '20$y-W01-1 00Z'"
test_assert $CRM_EX_OK 0
desc="20$y-W01-1 - round-trip"
cmd="iso8601 -d '20$y-W01-1 00Z' -W -E '20$y-W01-1 00:00:00Z'"
test_assert $CRM_EX_OK 0
done
desc="2009-W53-07"
cmd="iso8601 -d '2009-W53-7 00:00:00Z' -W -E '2009-W53-7 00:00:00Z'"
test_assert $CRM_EX_OK 0
desc="epoch + 2 Years 5 Months 6 Minutes"
cmd="iso8601 -d 'epoch' -D P2Y5MT6M -E '1972-06-01 00:06:00Z'"
test_assert $CRM_EX_OK 0
desc="2009-01-31 + 1 Month"
cmd="iso8601 -d '20090131T000000Z' -D P1M -E '2009-02-28 00:00:00Z'"
test_assert $CRM_EX_OK 0
desc="2009-01-31 + 2 Months"
cmd="iso8601 -d '2009-01-31 00:00:00Z' -D P2M -E '2009-03-31 00:00:00Z'"
test_assert $CRM_EX_OK 0
desc="2009-01-31 + 3 Months"
cmd="iso8601 -d '2009-01-31 00:00:00Z' -D P3M -E '2009-04-30 00:00:00Z'"
test_assert $CRM_EX_OK 0
desc="2009-03-31 - 1 Month"
cmd="iso8601 -d '2009-03-31 01:00:00 +01:00' -D P-1M -E '2009-02-28 00:00:00Z'"
test_assert $CRM_EX_OK 0
desc="2038-01-01 + 3 Months"
cmd="iso8601 -d '2038-01-01 00:00:00Z' -D P3M -E '2038-04-01 00:00:00Z'"
test_assert $CRM_EX_OK 0
}
function test_acl_loop() {
local TMPXML
TMPXML="$1"
# Make sure we're rejecting things for the right reasons
export PCMK_trace_functions=pcmk__check_acl,pcmk__apply_creation_acl
export PCMK_stderr=1
CIB_user=root cibadmin --replace --xml-text '<resources/>'
+ ### no ACL ###
export CIB_user=unknownguy
desc="$CIB_user: Query configuration"
cmd="cibadmin -Q"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
desc="$CIB_user: Set enable-acl"
cmd="crm_attribute -n enable-acl -v false"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
desc="$CIB_user: Set stonith-enabled"
cmd="crm_attribute -n stonith-enabled -v false"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
desc="$CIB_user: Create a resource"
cmd="cibadmin -C -o resources --xml-text '<primitive id=\"dummy\" class=\"ocf\" provider=\"pacemaker\" type=\"Dummy\"/>'"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
+ ### deny /cib permission ###
export CIB_user=l33t-haxor
desc="$CIB_user: Query configuration"
cmd="cibadmin -Q"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
desc="$CIB_user: Set enable-acl"
cmd="crm_attribute -n enable-acl -v false"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
desc="$CIB_user: Set stonith-enabled"
cmd="crm_attribute -n stonith-enabled -v false"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
desc="$CIB_user: Create a resource"
cmd="cibadmin -C -o resources --xml-text '<primitive id=\"dummy\" class=\"ocf\" provider=\"pacemaker\" type=\"Dummy\"/>'"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
+ ### observer role ###
export CIB_user=niceguy
desc="$CIB_user: Query configuration"
cmd="cibadmin -Q"
test_assert $CRM_EX_OK 0
desc="$CIB_user: Set enable-acl"
cmd="crm_attribute -n enable-acl -v false"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
desc="$CIB_user: Set stonith-enabled"
cmd="crm_attribute -n stonith-enabled -v false"
test_assert $CRM_EX_OK
desc="$CIB_user: Create a resource"
cmd="cibadmin -C -o resources --xml-text '<primitive id=\"dummy\" class=\"ocf\" provider=\"pacemaker\" type=\"Dummy\"/>'"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
export CIB_user=root
desc="$CIB_user: Query configuration"
cmd="cibadmin -Q"
test_assert $CRM_EX_OK 0
desc="$CIB_user: Set stonith-enabled"
cmd="crm_attribute -n stonith-enabled -v true"
test_assert $CRM_EX_OK
desc="$CIB_user: Create a resource"
cmd="cibadmin -C -o resources --xml-text '<primitive id=\"dummy\" class=\"ocf\" provider=\"pacemaker\" type=\"Dummy\"/>'"
test_assert $CRM_EX_OK
+ ### deny /cib permission ###
export CIB_user=l33t-haxor
desc="$CIB_user: Create a resource meta attribute"
cmd="crm_resource -r dummy --meta -p target-role -v Stopped"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
desc="$CIB_user: Query a resource meta attribute"
cmd="crm_resource -r dummy --meta -g target-role"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
desc="$CIB_user: Remove a resource meta attribute"
cmd="crm_resource -r dummy --meta -d target-role"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
+ ### observer role ###
export CIB_user=niceguy
desc="$CIB_user: Create a resource meta attribute"
cmd="crm_resource -r dummy --meta -p target-role -v Stopped"
test_assert $CRM_EX_OK
desc="$CIB_user: Query a resource meta attribute"
cmd="crm_resource -r dummy --meta -g target-role"
test_assert $CRM_EX_OK
desc="$CIB_user: Remove a resource meta attribute"
cmd="crm_resource -r dummy --meta -d target-role"
test_assert $CRM_EX_OK
desc="$CIB_user: Create a resource meta attribute"
cmd="crm_resource -r dummy --meta -p target-role -v Started"
test_assert $CRM_EX_OK
+ ### read //meta_attributes ###
export CIB_user=badidea
desc="$CIB_user: Query configuration - implied deny"
cmd="cibadmin -Q"
test_assert $CRM_EX_OK 0
+ ### deny /cib, read //meta_attributes ###
export CIB_user=betteridea
desc="$CIB_user: Query configuration - explicit deny"
cmd="cibadmin -Q"
test_assert $CRM_EX_OK 0
CIB_user=root cibadmin -Q > "$TMPXML"
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --delete --xml-text '<acls/>'
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+ ### observer role ###
export CIB_user=niceguy
desc="$CIB_user: Replace - remove acls"
cmd="cibadmin --replace --xml-file $TMPXML"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
CIB_user=root cibadmin -Q > "$TMPXML"
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -C -o resources --xml-text '<primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>'
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
desc="$CIB_user: Replace - create resource"
cmd="cibadmin --replace --xml-file $TMPXML"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
CIB_user=root cibadmin -Q > "$TMPXML"
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" crm_attribute -n enable-acl -v false
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
desc="$CIB_user: Replace - modify attribute (deny)"
cmd="cibadmin --replace --xml-file $TMPXML"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
CIB_user=root cibadmin -Q > "$TMPXML"
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --replace --xml-text '<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/>'
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
desc="$CIB_user: Replace - delete attribute (deny)"
cmd="cibadmin --replace --xml-file $TMPXML"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
CIB_user=root cibadmin -Q > "$TMPXML"
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
desc="$CIB_user: Replace - create attribute (deny)"
cmd="cibadmin --replace --xml-file $TMPXML"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
+ ### admin role ###
CIB_user=bob
CIB_user=root cibadmin -Q > "$TMPXML"
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
- desc="$CIB_user: Replace - create attribute (allow)"
+ desc="$CIB_user: Replace - create attribute (direct allow)"
cmd="cibadmin --replace -o resources --xml-file $TMPXML"
test_assert $CRM_EX_OK 0
CIB_user=root cibadmin -Q > "$TMPXML"
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="something interesting"/>'
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
- desc="$CIB_user: Replace - modify attribute (allow)"
+ desc="$CIB_user: Replace - modify attribute (direct allow)"
cmd="cibadmin --replace -o resources --xml-file $TMPXML"
test_assert $CRM_EX_OK 0
CIB_user=root cibadmin -Q > "$TMPXML"
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --replace -o resources --xml-text '<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>'
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
- desc="$CIB_user: Replace - delete attribute (allow)"
+ desc="$CIB_user: Replace - delete attribute (direct allow)"
cmd="cibadmin --replace -o resources --xml-file $TMPXML"
test_assert $CRM_EX_OK 0
+
+ ### super_user role ###
+ export CIB_user=joe
+
+ CIB_user=root cibadmin -Q > "$TMPXML"
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+ desc="$CIB_user: Replace - create attribute (inherited allow)"
+ cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+ test_assert $CRM_EX_OK 0
+
+ CIB_user=root cibadmin -Q > "$TMPXML"
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="something interesting"/>'
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+ desc="$CIB_user: Replace - modify attribute (inherited allow)"
+ cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+ test_assert $CRM_EX_OK 0
+
+ CIB_user=root cibadmin -Q > "$TMPXML"
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --replace -o resources --xml-text '<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>'
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+ desc="$CIB_user: Replace - delete attribute (inherited allow)"
+ cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+ test_assert $CRM_EX_OK 0
+
+ ### rsc_writer role ###
+ export CIB_user=mike
+
+ CIB_user=root cibadmin -Q > "$TMPXML"
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+ desc="$CIB_user: Replace - create attribute (allow overrides deny)"
+ cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+ test_assert $CRM_EX_OK 0
+
+ CIB_user=root cibadmin -Q > "$TMPXML"
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="something interesting"/>'
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+ desc="$CIB_user: Replace - modify attribute (allow overrides deny)"
+ cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+ test_assert $CRM_EX_OK 0
+
+ CIB_user=root cibadmin -Q > "$TMPXML"
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --replace -o resources --xml-text '<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>'
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+ desc="$CIB_user: Replace - delete attribute (allow overrides deny)"
+ cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+ test_assert $CRM_EX_OK 0
+
+ ### rsc_denied role ###
+ export CIB_user=chris
+
+ CIB_user=root cibadmin -Q > "$TMPXML"
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+ desc="$CIB_user: Replace - create attribute (deny overrides allow)"
+ cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+ test_assert $CRM_EX_INSUFFICIENT_PRIV 0
+
+ # Set as root since setting as chris failed
+ CIB_user=root cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'
+
+ CIB_user=root cibadmin -Q > "$TMPXML"
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="something interesting"/>'
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+ desc="$CIB_user: Replace - modify attribute (deny overrides allow)"
+ cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+ test_assert $CRM_EX_INSUFFICIENT_PRIV 0
+
+ # Set as root since setting as chris failed
+ CIB_user=root cibadmin --modify --xml-text '<primitive id="dummy" description="something interesting"/>'
+
+ CIB_user=root cibadmin -Q > "$TMPXML"
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --replace -o resources --xml-text '<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>'
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+ desc="$CIB_user: Replace - delete attribute (deny overrides allow)"
+ cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+ test_assert $CRM_EX_INSUFFICIENT_PRIV 0
}
function test_acls() {
local SHADOWPATH
local TMPXML
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.acls.xml.XXXXXXXXXX)
export CIB_shadow_dir="${shadow_dir}"
$VALGRIND_CMD crm_shadow --batch --force --create-empty $shadow --validate-with pacemaker-1.3 2>&1
export CIB_shadow=$shadow
cat <<EOF > "$TMPXML"
<acls>
<acl_user id="l33t-haxor">
<deny id="crook-nothing" xpath="/cib"/>
</acl_user>
<acl_user id="niceguy">
<role_ref id="observer"/>
</acl_user>
<acl_user id="bob">
<role_ref id="admin"/>
</acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
<acl_role id="observer">
<read id="observer-read-1" xpath="/cib"/>
<write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
<write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
</acl_role>
<acl_role id="admin">
<read id="admin-read-1" xpath="/cib"/>
<write id="admin-write-1" xpath="//resources"/>
</acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
</acls>
EOF
desc="Configure some ACLs"
cmd="cibadmin -M -o acls --xml-file $TMPXML"
test_assert $CRM_EX_OK
desc="Enable ACLs"
cmd="crm_attribute -n enable-acl -v true"
test_assert $CRM_EX_OK
desc="Set cluster option"
cmd="crm_attribute -n no-quorum-policy -v ignore"
test_assert $CRM_EX_OK
desc="New ACL"
cmd="cibadmin --create -o acls --xml-text '<acl_user id=\"badidea\"><read id=\"badidea-resources\" xpath=\"//meta_attributes\"/></acl_user>'"
test_assert $CRM_EX_OK
desc="Another ACL"
cmd="cibadmin --create -o acls --xml-text '<acl_user id=\"betteridea\"><read id=\"betteridea-resources\" xpath=\"//meta_attributes\"/></acl_user>'"
test_assert $CRM_EX_OK
desc="Updated ACL"
cmd="cibadmin --replace -o acls --xml-text '<acl_user id=\"betteridea\"><deny id=\"betteridea-nothing\" xpath=\"/cib\"/><read id=\"betteridea-resources\" xpath=\"//meta_attributes\"/></acl_user>'"
test_assert $CRM_EX_OK
test_acl_loop "$TMPXML"
printf "\n\n !#!#!#!#! Upgrading to latest CIB schema and re-testing !#!#!#!#!\n"
printf "\nUpgrading to latest CIB schema and re-testing\n" 1>&2
export CIB_user=root
desc="$CIB_user: Upgrade to latest CIB schema"
cmd="cibadmin --upgrade --force -V"
test_assert $CRM_EX_OK
SHADOWPATH="$(crm_shadow --file)"
# sed -i isn't portable :-(
cp -p "$SHADOWPATH" "${SHADOWPATH}.$$" # to keep permissions
sed -e 's/epoch=.2/epoch=\"6/g' -e 's/admin_epoch=.1/admin_epoch=\"0/g' \
"$SHADOWPATH" > "${SHADOWPATH}.$$"
mv -- "${SHADOWPATH}.$$" "$SHADOWPATH"
test_acl_loop "$TMPXML"
unset CIB_shadow_dir
rm -f "$TMPXML"
}
function test_validity() {
local TMPGOOD
local TMPBAD
TMPGOOD=$(mktemp ${TMPDIR:-/tmp}/cts-cli.validity.good.xml.XXXXXXXXXX)
TMPBAD=$(mktemp ${TMPDIR:-/tmp}/cts-cli.validity.bad.xml.XXXXXXXXXX)
export CIB_shadow_dir="${shadow_dir}"
$VALGRIND_CMD crm_shadow --batch --force --create-empty $shadow --validate-with pacemaker-1.2 2>&1
export CIB_shadow=$shadow
export PCMK_trace_functions=apply_upgrade,update_validation,cli_config_update
export PCMK_stderr=1
cibadmin -C -o resources --xml-text '<primitive id="dummy1" class="ocf" provider="pacemaker" type="Dummy"/>'
cibadmin -C -o resources --xml-text '<primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>'
cibadmin -C -o constraints --xml-text '<rsc_order id="ord_1-2" first="dummy1" first-action="start" then="dummy2"/>'
cibadmin -Q > "$TMPGOOD"
desc="Try to make resulting CIB invalid (enum violation)"
cmd="cibadmin -M -o constraints --xml-text '<rsc_order id=\"ord_1-2\" first=\"dummy1\" first-action=\"break\" then=\"dummy2\"/>'"
test_assert $CRM_EX_CONFIG
sed 's|"start"|"break"|' "$TMPGOOD" > "$TMPBAD"
desc="Run crm_simulate with invalid CIB (enum violation)"
cmd="crm_simulate -x $TMPBAD -S"
test_assert $CRM_EX_CONFIG 0
desc="Try to make resulting CIB invalid (unrecognized validate-with)"
cmd="cibadmin -M --xml-text '<cib validate-with=\"pacemaker-9999.0\"/>'"
test_assert $CRM_EX_CONFIG
sed 's|"pacemaker-1.2"|"pacemaker-9999.0"|' "$TMPGOOD" > "$TMPBAD"
desc="Run crm_simulate with invalid CIB (unrecognized validate-with)"
cmd="crm_simulate -x $TMPBAD -S"
test_assert $CRM_EX_CONFIG 0
desc="Try to make resulting CIB invalid, but possibly recoverable (valid with X.Y+1)"
cmd="cibadmin -C -o configuration --xml-text '<tags/>'"
test_assert $CRM_EX_CONFIG
sed 's|</configuration>|<tags/></configuration>|' "$TMPGOOD" > "$TMPBAD"
desc="Run crm_simulate with invalid, but possibly recoverable CIB (valid with X.Y+1)"
cmd="crm_simulate -x $TMPBAD -S"
test_assert $CRM_EX_OK 0
sed 's|[ ][ ]*validate-with="[^"]*"||' "$TMPGOOD" > "$TMPBAD"
desc="Make resulting CIB valid, although without validate-with attribute"
cmd="cibadmin -R --xml-file $TMPBAD"
test_assert $CRM_EX_OK
desc="Run crm_simulate with valid CIB, but without validate-with attribute"
cmd="crm_simulate -x $TMPBAD -S"
test_assert $CRM_EX_OK 0
# this will just disable validation and accept the config, outputting
# validation errors
sed -e 's|[ ][ ]*validate-with="[^"]*"||' \
-e 's|\([ ][ ]*epoch="[^"]*\)"|\10"|' -e 's|"start"|"break"|' \
"$TMPGOOD" > "$TMPBAD"
desc="Make resulting CIB invalid, and without validate-with attribute"
cmd="cibadmin -R --xml-file $TMPBAD"
test_assert $CRM_EX_OK
desc="Run crm_simulate with invalid CIB, also without validate-with attribute"
cmd="crm_simulate -x $TMPBAD -S"
test_assert $CRM_EX_OK 0
unset CIB_shadow_dir
rm -f "$TMPGOOD" "$TMPBAD"
}
test_upgrade() {
local TMPXML
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
export CIB_shadow_dir="${shadow_dir}"
$VALGRIND_CMD crm_shadow --batch --force --create-empty $shadow --validate-with pacemaker-2.10 2>&1
export CIB_shadow=$shadow
desc="Set stonith-enabled=false"
cmd="crm_attribute -n stonith-enabled -v false"
test_assert $CRM_EX_OK
cat <<EOF > "$TMPXML"
<resources>
<primitive id="mySmartFuse" class="ocf" provider="experiment" type="SmartFuse">
<operations>
<op id="mySmartFuse-start" name="start" interval="0" timeout="40s"/>
<op id="mySmartFuse-monitor-inputpower" name="monitor" interval="30s">
<instance_attributes id="mySmartFuse-inputpower-instanceparams">
<nvpair id="mySmartFuse-inputpower-requires" name="requires" value="inputpower"/>
</instance_attributes>
</op>
<op id="mySmartFuse-monitor-outputpower" name="monitor" interval="2s">
<instance_attributes id="mySmartFuse-outputpower-instanceparams">
<nvpair id="mySmartFuse-outputpower-requires" name="requires" value="outputpower"/>
</instance_attributes>
</op>
</operations>
<instance_attributes id="mySmartFuse-params">
<nvpair id="mySmartFuse-params-ip" name="ip" value="192.0.2.10"/>
</instance_attributes>
<!-- a bit hairy but valid -->
<instance_attributes id-ref="mySmartFuse-outputpower-instanceparams"/>
</primitive>
</resources>
EOF
desc="Configure the initial resource"
cmd="cibadmin -M -o resources --xml-file $TMPXML"
test_assert $CRM_EX_OK
desc="Upgrade to latest CIB schema (trigger 2.10.xsl + the wrapping)"
cmd="cibadmin --upgrade --force -V -V"
test_assert $CRM_EX_OK
desc="Query a resource instance attribute (shall survive)"
cmd="crm_resource -r mySmartFuse -g requires"
test_assert $CRM_EX_OK
unset CIB_shadow_dir
rm -f "$TMPXML"
}
test_rules() {
local TMPXML
export CIB_shadow_dir="${shadow_dir}"
$VALGRIND_CMD crm_shadow --batch --force --create-empty $shadow 2>&1
export CIB_shadow=$shadow
cibadmin -C -o resources --xml-text '<primitive class="ocf" id="dummy" provider="heartbeat" type="Dummy" />'
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
cat <<EOF > "$TMPXML"
<rsc_location id="cli-too-many-date-expressions" rsc="dummy">
<rule id="cli-rule-too-many-date-expressions" score="INFINITY" boolean-op="or">
<date_expression id="cli-date-expression-1" operation="gt" start="2020-01-01 01:00:00 -0500"/>
<date_expression id="cli-date-expression-2" operation="lt" end="2019-01-01 01:00:00 -0500"/>
</rule>
</rsc_location>
EOF
cibadmin -C -o constraints -x "$TMPXML"
rm -f "$TMPXML"
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
cat <<EOF > "$TMPXML"
<rsc_location id="cli-prefer-dummy-expired" rsc="dummy">
<rule id="cli-prefer-rule-dummy-expired" score="INFINITY">
<date_expression id="cli-prefer-lifetime-end-dummy-expired" operation="lt" end="2019-01-01 12:00:00 -05:00"/>
</rule>
</rsc_location>
EOF
cibadmin -C -o constraints -x "$TMPXML"
rm -f "$TMPXML"
if [ "$(uname)" == "FreeBSD" ]; then
tomorrow=$(date -v+1d +"%F %T %z")
else
tomorrow=$(date --date=tomorrow +"%F %T %z")
fi
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
cat <<EOF > "$TMPXML"
<rsc_location id="cli-prefer-dummy-not-yet" rsc="dummy">
<rule id="cli-prefer-rule-dummy-not-yet" score="INFINITY">
<date_expression id="cli-prefer-lifetime-end-dummy-not-yet" operation="gt" start="${tomorrow}"/>
</rule>
</rsc_location>
EOF
cibadmin -C -o constraints -x "$TMPXML"
rm -f "$TMPXML"
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
cat <<EOF > "$TMPXML"
<rsc_location id="cli-prefer-dummy-date_spec-only-years" rsc="dummy">
<rule id="cli-prefer-rule-dummy-date_spec-only-years" score="INFINITY">
<date_expression id="cli-prefer-dummy-date_spec-only-years-expr" operation="date_spec">
<date_spec id="cli-prefer-dummy-date_spec-only-years-spec" years="2019"/>
</date_expression>
</rule>
</rsc_location>
EOF
cibadmin -C -o constraints -x "$TMPXML"
rm -f "$TMPXML"
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
cat <<EOF > "$TMPXML"
<rsc_location id="cli-prefer-dummy-date_spec-without-years" rsc="dummy">
<rule id="cli-prefer-rule-dummy-date_spec-without-years" score="INFINITY">
<date_expression id="cli-prefer-dummy-date_spec-without-years-expr" operation="date_spec">
<date_spec id="cli-prefer-dummy-date_spec-without-years-spec" hours="20" months="1,3,5,7"/>
</date_expression>
</rule>
</rsc_location>
EOF
cibadmin -C -o constraints -x "$TMPXML"
rm -f "$TMPXML"
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
cat <<EOF > "$TMPXML"
<rsc_location id="cli-prefer-dummy-date_spec-years-moon" rsc="dummy">
<rule id="cli-prefer-rule-dummy-date_spec-years-moon" score="INFINITY">
<date_expression id="cli-prefer-dummy-date_spec-years-moon-expr" operation="date_spec">
<date_spec id="cli-prefer-dummy-date_spec-years-moon-spec" years="2019" moon="1"/>
</date_expression>
</rule>
</rsc_location>
EOF
cibadmin -C -o constraints -x "$TMPXML"
rm -f "$TMPXML"
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
cat <<EOF > "$TMPXML"
<rsc_location id="cli-no-date_expression" rsc="dummy">
<rule id="cli-no-date_expression-rule" score="INFINITY">
<expression id="ban-apache-expr" attribute="#uname" operation="eq" value="node3"/>
</rule>
</rsc_location>
EOF
cibadmin -C -o constraints -x "$TMPXML"
rm -f "$TMPXML"
desc="Try to check a rule that doesn't exist"
cmd="crm_rule -c -r blahblah"
test_assert $CRM_EX_NOSUCH
desc="Try to check a rule that has too many date_expressions"
cmd="crm_rule -c -r cli-rule-too-many-date-expressions"
test_assert $CRM_EX_UNIMPLEMENT_FEATURE
desc="Verify basic rule is expired"
cmd="crm_rule -c -r cli-prefer-rule-dummy-expired"
test_assert $CRM_EX_EXPIRED
desc="Verify basic rule worked in the past"
cmd="crm_rule -c -r cli-prefer-rule-dummy-expired -d 20180101"
test_assert $CRM_EX_OK
desc="Verify basic rule is not yet in effect"
cmd="crm_rule -c -r cli-prefer-rule-dummy-not-yet"
test_assert $CRM_EX_NOT_YET_IN_EFFECT
desc="Verify date_spec rule with years has expired"
cmd="crm_rule -c -r cli-prefer-rule-dummy-date_spec-only-years"
test_assert $CRM_EX_EXPIRED
desc="Verify date_spec rule with years is in effect"
cmd="crm_rule -c -r cli-prefer-rule-dummy-date_spec-only-years -d 20190201"
test_assert $CRM_EX_OK
desc="Try to check a rule whose date_spec does not contain years="
cmd="crm_rule -c -r cli-prefer-rule-dummy-date_spec-without-years"
test_assert $CRM_EX_NOSUCH
desc="Try to check a rule whose date_spec contains years= and moon="
cmd="crm_rule -c -r cli-prefer-rule-dummy-date_spec-years-moon"
test_assert $CRM_EX_NOSUCH
desc="Try to check a rule with no date_expression"
cmd="crm_rule -c -r cli-no-date_expression-rule"
test_assert $CRM_EX_UNIMPLEMENT_FEATURE
unset CIB_shadow_dir
}
# Process command-line arguments
while [ $# -gt 0 ]; do
case "$1" in
-t)
tests="$2"
shift 2
;;
-V|--verbose)
verbose=1
shift
;;
-v|--valgrind)
export G_SLICE=always-malloc
VALGRIND_CMD="valgrind $VALGRIND_OPTS"
shift
;;
-s)
do_save=1
shift
;;
-p)
export PATH="$2:$PATH"
shift
;;
--help)
echo "$USAGE_TEXT"
exit $CRM_EX_OK
;;
*)
echo "error: unknown option $1"
echo
echo "$USAGE_TEXT"
exit $CRM_EX_USAGE
;;
esac
done
for t in $tests; do
case "$t" in
dates) ;;
tools) ;;
acls) ;;
validity) ;;
upgrade) ;;
rules) ;;
crm_mon) ;;
*)
echo "error: unknown test $t"
echo
echo "$USAGE_TEXT"
exit $CRM_EX_USAGE
;;
esac
done
# Check whether we're running from source directory
SRCDIR=$(dirname $test_home)
if [ -x "$SRCDIR/tools/crm_simulate" ]; then
export PATH="$SRCDIR/tools:$PATH"
echo "Using local binaries from: $SRCDIR/tools"
if [ -x "$SRCDIR/xml" ]; then
export PCMK_schema_directory="$SRCDIR/xml"
echo "Using local schemas from: $PCMK_schema_directory"
fi
fi
for t in $tests; do
echo "Testing $t"
TMPFILE=$(mktemp ${TMPDIR:-/tmp}/cts-cli.$t.XXXXXXXXXX)
eval TMPFILE_$t="$TMPFILE"
test_$t > "$TMPFILE"
# last-run= and last-rc-change= are always numeric in the CIB. However,
# for the crm_mon test we also need to compare against the XML output of
# the crm_mon program. There, these are shown as human readable strings
# (like the output of the `date` command).
sed -e 's/cib-last-written.*>/>/'\
-e 's/ last-run=\"[A-Za-z0-9: ]*\"//'\
-e 's/Last updated: .*/Last updated:/' \
-e 's/Last change: .*/Last change:/' \
-e 's/(version .*)/(version)/' \
-e 's/last_update time=\".*\"/last_update time=\"\"/' \
-e 's/last_change time=\".*\"/last_change time=\"\"/' \
-e 's/ version=\".*\" / version=\"\" /' \
-e 's/request=\".*crm_mon/request=\"crm_mon/' \
-e 's/crm_feature_set="[^"]*" //'\
-e 's/validate-with="[^"]*" //'\
-e 's/Created new pacemaker-.* configuration/Created new pacemaker configuration/'\
-e 's/.*\(pcmk__.*\)@.*\.c:[0-9][0-9]*)/\1/g' \
-e 's/.*\(unpack_.*\)@.*\.c:[0-9][0-9]*)/\1/g' \
-e 's/.*\(update_validation\)@.*\.c:[0-9][0-9]*)/\1/g' \
-e 's/.*\(apply_upgrade\)@.*\.c:[0-9][0-9]*)/\1/g' \
-e 's/ last-rc-change=\"[A-Za-z0-9: ]*\"//'\
-e 's|^/tmp/cts-cli\.validity\.bad.xml\.[^:]*:|validity.bad.xml:|'\
-e 's/^Entity: line [0-9][0-9]*: //'\
-e 's/\(validation ([0-9][0-9]* of \)[0-9][0-9]*\().*\)/\1X\2/' \
-e 's/^Migration will take effect until: .*/Migration will take effect until:/' \
-e 's/ end=\"[0-9][-+: 0-9]*Z*\"/ end=\"\"/' \
-e 's/ start=\"[0-9][-+: 0-9]*Z*\"/ start=\"\"/' \
-e 's/^Error checking rule: Device not configured/Error checking rule: No such device or address/' \
"$TMPFILE" > "${TMPFILE}.$$"
mv -- "${TMPFILE}.$$" "$TMPFILE"
if [ $do_save -eq 1 ]; then
cp "$TMPFILE" $test_home/cli/regression.$t.exp
fi
done
rm -rf "${shadow_dir}"
failed=0
if [ $verbose -eq 1 ]; then
echo -e "\n\nResults"
fi
for t in $tests; do
eval TMPFILE="\$TMPFILE_$t"
if [ $verbose -eq 1 ]; then
diff -wu $test_home/cli/regression.$t.exp "$TMPFILE"
else
diff -w $test_home/cli/regression.$t.exp "$TMPFILE" >/dev/null 2>&1
fi
if [ $? -ne 0 ]; then
failed=1
fi
done
echo -e "\n\nSummary"
for t in $tests; do
eval TMPFILE="\$TMPFILE_$t"
grep -e '^\* \(Passed\|Failed\)' "$TMPFILE"
done
if [ $num_errors -ne 0 ]; then
echo "$num_errors tests failed; see output in:"
for t in $tests; do
eval TMPFILE="\$TMPFILE_$t"
echo " $TMPFILE"
done
exit $CRM_EX_ERROR
elif [ $failed -eq 1 ]; then
echo "$num_passed tests passed but output was unexpected; see output in:"
for t in $tests; do
eval TMPFILE="\$TMPFILE_$t"
echo " $TMPFILE"
done
exit $CRM_EX_DIGEST
else
echo $num_passed tests passed
for t in $tests; do
eval TMPFILE="\$TMPFILE_$t"
rm -f "$TMPFILE"
done
crm_shadow --force --delete $shadow >/dev/null 2>&1
exit $CRM_EX_OK
fi