diff --git a/cts/cli/regression.acls.exp b/cts/cli/regression.acls.exp
index 22c2ce9f94..d9e76459ec 100644
--- a/cts/cli/regression.acls.exp
+++ b/cts/cli/regression.acls.exp
@@ -1,2348 +1,4438 @@
Created new pacemaker configuration
Setting up shadow instance
A new shadow instance was created. To begin using it paste the following into your shell:
CIB_shadow=cts-cli ; export CIB_shadow
=#=#=#= Begin test: Configure some ACLs =#=#=#=
=#=#=#= Current cib after: Configure some ACLs =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= End test: Configure some ACLs - OK (0) =#=#=#=
* Passed: cibadmin - Configure some ACLs
=#=#=#= Begin test: Enable ACLs =#=#=#=
=#=#=#= Current cib after: Enable ACLs =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= End test: Enable ACLs - OK (0) =#=#=#=
* Passed: crm_attribute - Enable ACLs
=#=#=#= Begin test: Set cluster option =#=#=#=
=#=#=#= Current cib after: Set cluster option =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= End test: Set cluster option - OK (0) =#=#=#=
* Passed: crm_attribute - Set cluster option
=#=#=#= Begin test: New ACL =#=#=#=
=#=#=#= Current cib after: New ACL =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= End test: New ACL - OK (0) =#=#=#=
* Passed: cibadmin - New ACL
=#=#=#= Begin test: Another ACL =#=#=#=
=#=#=#= Current cib after: Another ACL =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= End test: Another ACL - OK (0) =#=#=#=
* Passed: cibadmin - Another ACL
=#=#=#= Begin test: Updated ACL =#=#=#=
=#=#=#= Current cib after: Updated ACL =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= End test: Updated ACL - OK (0) =#=#=#=
* Passed: cibadmin - Updated ACL
=#=#=#= Begin test: unknownguy: Query configuration =#=#=#=
Call failed: Permission denied
=#=#=#= End test: unknownguy: Query configuration - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - unknownguy: Query configuration
=#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: unknownguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
* Passed: crm_attribute - unknownguy: Set enable-acl
=#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: unknownguy: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
* Passed: crm_attribute - unknownguy: Set stonith-enabled
=#=#=#= Begin test: unknownguy: Create a resource =#=#=#=
pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@id]
pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@class]
pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@provider]
pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@type]
pcmk__apply_creation_acl trace: Creation of scaffolding with id="" is implicitly allowed
Call failed: Permission denied
=#=#=#= End test: unknownguy: Create a resource - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - unknownguy: Create a resource
=#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#=
Call failed: Permission denied
=#=#=#= End test: l33t-haxor: Query configuration - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - l33t-haxor: Query configuration
=#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Set enable-acl - Insufficient privileges (4) =#=#=#=
* Passed: crm_attribute - l33t-haxor: Set enable-acl
=#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
* Passed: crm_attribute - l33t-haxor: Set stonith-enabled
=#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#=
pcmk__check_acl trace: Parent ACL denies user 'l33t-haxor' read/write access to /cib/configuration/resources/primitive[@id='dummy']
pcmk__apply_creation_acl trace: ACLs disallow creation of with id="dummy"
Call failed: Permission denied
=#=#=#= End test: l33t-haxor: Create a resource - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - l33t-haxor: Create a resource
=#=#=#= Begin test: niceguy: Query configuration =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#=
* Passed: cibadmin - niceguy: Query configuration
=#=#=#= Begin test: niceguy: Set enable-acl =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
Error performing operation: Permission denied
Error setting enable-acl=false (section=crm_config, set=): Permission denied
=#=#=#= End test: niceguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
* Passed: crm_attribute - niceguy: Set enable-acl
=#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#=
pcmk__apply_creation_acl trace: ACLs allow creation of with id="cib-bootstrap-options-stonith-enabled"
=#=#=#= Current cib after: niceguy: Set stonith-enabled =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#=
* Passed: crm_attribute - niceguy: Set stonith-enabled
=#=#=#= Begin test: niceguy: Create a resource =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy']
pcmk__apply_creation_acl trace: ACLs disallow creation of with id="dummy"
Call failed: Permission denied
=#=#=#= End test: niceguy: Create a resource - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - niceguy: Create a resource
=#=#=#= Begin test: root: Query configuration =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= End test: root: Query configuration - OK (0) =#=#=#=
* Passed: cibadmin - root: Query configuration
=#=#=#= Begin test: root: Set stonith-enabled =#=#=#=
=#=#=#= Current cib after: root: Set stonith-enabled =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#=
* Passed: crm_attribute - root: Set stonith-enabled
=#=#=#= Begin test: root: Create a resource =#=#=#=
=#=#=#= Current cib after: root: Create a resource =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= End test: root: Create a resource - OK (0) =#=#=#=
* Passed: cibadmin - root: Create a resource
=#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Create a resource meta attribute - Insufficient privileges (4) =#=#=#=
* Passed: crm_resource - l33t-haxor: Create a resource meta attribute
=#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Query a resource meta attribute - Insufficient privileges (4) =#=#=#=
* Passed: crm_resource - l33t-haxor: Query a resource meta attribute
=#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#=
Error performing operation: Permission denied
=#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Insufficient privileges (4) =#=#=#=
* Passed: crm_resource - l33t-haxor: Remove a resource meta attribute
=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
pcmk__apply_creation_acl trace: Creation of scaffolding with id="dummy-meta_attributes" is implicitly allowed
pcmk__apply_creation_acl trace: ACLs allow creation of with id="dummy-meta_attributes-target-role"
Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Stopped
=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Create a resource meta attribute
=#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#=
unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
Stopped
=#=#=#= Current cib after: niceguy: Query a resource meta attribute =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Query a resource meta attribute
=#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#=
unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role
=#=#=#= Current cib after: niceguy: Remove a resource meta attribute =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Remove a resource meta attribute
=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
pcmk__apply_creation_acl trace: ACLs allow creation of with id="dummy-meta_attributes-target-role"
Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Started
=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Create a resource meta attribute
=#=#=#= Begin test: badidea: Query configuration - implied deny =#=#=#=
=#=#=#= End test: badidea: Query configuration - implied deny - OK (0) =#=#=#=
* Passed: cibadmin - badidea: Query configuration - implied deny
=#=#=#= Begin test: betteridea: Query configuration - explicit deny =#=#=#=
=#=#=#= End test: betteridea: Query configuration - explicit deny - OK (0) =#=#=#=
* Passed: cibadmin - betteridea: Query configuration - explicit deny
=#=#=#= Begin test: niceguy: Replace - remove acls =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/acls
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - remove acls - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - niceguy: Replace - remove acls
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= Begin test: niceguy: Replace - create resource =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy2']
pcmk__apply_creation_acl trace: ACLs disallow creation of with id="dummy2"
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - create resource - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - niceguy: Replace - create resource
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - modify attribute (deny) - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - niceguy: Replace - modify attribute (deny)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - delete attribute (deny) - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - niceguy: Replace - delete attribute (deny)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
=#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#=
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
Call failed: Permission denied
=#=#=#= End test: niceguy: Replace - create attribute (deny) - Insufficient privileges (4) =#=#=#=
* Passed: cibadmin - niceguy: Replace - create attribute (deny)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= Begin test: bob: Replace - create attribute (allow) =#=#=#=
-=#=#=#= End test: bob: Replace - create attribute (allow) - OK (0) =#=#=#=
-* Passed: cibadmin - bob: Replace - create attribute (allow)
+=#=#=#= Begin test: bob: Replace - create attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - create attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin - bob: Replace - create attribute (direct allow)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= Begin test: bob: Replace - modify attribute (allow) =#=#=#=
-=#=#=#= End test: bob: Replace - modify attribute (allow) - OK (0) =#=#=#=
-* Passed: cibadmin - bob: Replace - modify attribute (allow)
+=#=#=#= Begin test: bob: Replace - modify attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - modify attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin - bob: Replace - modify attribute (direct allow)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= Begin test: bob: Replace - delete attribute (allow) =#=#=#=
-=#=#=#= End test: bob: Replace - delete attribute (allow) - OK (0) =#=#=#=
-* Passed: cibadmin - bob: Replace - delete attribute (allow)
-
-
- !#!#!#!#! Upgrading to latest CIB schema and re-testing !#!#!#!#!
-=#=#=#= Begin test: root: Upgrade to latest CIB schema =#=#=#=
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="observer-read-1"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="observer-write-1"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="observer-write-2"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="admin-read-1"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="admin-write-1"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="l33t-haxor"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="auto-l33t-haxor"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="auto-l33t-haxor"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="crook-nothing"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="niceguy"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="observer"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="bob"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="admin"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="badidea"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="auto-badidea"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="auto-badidea"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="badidea-resources"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="betteridea"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="auto-betteridea"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="auto-betteridea"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="betteridea-nothing"
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="betteridea-resources"
-=#=#=#= Current cib after: root: Upgrade to latest CIB schema =#=#=#=
-
+=#=#=#= Begin test: bob: Replace - delete attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - delete attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin - bob: Replace - delete attribute (direct allow)
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
+
-
-
+
+
-
-
-
-
-
+
+
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= End test: root: Upgrade to latest CIB schema - OK (0) =#=#=#=
-* Passed: cibadmin - root: Upgrade to latest CIB schema
-=#=#=#= Begin test: unknownguy: Query configuration =#=#=#=
-Call failed: Permission denied
-=#=#=#= End test: unknownguy: Query configuration - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - unknownguy: Query configuration
-=#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: unknownguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
-* Passed: crm_attribute - unknownguy: Set enable-acl
-=#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: unknownguy: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
-* Passed: crm_attribute - unknownguy: Set stonith-enabled
-=#=#=#= Begin test: unknownguy: Create a resource =#=#=#=
-pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@id]
-pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@class]
-pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@provider]
-pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@type]
-pcmk__apply_creation_acl trace: Creation of scaffolding with id="" is implicitly allowed
-Call failed: Permission denied
-=#=#=#= End test: unknownguy: Create a resource - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - unknownguy: Create a resource
-=#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#=
-Call failed: Permission denied
-=#=#=#= End test: l33t-haxor: Query configuration - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - l33t-haxor: Query configuration
-=#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: l33t-haxor: Set enable-acl - Insufficient privileges (4) =#=#=#=
-* Passed: crm_attribute - l33t-haxor: Set enable-acl
-=#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: l33t-haxor: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
-* Passed: crm_attribute - l33t-haxor: Set stonith-enabled
-=#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#=
-pcmk__check_acl trace: Parent ACL denies user 'l33t-haxor' read/write access to /cib/configuration/resources/primitive[@id='dummy']
-pcmk__apply_creation_acl trace: ACLs disallow creation of with id="dummy"
-Call failed: Permission denied
-=#=#=#= End test: l33t-haxor: Create a resource - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - l33t-haxor: Create a resource
+=#=#=#= Begin test: joe: Replace - create attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - create attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin - joe: Replace - create attribute (inherited allow)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= Begin test: joe: Replace - modify attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - modify attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin - joe: Replace - modify attribute (inherited allow)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= Begin test: joe: Replace - delete attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - delete attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin - joe: Replace - delete attribute (inherited allow)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= Begin test: mike: Replace - create attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - create attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin - mike: Replace - create attribute (allow overrides deny)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= Begin test: mike: Replace - modify attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - modify attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin - mike: Replace - modify attribute (allow overrides deny)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= Begin test: mike: Replace - delete attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - delete attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin - mike: Replace - delete attribute (allow overrides deny)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= Begin test: chris: Replace - create attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - create attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - chris: Replace - create attribute (deny overrides allow)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= Begin test: chris: Replace - modify attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - modify attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - chris: Replace - modify attribute (deny overrides allow)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= Begin test: chris: Replace - delete attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy']
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - delete attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - chris: Replace - delete attribute (deny overrides allow)
+
+
+ !#!#!#!#! Upgrading to latest CIB schema and re-testing !#!#!#!#!
+=#=#=#= Begin test: root: Upgrade to latest CIB schema =#=#=#=
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="observer-read-1"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="observer-write-1"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="observer-write-2"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="admin-read-1"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="admin-write-1"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="super_user-write-1"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="rsc-writer-deny-1"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="rsc-writer-write-1"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="rsc-denied-write-1"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="rsc-denied-deny-1"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="l33t-haxor"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="auto-l33t-haxor"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="auto-l33t-haxor"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="crook-nothing"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="niceguy"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="observer"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="bob"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="admin"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="joe"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="super_user"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="mike"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="rsc_writer"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="chris"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="rsc_denied"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="badidea"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="auto-badidea"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="auto-badidea"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="badidea-resources"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="betteridea"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="auto-betteridea"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="auto-betteridea"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="betteridea-nothing"
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="betteridea-resources"
+=#=#=#= Current cib after: root: Upgrade to latest CIB schema =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= End test: root: Upgrade to latest CIB schema - OK (0) =#=#=#=
+* Passed: cibadmin - root: Upgrade to latest CIB schema
+=#=#=#= Begin test: unknownguy: Query configuration =#=#=#=
+Call failed: Permission denied
+=#=#=#= End test: unknownguy: Query configuration - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - unknownguy: Query configuration
+=#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: unknownguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - unknownguy: Set enable-acl
+=#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: unknownguy: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - unknownguy: Set stonith-enabled
+=#=#=#= Begin test: unknownguy: Create a resource =#=#=#=
+pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@id]
+pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@class]
+pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@provider]
+pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@type]
+pcmk__apply_creation_acl trace: Creation of scaffolding with id="" is implicitly allowed
+Call failed: Permission denied
+=#=#=#= End test: unknownguy: Create a resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - unknownguy: Create a resource
+=#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#=
+Call failed: Permission denied
+=#=#=#= End test: l33t-haxor: Query configuration - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - l33t-haxor: Query configuration
+=#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Set enable-acl - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - l33t-haxor: Set enable-acl
+=#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - l33t-haxor: Set stonith-enabled
+=#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'l33t-haxor' read/write access to /cib/configuration/resources/primitive[@id='dummy']
+pcmk__apply_creation_acl trace: ACLs disallow creation of with id="dummy"
+Call failed: Permission denied
+=#=#=#= End test: l33t-haxor: Create a resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - l33t-haxor: Create a resource
=#=#=#= Begin test: niceguy: Query configuration =#=#=#=
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#=
+* Passed: cibadmin - niceguy: Query configuration
+=#=#=#= Begin test: niceguy: Set enable-acl =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
+Error performing operation: Permission denied
+Error setting enable-acl=false (section=crm_config, set=): Permission denied
+=#=#=#= End test: niceguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - niceguy: Set enable-acl
+=#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#=
+=#=#=#= Current cib after: niceguy: Set stonith-enabled =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#=
+* Passed: crm_attribute - niceguy: Set stonith-enabled
+=#=#=#= Begin test: niceguy: Create a resource =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy']
+pcmk__apply_creation_acl trace: ACLs disallow creation of with id="dummy"
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Create a resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Create a resource
+=#=#=#= Begin test: root: Query configuration =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= End test: root: Query configuration - OK (0) =#=#=#=
+* Passed: cibadmin - root: Query configuration
+=#=#=#= Begin test: root: Set stonith-enabled =#=#=#=
+=#=#=#= Current cib after: root: Set stonith-enabled =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#=
+* Passed: crm_attribute - root: Set stonith-enabled
+=#=#=#= Begin test: root: Create a resource =#=#=#=
+=#=#=#= Current cib after: root: Create a resource =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= End test: root: Create a resource - OK (0) =#=#=#=
+* Passed: cibadmin - root: Create a resource
+=#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Create a resource meta attribute - Insufficient privileges (4) =#=#=#=
+* Passed: crm_resource - l33t-haxor: Create a resource meta attribute
+=#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Query a resource meta attribute - Insufficient privileges (4) =#=#=#=
+* Passed: crm_resource - l33t-haxor: Query a resource meta attribute
+=#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Insufficient privileges (4) =#=#=#=
+* Passed: crm_resource - l33t-haxor: Remove a resource meta attribute
+=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
+unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+pcmk__apply_creation_acl trace: Creation of scaffolding with id="dummy-meta_attributes" is implicitly allowed
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="dummy-meta_attributes-target-role"
+Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Stopped
+=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Create a resource meta attribute
+=#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#=
+unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+Stopped
+=#=#=#= Current cib after: niceguy: Query a resource meta attribute =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Query a resource meta attribute
+=#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#=
+unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role
+=#=#=#= Current cib after: niceguy: Remove a resource meta attribute =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Remove a resource meta attribute
+=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
+unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+pcmk__apply_creation_acl trace: ACLs allow creation of with id="dummy-meta_attributes-target-role"
+Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Started
+=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Create a resource meta attribute
+=#=#=#= Begin test: badidea: Query configuration - implied deny =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= End test: badidea: Query configuration - implied deny - OK (0) =#=#=#=
+* Passed: cibadmin - badidea: Query configuration - implied deny
+=#=#=#= Begin test: betteridea: Query configuration - explicit deny =#=#=#=
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= End test: betteridea: Query configuration - explicit deny - OK (0) =#=#=#=
+* Passed: cibadmin - betteridea: Query configuration - explicit deny
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= Begin test: niceguy: Replace - remove acls =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/acls
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - remove acls - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - remove acls
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#=
-* Passed: cibadmin - niceguy: Query configuration
-=#=#=#= Begin test: niceguy: Set enable-acl =#=#=#=
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
-Error performing operation: Permission denied
-Error setting enable-acl=false (section=crm_config, set=): Permission denied
-=#=#=#= End test: niceguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
-* Passed: crm_attribute - niceguy: Set enable-acl
-=#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#=
-=#=#=#= Current cib after: niceguy: Set stonith-enabled =#=#=#=
-
+=#=#=#= Begin test: niceguy: Replace - create resource =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy2']
+pcmk__apply_creation_acl trace: ACLs disallow creation of with id="dummy2"
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - create resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - create resource
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#=
-* Passed: crm_attribute - niceguy: Set stonith-enabled
-=#=#=#= Begin test: niceguy: Create a resource =#=#=#=
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy']
-pcmk__apply_creation_acl trace: ACLs disallow creation of with id="dummy"
+=#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
Call failed: Permission denied
-=#=#=#= End test: niceguy: Create a resource - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - niceguy: Create a resource
-=#=#=#= Begin test: root: Query configuration =#=#=#=
-
+=#=#=#= End test: niceguy: Replace - modify attribute (deny) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - modify attribute (deny)
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= End test: root: Query configuration - OK (0) =#=#=#=
-* Passed: cibadmin - root: Query configuration
-=#=#=#= Begin test: root: Set stonith-enabled =#=#=#=
-=#=#=#= Current cib after: root: Set stonith-enabled =#=#=#=
-
+=#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - delete attribute (deny) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - delete attribute (deny)
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#=
-* Passed: crm_attribute - root: Set stonith-enabled
-=#=#=#= Begin test: root: Create a resource =#=#=#=
-=#=#=#= Current cib after: root: Create a resource =#=#=#=
-
+=#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - create attribute (deny) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - create attribute (deny)
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-=#=#=#= End test: root: Create a resource - OK (0) =#=#=#=
-* Passed: cibadmin - root: Create a resource
-=#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: l33t-haxor: Create a resource meta attribute - Insufficient privileges (4) =#=#=#=
-* Passed: crm_resource - l33t-haxor: Create a resource meta attribute
-=#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: l33t-haxor: Query a resource meta attribute - Insufficient privileges (4) =#=#=#=
-* Passed: crm_resource - l33t-haxor: Query a resource meta attribute
-=#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Insufficient privileges (4) =#=#=#=
-* Passed: crm_resource - l33t-haxor: Remove a resource meta attribute
-=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
-unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
-unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
-unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
-pcmk__apply_creation_acl trace: Creation of scaffolding with id="dummy-meta_attributes" is implicitly allowed
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="dummy-meta_attributes-target-role"
-Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Stopped
-=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+=#=#=#= Begin test: bob: Replace - create attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - create attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin - bob: Replace - create attribute (direct allow)
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
-* Passed: crm_resource - niceguy: Create a resource meta attribute
-=#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#=
-unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
-unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
-unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
-Stopped
-=#=#=#= Current cib after: niceguy: Query a resource meta attribute =#=#=#=
-
+=#=#=#= Begin test: bob: Replace - modify attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - modify attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin - bob: Replace - modify attribute (direct allow)
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#=
-* Passed: crm_resource - niceguy: Query a resource meta attribute
-=#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#=
-unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
-unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
-unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
-Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role
-=#=#=#= Current cib after: niceguy: Remove a resource meta attribute =#=#=#=
-
+=#=#=#= Begin test: bob: Replace - delete attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - delete attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin - bob: Replace - delete attribute (direct allow)
+
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#=
-* Passed: crm_resource - niceguy: Remove a resource meta attribute
-=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
-unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
-unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
-unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
-pcmk__apply_creation_acl trace: ACLs allow creation of with id="dummy-meta_attributes-target-role"
-Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Started
-=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
-
+=#=#=#= Begin test: joe: Replace - create attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - create attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin - joe: Replace - create attribute (inherited allow)
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
-* Passed: crm_resource - niceguy: Create a resource meta attribute
-=#=#=#= Begin test: badidea: Query configuration - implied deny =#=#=#=
-
-
-
-
-
-
-
-
-
-
-
-=#=#=#= End test: badidea: Query configuration - implied deny - OK (0) =#=#=#=
-* Passed: cibadmin - badidea: Query configuration - implied deny
-=#=#=#= Begin test: betteridea: Query configuration - explicit deny =#=#=#=
-
-
-
-
-
-
-
-
-
-
-
-=#=#=#= End test: betteridea: Query configuration - explicit deny - OK (0) =#=#=#=
-* Passed: cibadmin - betteridea: Query configuration - explicit deny
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-=#=#=#= Begin test: niceguy: Replace - remove acls =#=#=#=
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/acls
-Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - remove acls - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - niceguy: Replace - remove acls
-
+=#=#=#= Begin test: joe: Replace - modify attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - modify attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin - joe: Replace - modify attribute (inherited allow)
+
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= Begin test: niceguy: Replace - create resource =#=#=#=
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy2']
-pcmk__apply_creation_acl trace: ACLs disallow creation of with id="dummy2"
-Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - create resource - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - niceguy: Replace - create resource
-
+=#=#=#= Begin test: joe: Replace - delete attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - delete attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin - joe: Replace - delete attribute (inherited allow)
+
-
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#=
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
-Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - modify attribute (deny) - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - niceguy: Replace - modify attribute (deny)
-
+=#=#=#= Begin test: mike: Replace - create attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - create attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin - mike: Replace - create attribute (allow overrides deny)
+
-
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#=
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']
-Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - delete attribute (deny) - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - niceguy: Replace - delete attribute (deny)
-
+=#=#=#= Begin test: mike: Replace - modify attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - modify attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin - mike: Replace - modify attribute (allow overrides deny)
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#=
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
-pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
-Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - create attribute (deny) - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin - niceguy: Replace - create attribute (deny)
-
+=#=#=#= Begin test: mike: Replace - delete attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - delete attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin - mike: Replace - delete attribute (allow overrides deny)
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= Begin test: bob: Replace - create attribute (allow) =#=#=#=
-=#=#=#= End test: bob: Replace - create attribute (allow) - OK (0) =#=#=#=
-* Passed: cibadmin - bob: Replace - create attribute (allow)
-
+=#=#=#= Begin test: chris: Replace - create attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - create attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - chris: Replace - create attribute (deny overrides allow)
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= Begin test: bob: Replace - modify attribute (allow) =#=#=#=
-=#=#=#= End test: bob: Replace - modify attribute (allow) - OK (0) =#=#=#=
-* Passed: cibadmin - bob: Replace - modify attribute (allow)
-
+=#=#=#= Begin test: chris: Replace - modify attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - modify attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - chris: Replace - modify attribute (deny overrides allow)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-=#=#=#= Begin test: bob: Replace - delete attribute (allow) =#=#=#=
-=#=#=#= End test: bob: Replace - delete attribute (allow) - OK (0) =#=#=#=
-* Passed: cibadmin - bob: Replace - delete attribute (allow)
+=#=#=#= Begin test: chris: Replace - delete attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy']
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - delete attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - chris: Replace - delete attribute (deny overrides allow)
diff --git a/cts/cts-cli.in b/cts/cts-cli.in
index 8507d6290d..62e5698a6b 100755
--- a/cts/cts-cli.in
+++ b/cts/cts-cli.in
@@ -1,1394 +1,1510 @@
#!@BASH_PATH@
#
# Copyright 2008-2020 the Pacemaker project contributors
#
# The version control history for this file may have further details.
#
# This source code is licensed under the GNU General Public License version 2
# or later (GPLv2+) WITHOUT ANY WARRANTY.
#
#
# Note on portable usage of sed: GNU/POSIX/*BSD sed have a limited subset of
# compatible functionality. Do not use the -i option, alternation (\|),
# \0, or character sequences such as \n or \s.
#
USAGE_TEXT="Usage: cts-cli []
Options:
--help Display this text, then exit
-V, --verbose Display any differences from expected output
-t 'TEST [...]' Run only specified tests (default: 'dates tools crm_mon acls validity upgrade rules')
-p DIR Look for executables in DIR (may be specified multiple times)
-v, --valgrind Run all commands under valgrind
-s Save actual output as expected output"
# If readlink supports -e (i.e. GNU), use it
readlink -e / >/dev/null 2>/dev/null
if [ $? -eq 0 ]; then
test_home="$(dirname "$(readlink -e "$0")")"
else
test_home="$(dirname "$0")"
fi
: ${shadow=cts-cli}
shadow_dir=$(mktemp -d ${TMPDIR:-/tmp}/cts-cli.shadow.XXXXXXXXXX)
num_errors=0
num_passed=0
verbose=0
tests="dates tools crm_mon acls validity upgrade rules"
do_save=0
VALGRIND_CMD=
VALGRIND_OPTS="
-q
--gen-suppressions=all
--show-reachable=no
--leak-check=full
--trace-children=no
--time-stamp=yes
--num-callers=20
--suppressions=$test_home/valgrind-pcmk.suppressions
"
# These constants must track crm_exit_t values
CRM_EX_OK=0
CRM_EX_ERROR=1
CRM_EX_INVALID_PARAM=2
CRM_EX_UNIMPLEMENT_FEATURE=3
CRM_EX_INSUFFICIENT_PRIV=4
CRM_EX_USAGE=64
CRM_EX_CONFIG=78
CRM_EX_OLD=103
CRM_EX_DIGEST=104
CRM_EX_NOSUCH=105
CRM_EX_UNSAFE=107
CRM_EX_EXISTS=108
CRM_EX_MULTIPLE=109
CRM_EX_EXPIRED=110
CRM_EX_NOT_YET_IN_EFFECT=111
function test_assert() {
target=$1; shift
cib=$1; shift
app=`echo "$cmd" | sed 's/\ .*//'`
printf "* Running: $app - $desc\n" 1>&2
printf "=#=#=#= Begin test: $desc =#=#=#=\n"
eval $VALGRIND_CMD $cmd 2>&1
rc=$?
if [ x$cib != x0 ]; then
printf "=#=#=#= Current cib after: $desc =#=#=#=\n"
CIB_user=root cibadmin -Q
fi
printf "=#=#=#= End test: $desc - $(crm_error --exit $rc) ($rc) =#=#=#=\n"
if [ $rc -ne $target ]; then
num_errors=$(( $num_errors + 1 ))
printf "* Failed (rc=%.3d): %-14s - %s\n" $rc $app "$desc"
printf "* Failed (rc=%.3d): %-14s - %s\n" $rc $app "$desc (`which $app`)" 1>&2
return
exit $CRM_EX_ERROR
else
printf "* Passed: %-14s - %s\n" $app "$desc"
num_passed=$(( $num_passed + 1 ))
fi
}
function test_crm_mon() {
export CIB_file="$test_home/cli/crm_mon.xml"
desc="Basic text output"
cmd="crm_mon -1"
test_assert $CRM_EX_OK 0
desc="XML output"
cmd="crm_mon --output-as=xml"
test_assert $CRM_EX_OK 0
desc="Basic text output without node section"
cmd="crm_mon -1 --exclude=nodes"
test_assert $CRM_EX_OK 0
desc="XML output without the node section"
cmd="crm_mon --output-as=xml --exclude=nodes"
test_assert $CRM_EX_OK 0
desc="Text output with only the node section"
cmd="crm_mon -1 --exclude=all --include=nodes"
test_assert $CRM_EX_OK 0
# The above test doesn't need to be performed for other output formats. It's
# really just a test to make sure that blank lines are correct.
desc="Complete text output"
cmd="crm_mon -1 --include=all"
test_assert $CRM_EX_OK 0
# XML includes everything already so there's no need for a complete test
desc="Complete text output with detail"
cmd="crm_mon -1R --include=all"
test_assert $CRM_EX_OK 0
# XML includes detailed output already
desc="Complete brief text output"
cmd="crm_mon -1 --include=all --brief"
test_assert $CRM_EX_OK 0
desc="Complete text output grouped by node"
cmd="crm_mon -1 --include=all --group-by-node"
test_assert $CRM_EX_OK 0
# XML does not have a brief output option
desc="Complete brief text output grouped by node"
cmd="crm_mon -1 --include=all --group-by-node --brief"
test_assert $CRM_EX_OK 0
desc="XML output grouped by node"
cmd="crm_mon -1 --output-as=xml --group-by-node"
test_assert $CRM_EX_OK 0
desc="Complete text output filtered by node"
cmd="crm_mon -1 --include=all --node=cluster01"
test_assert $CRM_EX_OK 0
desc="XML output filtered by node"
cmd="crm_mon --output-as xml --include=all --node=cluster01"
test_assert $CRM_EX_OK 0
desc="Complete text output filtered by tag"
cmd="crm_mon -1 --include=all --node=even-nodes"
test_assert $CRM_EX_OK 0
desc="XML output filtered by tag"
cmd="crm_mon --output-as=xml --include=all --node=even-nodes"
test_assert $CRM_EX_OK 0
desc="Basic text output filtered by node that doesn't exist"
cmd="crm_mon -1 --node=blah"
test_assert $CRM_EX_OK 0
desc="XML output filtered by node that doesn't exist"
cmd="crm_mon --output-as=xml --node=blah"
test_assert $CRM_EX_OK 0
desc="Basic text output with inactive resources"
cmd="crm_mon -1 -r"
test_assert $CRM_EX_OK 0
# XML already includes inactive resources
desc="Basic text output with inactive resources, filtered by node"
cmd="crm_mon -1 -r --node=cluster02"
test_assert $CRM_EX_OK 0
# XML already includes inactive resources
unset CIB_file
export CIB_file="$test_home/cli/crm_mon-partial.xml"
desc="Text output of partially active resources"
cmd="crm_mon -1"
test_assert $CRM_EX_OK 0
desc="XML output of partially active resources"
cmd="crm_mon -1 --output-as=xml"
test_assert $CRM_EX_OK 0
desc="Text output of partially active resources, with inactive resources"
cmd="crm_mon -1 -r"
test_assert $CRM_EX_OK 0
# XML already includes inactive resources
desc="Text output of partially active resources, with inactive resources, filtered by node"
cmd="crm_mon -1 -r --node=cluster01"
test_assert $CRM_EX_OK 0
desc="Text output of partially active resources, filtered by node"
cmd="crm_mon -1 --output-as=xml --node=cluster01"
test_assert $CRM_EX_OK 0
unset CIB_file
}
function test_tools() {
local TMPXML
local TMPORIG
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
TMPORIG=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.existing.xml.XXXXXXXXXX)
export CIB_shadow_dir="${shadow_dir}"
$VALGRIND_CMD crm_shadow --batch --force --create-empty $shadow 2>&1
export CIB_shadow=$shadow
desc="Validate CIB"
cmd="cibadmin -Q"
test_assert $CRM_EX_OK
desc="Configure something before erasing"
cmd="crm_attribute -n cluster-delay -v 60s"
test_assert $CRM_EX_OK
desc="Require --force for CIB erasure"
cmd="cibadmin -E"
test_assert $CRM_EX_UNSAFE
desc="Allow CIB erasure with --force"
cmd="cibadmin -E --force"
test_assert $CRM_EX_OK
desc="Query CIB"
cmd="cibadmin -Q > $TMPORIG"
test_assert $CRM_EX_OK
desc="Set cluster option"
cmd="crm_attribute -n cluster-delay -v 60s"
test_assert $CRM_EX_OK
desc="Query new cluster option"
cmd="cibadmin -Q -o crm_config | grep cib-bootstrap-options-cluster-delay"
test_assert $CRM_EX_OK
desc="Query cluster options"
cmd="cibadmin -Q -o crm_config > $TMPXML"
test_assert $CRM_EX_OK
desc="Set no-quorum policy"
cmd="crm_attribute -n no-quorum-policy -v ignore"
test_assert $CRM_EX_OK
desc="Delete nvpair"
cmd="cibadmin -D -o crm_config --xml-text ''"
test_assert $CRM_EX_OK
desc="Create operation should fail"
cmd="cibadmin -C -o crm_config --xml-file $TMPXML"
test_assert $CRM_EX_EXISTS
desc="Modify cluster options section"
cmd="cibadmin -M -o crm_config --xml-file $TMPXML"
test_assert $CRM_EX_OK
desc="Query updated cluster option"
cmd="cibadmin -Q -o crm_config | grep cib-bootstrap-options-cluster-delay"
test_assert $CRM_EX_OK
desc="Set duplicate cluster option"
cmd="crm_attribute -n cluster-delay -v 40s -s duplicate"
test_assert $CRM_EX_OK
desc="Setting multiply defined cluster option should fail"
cmd="crm_attribute -n cluster-delay -v 30s"
test_assert $CRM_EX_MULTIPLE
desc="Set cluster option with -s"
cmd="crm_attribute -n cluster-delay -v 30s -s duplicate"
test_assert $CRM_EX_OK
desc="Delete cluster option with -i"
cmd="crm_attribute -n cluster-delay -D -i cib-bootstrap-options-cluster-delay"
test_assert $CRM_EX_OK
desc="Create node1 and bring it online"
cmd="crm_simulate --live-check --in-place --node-up=node1"
test_assert $CRM_EX_OK
desc="Create node attribute"
cmd="crm_attribute -n ram -v 1024M -N node1 -t nodes"
test_assert $CRM_EX_OK
desc="Query new node attribute"
cmd="cibadmin -Q -o nodes | grep node1-ram"
test_assert $CRM_EX_OK
desc="Set a transient (fail-count) node attribute"
cmd="crm_attribute -n fail-count-foo -v 3 -N node1 -t status"
test_assert $CRM_EX_OK
desc="Query a fail count"
cmd="crm_failcount --query -r foo -N node1"
test_assert $CRM_EX_OK
desc="Delete a transient (fail-count) node attribute"
cmd="crm_attribute -n fail-count-foo -D -N node1 -t status"
test_assert $CRM_EX_OK
desc="Digest calculation"
cmd="cibadmin -Q | cibadmin -5 -p 2>&1 > /dev/null"
test_assert $CRM_EX_OK
# This update will fail because it has version numbers
desc="Replace operation should fail"
cmd="cibadmin -R --xml-file $TMPORIG"
test_assert $CRM_EX_OLD
desc="Default standby value"
cmd="crm_standby -N node1 -G"
test_assert $CRM_EX_OK
desc="Set standby status"
cmd="crm_standby -N node1 -v true"
test_assert $CRM_EX_OK
desc="Query standby value"
cmd="crm_standby -N node1 -G"
test_assert $CRM_EX_OK
desc="Delete standby value"
cmd="crm_standby -N node1 -D"
test_assert $CRM_EX_OK
desc="Create a resource"
cmd="cibadmin -C -o resources --xml-text ''"
test_assert $CRM_EX_OK
desc="Create a resource meta attribute"
cmd="crm_resource -r dummy --meta -p is-managed -v false"
test_assert $CRM_EX_OK
desc="Query a resource meta attribute"
cmd="crm_resource -r dummy --meta -g is-managed"
test_assert $CRM_EX_OK
desc="Remove a resource meta attribute"
cmd="crm_resource -r dummy --meta -d is-managed"
test_assert $CRM_EX_OK
desc="Create another resource meta attribute"
cmd="crm_resource -r dummy --meta -p target-role -v Stopped"
test_assert $CRM_EX_OK 0
desc="Show why a resource is not running"
cmd="crm_resource -Y -r dummy"
test_assert $CRM_EX_OK 0
desc="Remove another resource meta attribute"
cmd="crm_resource -r dummy --meta -d target-role"
test_assert $CRM_EX_OK 0
desc="Create a resource attribute"
cmd="crm_resource -r dummy -p delay -v 10s"
test_assert $CRM_EX_OK
desc="List the configured resources"
cmd="crm_resource -L"
test_assert $CRM_EX_OK
desc="List IDs of instantiated resources"
cmd="crm_resource -l"
test_assert $CRM_EX_OK 0
desc="Show XML configuration of resource"
cmd="crm_resource -q -r dummy"
test_assert $CRM_EX_OK 0
desc="Require a destination when migrating a resource that is stopped"
cmd="crm_resource -r dummy -M"
test_assert $CRM_EX_USAGE
desc="Don't support migration to non-existent locations"
cmd="crm_resource -r dummy -M -N i.do.not.exist"
test_assert $CRM_EX_NOSUCH
desc="Create a fencing resource"
cmd="cibadmin -C -o resources --xml-text ''"
test_assert $CRM_EX_OK
desc="Bring resources online"
cmd="crm_simulate --live-check --in-place -S"
test_assert $CRM_EX_OK
desc="Try to move a resource to its existing location"
cmd="crm_resource -r dummy --move --node node1"
test_assert $CRM_EX_EXISTS
desc="Move a resource from its existing location"
cmd="crm_resource -r dummy --move"
test_assert $CRM_EX_OK
desc="Clear out constraints generated by --move"
cmd="crm_resource -r dummy --clear"
test_assert $CRM_EX_OK
desc="Default ticket granted state"
cmd="crm_ticket -t ticketA -G granted -d false"
test_assert $CRM_EX_OK
desc="Set ticket granted state"
cmd="crm_ticket -t ticketA -r --force"
test_assert $CRM_EX_OK
desc="Query ticket granted state"
cmd="crm_ticket -t ticketA -G granted"
test_assert $CRM_EX_OK
desc="Delete ticket granted state"
cmd="crm_ticket -t ticketA -D granted --force"
test_assert $CRM_EX_OK
desc="Make a ticket standby"
cmd="crm_ticket -t ticketA -s"
test_assert $CRM_EX_OK
desc="Query ticket standby state"
cmd="crm_ticket -t ticketA -G standby"
test_assert $CRM_EX_OK
desc="Activate a ticket"
cmd="crm_ticket -t ticketA -a"
test_assert $CRM_EX_OK
desc="Delete ticket standby state"
cmd="crm_ticket -t ticketA -D standby"
test_assert $CRM_EX_OK
desc="Ban a resource on unknown node"
cmd="crm_resource -r dummy -B -N host1"
test_assert $CRM_EX_NOSUCH
desc="Create two more nodes and bring them online"
cmd="crm_simulate --live-check --in-place --node-up=node2 --node-up=node3"
test_assert $CRM_EX_OK
desc="Ban dummy from node1"
cmd="crm_resource -r dummy -B -N node1"
test_assert $CRM_EX_OK
desc="Show where a resource is running"
cmd="crm_resource -r dummy -W"
test_assert $CRM_EX_OK 0
desc="Show constraints on a resource"
cmd="crm_resource -a -r dummy"
test_assert $CRM_EX_OK 0
desc="Ban dummy from node2"
cmd="crm_resource -r dummy -B -N node2"
test_assert $CRM_EX_OK
desc="Relocate resources due to ban"
cmd="crm_simulate --live-check --in-place -S"
test_assert $CRM_EX_OK
desc="Move dummy to node1"
cmd="crm_resource -r dummy -M -N node1"
test_assert $CRM_EX_OK
desc="Clear implicit constraints for dummy on node2"
cmd="crm_resource -r dummy -U -N node2"
test_assert $CRM_EX_OK
desc="Drop the status section"
cmd="cibadmin -R -o status --xml-text ''"
test_assert $CRM_EX_OK 0
desc="Create a clone"
cmd="cibadmin -C -o resources --xml-text ''"
test_assert $CRM_EX_OK 0
desc="Create a resource meta attribute"
cmd="crm_resource -r test-primitive --meta -p is-managed -v false"
test_assert $CRM_EX_OK
desc="Create a resource meta attribute in the primitive"
cmd="crm_resource -r test-primitive --meta -p is-managed -v false --force"
test_assert $CRM_EX_OK
desc="Update resource meta attribute with duplicates"
cmd="crm_resource -r test-clone --meta -p is-managed -v true"
test_assert $CRM_EX_OK
desc="Update resource meta attribute with duplicates (force clone)"
cmd="crm_resource -r test-clone --meta -p is-managed -v true --force"
test_assert $CRM_EX_OK
desc="Update child resource meta attribute with duplicates"
cmd="crm_resource -r test-primitive --meta -p is-managed -v false"
test_assert $CRM_EX_OK
desc="Delete resource meta attribute with duplicates"
cmd="crm_resource -r test-clone --meta -d is-managed"
test_assert $CRM_EX_OK
desc="Delete resource meta attribute in parent"
cmd="crm_resource -r test-primitive --meta -d is-managed"
test_assert $CRM_EX_OK
desc="Create a resource meta attribute in the primitive"
cmd="crm_resource -r test-primitive --meta -p is-managed -v false --force"
test_assert $CRM_EX_OK
desc="Update existing resource meta attribute"
cmd="crm_resource -r test-clone --meta -p is-managed -v true"
test_assert $CRM_EX_OK
desc="Create a resource meta attribute in the parent"
cmd="crm_resource -r test-clone --meta -p is-managed -v true --force"
test_assert $CRM_EX_OK
desc="Copy resources"
cmd="cibadmin -Q -o resources > $TMPXML"
test_assert $CRM_EX_OK 0
desc="Delete resource parent meta attribute (force)"
cmd="crm_resource -r test-clone --meta -d is-managed --force"
test_assert $CRM_EX_OK
desc="Restore duplicates"
cmd="cibadmin -R -o resources --xml-file $TMPXML"
test_assert $CRM_EX_OK
desc="Delete resource child meta attribute"
cmd="crm_resource -r test-primitive --meta -d is-managed"
test_assert $CRM_EX_OK
cibadmin -C -o resources --xml-text ' \
\
\
'
desc="Create a resource meta attribute in dummy1"
cmd="crm_resource -r dummy1 --meta -p is-managed -v true"
test_assert $CRM_EX_OK
desc="Create a resource meta attribute in dummy-group"
cmd="crm_resource -r dummy-group --meta -p is-managed -v false"
test_assert $CRM_EX_OK
cibadmin -D -o resource --xml-text ''
desc="Specify a lifetime when moving a resource"
cmd="crm_resource -r dummy --move --node node2 --lifetime=PT1H"
test_assert $CRM_EX_OK
desc="Try to move a resource previously moved with a lifetime"
cmd="crm_resource -r dummy --move --node node1"
test_assert $CRM_EX_OK
desc="Ban dummy from node1 for a short time"
cmd="crm_resource -r dummy -B -N node1 --lifetime=PT1S"
test_assert $CRM_EX_OK
desc="Remove expired constraints"
sleep 2
cmd="crm_resource --clear --expired"
test_assert $CRM_EX_OK
# Clear has already been tested elsewhere, but we need to get rid of the
# constraints so testing delete works. It won't delete if there's still
# a reference to the resource somewhere.
desc="Clear all implicit constraints for dummy"
cmd="crm_resource -r dummy -U"
test_assert $CRM_EX_OK
desc="Delete a resource"
cmd="crm_resource -D -r dummy -t primitive"
test_assert $CRM_EX_OK
unset CIB_shadow
unset CIB_shadow_dir
rm -f "$TMPXML" "$TMPORIG"
desc="Create an XML patchset"
cmd="crm_diff -o $test_home/cli/crm_diff_old.xml -n $test_home/cli/crm_diff_new.xml"
test_assert $CRM_EX_ERROR 0
}
INVALID_PERIODS=(
"2019-01-01 00:00:00Z" # Start with no end
"2019-01-01 00:00:00Z/" # Start with only a trailing slash
"PT2S/P1M" # Two durations
"2019-13-01 00:00:00Z/P1M" # Out-of-range month
"20191077T15/P1M" # Out-of-range day
"2019-10-01T25:00:00Z/P1M" # Out-of-range hour
"2019-10-01T24:00:01Z/P1M" # Hour 24 with anything but :00:00
"PT5H/20191001T007000Z" # Out-of-range minute
"2019-10-01 00:00:80Z/P1M" # Out-of-range second
"2019-10-01 00:00:10 +25:00/P1M" # Out-of-range offset hour
"20191001T000010 -00:61/P1M" # Out-of-range offset minute
"P1Y/2019-02-29 00:00:00Z" # Feb. 29 in non-leap-year
"2019-01-01 00:00:00Z/P" # Duration with no values
"P1Z/2019-02-20 00:00:00Z" # Invalid duration unit
"P1YM/2019-02-20 00:00:00Z" # No number for duration unit
)
function test_dates() {
# Ensure invalid period specifications are rejected
for spec in '' "${INVALID_PERIODS[@]}"; do
desc="Invalid period - [$spec]"
cmd="iso8601 -p \"$spec\""
test_assert $CRM_EX_INVALID_PARAM 0
done
desc="2014-01-01 00:30:00 - 1 Hour"
cmd="iso8601 -d '2014-01-01 00:30:00Z' -D P-1H -E '2013-12-31 23:30:00Z'"
test_assert $CRM_EX_OK 0
desc="Valid date - Feb 29 in leap year"
cmd="iso8601 -d '2020-02-29 00:00:00Z' -E '2020-02-29 00:00:00Z'"
test_assert $CRM_EX_OK 0
desc="Valid date - using 'T' and offset"
cmd="iso8601 -d '20191201T131211 -05:00' -E '2019-12-01 18:12:11Z'"
test_assert $CRM_EX_OK 0
desc="24:00:00 equivalent to 00:00:00 of next day"
cmd="iso8601 -d '2019-12-31 24:00:00Z' -E '2020-01-01 00:00:00Z'"
test_assert $CRM_EX_OK 0
for y in 06 07 08 09 10 11 12 13 14 15 16 17 18 40; do
desc="20$y-W01-7"
cmd="iso8601 -d '20$y-W01-7 00Z'"
test_assert $CRM_EX_OK 0
desc="20$y-W01-7 - round-trip"
cmd="iso8601 -d '20$y-W01-7 00Z' -W -E '20$y-W01-7 00:00:00Z'"
test_assert $CRM_EX_OK 0
desc="20$y-W01-1"
cmd="iso8601 -d '20$y-W01-1 00Z'"
test_assert $CRM_EX_OK 0
desc="20$y-W01-1 - round-trip"
cmd="iso8601 -d '20$y-W01-1 00Z' -W -E '20$y-W01-1 00:00:00Z'"
test_assert $CRM_EX_OK 0
done
desc="2009-W53-07"
cmd="iso8601 -d '2009-W53-7 00:00:00Z' -W -E '2009-W53-7 00:00:00Z'"
test_assert $CRM_EX_OK 0
desc="epoch + 2 Years 5 Months 6 Minutes"
cmd="iso8601 -d 'epoch' -D P2Y5MT6M -E '1972-06-01 00:06:00Z'"
test_assert $CRM_EX_OK 0
desc="2009-01-31 + 1 Month"
cmd="iso8601 -d '20090131T000000Z' -D P1M -E '2009-02-28 00:00:00Z'"
test_assert $CRM_EX_OK 0
desc="2009-01-31 + 2 Months"
cmd="iso8601 -d '2009-01-31 00:00:00Z' -D P2M -E '2009-03-31 00:00:00Z'"
test_assert $CRM_EX_OK 0
desc="2009-01-31 + 3 Months"
cmd="iso8601 -d '2009-01-31 00:00:00Z' -D P3M -E '2009-04-30 00:00:00Z'"
test_assert $CRM_EX_OK 0
desc="2009-03-31 - 1 Month"
cmd="iso8601 -d '2009-03-31 01:00:00 +01:00' -D P-1M -E '2009-02-28 00:00:00Z'"
test_assert $CRM_EX_OK 0
desc="2038-01-01 + 3 Months"
cmd="iso8601 -d '2038-01-01 00:00:00Z' -D P3M -E '2038-04-01 00:00:00Z'"
test_assert $CRM_EX_OK 0
}
function test_acl_loop() {
local TMPXML
TMPXML="$1"
# Make sure we're rejecting things for the right reasons
export PCMK_trace_functions=pcmk__check_acl,pcmk__apply_creation_acl
export PCMK_stderr=1
CIB_user=root cibadmin --replace --xml-text ''
+ ### no ACL ###
export CIB_user=unknownguy
desc="$CIB_user: Query configuration"
cmd="cibadmin -Q"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
desc="$CIB_user: Set enable-acl"
cmd="crm_attribute -n enable-acl -v false"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
desc="$CIB_user: Set stonith-enabled"
cmd="crm_attribute -n stonith-enabled -v false"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
desc="$CIB_user: Create a resource"
cmd="cibadmin -C -o resources --xml-text ''"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
+ ### deny /cib permission ###
export CIB_user=l33t-haxor
desc="$CIB_user: Query configuration"
cmd="cibadmin -Q"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
desc="$CIB_user: Set enable-acl"
cmd="crm_attribute -n enable-acl -v false"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
desc="$CIB_user: Set stonith-enabled"
cmd="crm_attribute -n stonith-enabled -v false"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
desc="$CIB_user: Create a resource"
cmd="cibadmin -C -o resources --xml-text ''"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
+ ### observer role ###
export CIB_user=niceguy
desc="$CIB_user: Query configuration"
cmd="cibadmin -Q"
test_assert $CRM_EX_OK 0
desc="$CIB_user: Set enable-acl"
cmd="crm_attribute -n enable-acl -v false"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
desc="$CIB_user: Set stonith-enabled"
cmd="crm_attribute -n stonith-enabled -v false"
test_assert $CRM_EX_OK
desc="$CIB_user: Create a resource"
cmd="cibadmin -C -o resources --xml-text ''"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
export CIB_user=root
desc="$CIB_user: Query configuration"
cmd="cibadmin -Q"
test_assert $CRM_EX_OK 0
desc="$CIB_user: Set stonith-enabled"
cmd="crm_attribute -n stonith-enabled -v true"
test_assert $CRM_EX_OK
desc="$CIB_user: Create a resource"
cmd="cibadmin -C -o resources --xml-text ''"
test_assert $CRM_EX_OK
+ ### deny /cib permission ###
export CIB_user=l33t-haxor
desc="$CIB_user: Create a resource meta attribute"
cmd="crm_resource -r dummy --meta -p target-role -v Stopped"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
desc="$CIB_user: Query a resource meta attribute"
cmd="crm_resource -r dummy --meta -g target-role"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
desc="$CIB_user: Remove a resource meta attribute"
cmd="crm_resource -r dummy --meta -d target-role"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
+ ### observer role ###
export CIB_user=niceguy
desc="$CIB_user: Create a resource meta attribute"
cmd="crm_resource -r dummy --meta -p target-role -v Stopped"
test_assert $CRM_EX_OK
desc="$CIB_user: Query a resource meta attribute"
cmd="crm_resource -r dummy --meta -g target-role"
test_assert $CRM_EX_OK
desc="$CIB_user: Remove a resource meta attribute"
cmd="crm_resource -r dummy --meta -d target-role"
test_assert $CRM_EX_OK
desc="$CIB_user: Create a resource meta attribute"
cmd="crm_resource -r dummy --meta -p target-role -v Started"
test_assert $CRM_EX_OK
+ ### read //meta_attributes ###
export CIB_user=badidea
desc="$CIB_user: Query configuration - implied deny"
cmd="cibadmin -Q"
test_assert $CRM_EX_OK 0
+ ### deny /cib, read //meta_attributes ###
export CIB_user=betteridea
desc="$CIB_user: Query configuration - explicit deny"
cmd="cibadmin -Q"
test_assert $CRM_EX_OK 0
CIB_user=root cibadmin -Q > "$TMPXML"
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --delete --xml-text ''
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+ ### observer role ###
export CIB_user=niceguy
desc="$CIB_user: Replace - remove acls"
cmd="cibadmin --replace --xml-file $TMPXML"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
CIB_user=root cibadmin -Q > "$TMPXML"
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -C -o resources --xml-text ''
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
desc="$CIB_user: Replace - create resource"
cmd="cibadmin --replace --xml-file $TMPXML"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
CIB_user=root cibadmin -Q > "$TMPXML"
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" crm_attribute -n enable-acl -v false
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
desc="$CIB_user: Replace - modify attribute (deny)"
cmd="cibadmin --replace --xml-file $TMPXML"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
CIB_user=root cibadmin -Q > "$TMPXML"
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --replace --xml-text ''
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
desc="$CIB_user: Replace - delete attribute (deny)"
cmd="cibadmin --replace --xml-file $TMPXML"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
CIB_user=root cibadmin -Q > "$TMPXML"
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text ''
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
desc="$CIB_user: Replace - create attribute (deny)"
cmd="cibadmin --replace --xml-file $TMPXML"
test_assert $CRM_EX_INSUFFICIENT_PRIV 0
+ ### admin role ###
CIB_user=bob
CIB_user=root cibadmin -Q > "$TMPXML"
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text ''
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
- desc="$CIB_user: Replace - create attribute (allow)"
+ desc="$CIB_user: Replace - create attribute (direct allow)"
cmd="cibadmin --replace -o resources --xml-file $TMPXML"
test_assert $CRM_EX_OK 0
CIB_user=root cibadmin -Q > "$TMPXML"
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text ''
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
- desc="$CIB_user: Replace - modify attribute (allow)"
+ desc="$CIB_user: Replace - modify attribute (direct allow)"
cmd="cibadmin --replace -o resources --xml-file $TMPXML"
test_assert $CRM_EX_OK 0
CIB_user=root cibadmin -Q > "$TMPXML"
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --replace -o resources --xml-text ''
CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
- desc="$CIB_user: Replace - delete attribute (allow)"
+ desc="$CIB_user: Replace - delete attribute (direct allow)"
cmd="cibadmin --replace -o resources --xml-file $TMPXML"
test_assert $CRM_EX_OK 0
+
+ ### super_user role ###
+ export CIB_user=joe
+
+ CIB_user=root cibadmin -Q > "$TMPXML"
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text ''
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+ desc="$CIB_user: Replace - create attribute (inherited allow)"
+ cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+ test_assert $CRM_EX_OK 0
+
+ CIB_user=root cibadmin -Q > "$TMPXML"
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text ''
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+ desc="$CIB_user: Replace - modify attribute (inherited allow)"
+ cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+ test_assert $CRM_EX_OK 0
+
+ CIB_user=root cibadmin -Q > "$TMPXML"
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --replace -o resources --xml-text ''
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+ desc="$CIB_user: Replace - delete attribute (inherited allow)"
+ cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+ test_assert $CRM_EX_OK 0
+
+ ### rsc_writer role ###
+ export CIB_user=mike
+
+ CIB_user=root cibadmin -Q > "$TMPXML"
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text ''
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+ desc="$CIB_user: Replace - create attribute (allow overrides deny)"
+ cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+ test_assert $CRM_EX_OK 0
+
+ CIB_user=root cibadmin -Q > "$TMPXML"
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text ''
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+ desc="$CIB_user: Replace - modify attribute (allow overrides deny)"
+ cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+ test_assert $CRM_EX_OK 0
+
+ CIB_user=root cibadmin -Q > "$TMPXML"
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --replace -o resources --xml-text ''
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+ desc="$CIB_user: Replace - delete attribute (allow overrides deny)"
+ cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+ test_assert $CRM_EX_OK 0
+
+ ### rsc_denied role ###
+ export CIB_user=chris
+
+ CIB_user=root cibadmin -Q > "$TMPXML"
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text ''
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+ desc="$CIB_user: Replace - create attribute (deny overrides allow)"
+ cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+ test_assert $CRM_EX_INSUFFICIENT_PRIV 0
+
+ # Set as root since setting as chris failed
+ CIB_user=root cibadmin --modify --xml-text ''
+
+ CIB_user=root cibadmin -Q > "$TMPXML"
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text ''
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+ desc="$CIB_user: Replace - modify attribute (deny overrides allow)"
+ cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+ test_assert $CRM_EX_INSUFFICIENT_PRIV 0
+
+ # Set as root since setting as chris failed
+ CIB_user=root cibadmin --modify --xml-text ''
+
+ CIB_user=root cibadmin -Q > "$TMPXML"
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --replace -o resources --xml-text ''
+ CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+ desc="$CIB_user: Replace - delete attribute (deny overrides allow)"
+ cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+ test_assert $CRM_EX_INSUFFICIENT_PRIV 0
}
function test_acls() {
local SHADOWPATH
local TMPXML
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.acls.xml.XXXXXXXXXX)
export CIB_shadow_dir="${shadow_dir}"
$VALGRIND_CMD crm_shadow --batch --force --create-empty $shadow --validate-with pacemaker-1.3 2>&1
export CIB_shadow=$shadow
cat < "$TMPXML"
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
EOF
desc="Configure some ACLs"
cmd="cibadmin -M -o acls --xml-file $TMPXML"
test_assert $CRM_EX_OK
desc="Enable ACLs"
cmd="crm_attribute -n enable-acl -v true"
test_assert $CRM_EX_OK
desc="Set cluster option"
cmd="crm_attribute -n no-quorum-policy -v ignore"
test_assert $CRM_EX_OK
desc="New ACL"
cmd="cibadmin --create -o acls --xml-text ''"
test_assert $CRM_EX_OK
desc="Another ACL"
cmd="cibadmin --create -o acls --xml-text ''"
test_assert $CRM_EX_OK
desc="Updated ACL"
cmd="cibadmin --replace -o acls --xml-text ''"
test_assert $CRM_EX_OK
test_acl_loop "$TMPXML"
printf "\n\n !#!#!#!#! Upgrading to latest CIB schema and re-testing !#!#!#!#!\n"
printf "\nUpgrading to latest CIB schema and re-testing\n" 1>&2
export CIB_user=root
desc="$CIB_user: Upgrade to latest CIB schema"
cmd="cibadmin --upgrade --force -V"
test_assert $CRM_EX_OK
SHADOWPATH="$(crm_shadow --file)"
# sed -i isn't portable :-(
cp -p "$SHADOWPATH" "${SHADOWPATH}.$$" # to keep permissions
sed -e 's/epoch=.2/epoch=\"6/g' -e 's/admin_epoch=.1/admin_epoch=\"0/g' \
"$SHADOWPATH" > "${SHADOWPATH}.$$"
mv -- "${SHADOWPATH}.$$" "$SHADOWPATH"
test_acl_loop "$TMPXML"
unset CIB_shadow_dir
rm -f "$TMPXML"
}
function test_validity() {
local TMPGOOD
local TMPBAD
TMPGOOD=$(mktemp ${TMPDIR:-/tmp}/cts-cli.validity.good.xml.XXXXXXXXXX)
TMPBAD=$(mktemp ${TMPDIR:-/tmp}/cts-cli.validity.bad.xml.XXXXXXXXXX)
export CIB_shadow_dir="${shadow_dir}"
$VALGRIND_CMD crm_shadow --batch --force --create-empty $shadow --validate-with pacemaker-1.2 2>&1
export CIB_shadow=$shadow
export PCMK_trace_functions=apply_upgrade,update_validation,cli_config_update
export PCMK_stderr=1
cibadmin -C -o resources --xml-text ''
cibadmin -C -o resources --xml-text ''
cibadmin -C -o constraints --xml-text ''
cibadmin -Q > "$TMPGOOD"
desc="Try to make resulting CIB invalid (enum violation)"
cmd="cibadmin -M -o constraints --xml-text ''"
test_assert $CRM_EX_CONFIG
sed 's|"start"|"break"|' "$TMPGOOD" > "$TMPBAD"
desc="Run crm_simulate with invalid CIB (enum violation)"
cmd="crm_simulate -x $TMPBAD -S"
test_assert $CRM_EX_CONFIG 0
desc="Try to make resulting CIB invalid (unrecognized validate-with)"
cmd="cibadmin -M --xml-text ''"
test_assert $CRM_EX_CONFIG
sed 's|"pacemaker-1.2"|"pacemaker-9999.0"|' "$TMPGOOD" > "$TMPBAD"
desc="Run crm_simulate with invalid CIB (unrecognized validate-with)"
cmd="crm_simulate -x $TMPBAD -S"
test_assert $CRM_EX_CONFIG 0
desc="Try to make resulting CIB invalid, but possibly recoverable (valid with X.Y+1)"
cmd="cibadmin -C -o configuration --xml-text ''"
test_assert $CRM_EX_CONFIG
sed 's|||' "$TMPGOOD" > "$TMPBAD"
desc="Run crm_simulate with invalid, but possibly recoverable CIB (valid with X.Y+1)"
cmd="crm_simulate -x $TMPBAD -S"
test_assert $CRM_EX_OK 0
sed 's|[ ][ ]*validate-with="[^"]*"||' "$TMPGOOD" > "$TMPBAD"
desc="Make resulting CIB valid, although without validate-with attribute"
cmd="cibadmin -R --xml-file $TMPBAD"
test_assert $CRM_EX_OK
desc="Run crm_simulate with valid CIB, but without validate-with attribute"
cmd="crm_simulate -x $TMPBAD -S"
test_assert $CRM_EX_OK 0
# this will just disable validation and accept the config, outputting
# validation errors
sed -e 's|[ ][ ]*validate-with="[^"]*"||' \
-e 's|\([ ][ ]*epoch="[^"]*\)"|\10"|' -e 's|"start"|"break"|' \
"$TMPGOOD" > "$TMPBAD"
desc="Make resulting CIB invalid, and without validate-with attribute"
cmd="cibadmin -R --xml-file $TMPBAD"
test_assert $CRM_EX_OK
desc="Run crm_simulate with invalid CIB, also without validate-with attribute"
cmd="crm_simulate -x $TMPBAD -S"
test_assert $CRM_EX_OK 0
unset CIB_shadow_dir
rm -f "$TMPGOOD" "$TMPBAD"
}
test_upgrade() {
local TMPXML
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
export CIB_shadow_dir="${shadow_dir}"
$VALGRIND_CMD crm_shadow --batch --force --create-empty $shadow --validate-with pacemaker-2.10 2>&1
export CIB_shadow=$shadow
desc="Set stonith-enabled=false"
cmd="crm_attribute -n stonith-enabled -v false"
test_assert $CRM_EX_OK
cat < "$TMPXML"
EOF
desc="Configure the initial resource"
cmd="cibadmin -M -o resources --xml-file $TMPXML"
test_assert $CRM_EX_OK
desc="Upgrade to latest CIB schema (trigger 2.10.xsl + the wrapping)"
cmd="cibadmin --upgrade --force -V -V"
test_assert $CRM_EX_OK
desc="Query a resource instance attribute (shall survive)"
cmd="crm_resource -r mySmartFuse -g requires"
test_assert $CRM_EX_OK
unset CIB_shadow_dir
rm -f "$TMPXML"
}
test_rules() {
local TMPXML
export CIB_shadow_dir="${shadow_dir}"
$VALGRIND_CMD crm_shadow --batch --force --create-empty $shadow 2>&1
export CIB_shadow=$shadow
cibadmin -C -o resources --xml-text ''
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
cat < "$TMPXML"
EOF
cibadmin -C -o constraints -x "$TMPXML"
rm -f "$TMPXML"
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
cat < "$TMPXML"
EOF
cibadmin -C -o constraints -x "$TMPXML"
rm -f "$TMPXML"
if [ "$(uname)" == "FreeBSD" ]; then
tomorrow=$(date -v+1d +"%F %T %z")
else
tomorrow=$(date --date=tomorrow +"%F %T %z")
fi
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
cat < "$TMPXML"
EOF
cibadmin -C -o constraints -x "$TMPXML"
rm -f "$TMPXML"
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
cat < "$TMPXML"
EOF
cibadmin -C -o constraints -x "$TMPXML"
rm -f "$TMPXML"
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
cat < "$TMPXML"
EOF
cibadmin -C -o constraints -x "$TMPXML"
rm -f "$TMPXML"
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
cat < "$TMPXML"
EOF
cibadmin -C -o constraints -x "$TMPXML"
rm -f "$TMPXML"
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
cat < "$TMPXML"
EOF
cibadmin -C -o constraints -x "$TMPXML"
rm -f "$TMPXML"
desc="Try to check a rule that doesn't exist"
cmd="crm_rule -c -r blahblah"
test_assert $CRM_EX_NOSUCH
desc="Try to check a rule that has too many date_expressions"
cmd="crm_rule -c -r cli-rule-too-many-date-expressions"
test_assert $CRM_EX_UNIMPLEMENT_FEATURE
desc="Verify basic rule is expired"
cmd="crm_rule -c -r cli-prefer-rule-dummy-expired"
test_assert $CRM_EX_EXPIRED
desc="Verify basic rule worked in the past"
cmd="crm_rule -c -r cli-prefer-rule-dummy-expired -d 20180101"
test_assert $CRM_EX_OK
desc="Verify basic rule is not yet in effect"
cmd="crm_rule -c -r cli-prefer-rule-dummy-not-yet"
test_assert $CRM_EX_NOT_YET_IN_EFFECT
desc="Verify date_spec rule with years has expired"
cmd="crm_rule -c -r cli-prefer-rule-dummy-date_spec-only-years"
test_assert $CRM_EX_EXPIRED
desc="Verify date_spec rule with years is in effect"
cmd="crm_rule -c -r cli-prefer-rule-dummy-date_spec-only-years -d 20190201"
test_assert $CRM_EX_OK
desc="Try to check a rule whose date_spec does not contain years="
cmd="crm_rule -c -r cli-prefer-rule-dummy-date_spec-without-years"
test_assert $CRM_EX_NOSUCH
desc="Try to check a rule whose date_spec contains years= and moon="
cmd="crm_rule -c -r cli-prefer-rule-dummy-date_spec-years-moon"
test_assert $CRM_EX_NOSUCH
desc="Try to check a rule with no date_expression"
cmd="crm_rule -c -r cli-no-date_expression-rule"
test_assert $CRM_EX_UNIMPLEMENT_FEATURE
unset CIB_shadow_dir
}
# Process command-line arguments
while [ $# -gt 0 ]; do
case "$1" in
-t)
tests="$2"
shift 2
;;
-V|--verbose)
verbose=1
shift
;;
-v|--valgrind)
export G_SLICE=always-malloc
VALGRIND_CMD="valgrind $VALGRIND_OPTS"
shift
;;
-s)
do_save=1
shift
;;
-p)
export PATH="$2:$PATH"
shift
;;
--help)
echo "$USAGE_TEXT"
exit $CRM_EX_OK
;;
*)
echo "error: unknown option $1"
echo
echo "$USAGE_TEXT"
exit $CRM_EX_USAGE
;;
esac
done
for t in $tests; do
case "$t" in
dates) ;;
tools) ;;
acls) ;;
validity) ;;
upgrade) ;;
rules) ;;
crm_mon) ;;
*)
echo "error: unknown test $t"
echo
echo "$USAGE_TEXT"
exit $CRM_EX_USAGE
;;
esac
done
# Check whether we're running from source directory
SRCDIR=$(dirname $test_home)
if [ -x "$SRCDIR/tools/crm_simulate" ]; then
export PATH="$SRCDIR/tools:$PATH"
echo "Using local binaries from: $SRCDIR/tools"
if [ -x "$SRCDIR/xml" ]; then
export PCMK_schema_directory="$SRCDIR/xml"
echo "Using local schemas from: $PCMK_schema_directory"
fi
fi
for t in $tests; do
echo "Testing $t"
TMPFILE=$(mktemp ${TMPDIR:-/tmp}/cts-cli.$t.XXXXXXXXXX)
eval TMPFILE_$t="$TMPFILE"
test_$t > "$TMPFILE"
# last-run= and last-rc-change= are always numeric in the CIB. However,
# for the crm_mon test we also need to compare against the XML output of
# the crm_mon program. There, these are shown as human readable strings
# (like the output of the `date` command).
sed -e 's/cib-last-written.*>/>/'\
-e 's/ last-run=\"[A-Za-z0-9: ]*\"//'\
-e 's/Last updated: .*/Last updated:/' \
-e 's/Last change: .*/Last change:/' \
-e 's/(version .*)/(version)/' \
-e 's/last_update time=\".*\"/last_update time=\"\"/' \
-e 's/last_change time=\".*\"/last_change time=\"\"/' \
-e 's/ version=\".*\" / version=\"\" /' \
-e 's/request=\".*crm_mon/request=\"crm_mon/' \
-e 's/crm_feature_set="[^"]*" //'\
-e 's/validate-with="[^"]*" //'\
-e 's/Created new pacemaker-.* configuration/Created new pacemaker configuration/'\
-e 's/.*\(pcmk__.*\)@.*\.c:[0-9][0-9]*)/\1/g' \
-e 's/.*\(unpack_.*\)@.*\.c:[0-9][0-9]*)/\1/g' \
-e 's/.*\(update_validation\)@.*\.c:[0-9][0-9]*)/\1/g' \
-e 's/.*\(apply_upgrade\)@.*\.c:[0-9][0-9]*)/\1/g' \
-e 's/ last-rc-change=\"[A-Za-z0-9: ]*\"//'\
-e 's|^/tmp/cts-cli\.validity\.bad.xml\.[^:]*:|validity.bad.xml:|'\
-e 's/^Entity: line [0-9][0-9]*: //'\
-e 's/\(validation ([0-9][0-9]* of \)[0-9][0-9]*\().*\)/\1X\2/' \
-e 's/^Migration will take effect until: .*/Migration will take effect until:/' \
-e 's/ end=\"[0-9][-+: 0-9]*Z*\"/ end=\"\"/' \
-e 's/ start=\"[0-9][-+: 0-9]*Z*\"/ start=\"\"/' \
-e 's/^Error checking rule: Device not configured/Error checking rule: No such device or address/' \
"$TMPFILE" > "${TMPFILE}.$$"
mv -- "${TMPFILE}.$$" "$TMPFILE"
if [ $do_save -eq 1 ]; then
cp "$TMPFILE" $test_home/cli/regression.$t.exp
fi
done
rm -rf "${shadow_dir}"
failed=0
if [ $verbose -eq 1 ]; then
echo -e "\n\nResults"
fi
for t in $tests; do
eval TMPFILE="\$TMPFILE_$t"
if [ $verbose -eq 1 ]; then
diff -wu $test_home/cli/regression.$t.exp "$TMPFILE"
else
diff -w $test_home/cli/regression.$t.exp "$TMPFILE" >/dev/null 2>&1
fi
if [ $? -ne 0 ]; then
failed=1
fi
done
echo -e "\n\nSummary"
for t in $tests; do
eval TMPFILE="\$TMPFILE_$t"
grep -e '^\* \(Passed\|Failed\)' "$TMPFILE"
done
if [ $num_errors -ne 0 ]; then
echo "$num_errors tests failed; see output in:"
for t in $tests; do
eval TMPFILE="\$TMPFILE_$t"
echo " $TMPFILE"
done
exit $CRM_EX_ERROR
elif [ $failed -eq 1 ]; then
echo "$num_passed tests passed but output was unexpected; see output in:"
for t in $tests; do
eval TMPFILE="\$TMPFILE_$t"
echo " $TMPFILE"
done
exit $CRM_EX_DIGEST
else
echo $num_passed tests passed
for t in $tests; do
eval TMPFILE="\$TMPFILE_$t"
rm -f "$TMPFILE"
done
crm_shadow --force --delete $shadow >/dev/null 2>&1
exit $CRM_EX_OK
fi
diff --git a/lib/common/acl.c b/lib/common/acl.c
index aca0aadda9..64407760c2 100644
--- a/lib/common/acl.c
+++ b/lib/common/acl.c
@@ -1,827 +1,814 @@
/*
* Copyright 2004-2020 the Pacemaker project contributors
*
* The version control history for this file may have further details.
*
* This source code is licensed under the GNU Lesser General Public License
* version 2.1 or later (LGPLv2.1+) WITHOUT ANY WARRANTY.
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "crmcommon_private.h"
#define MAX_XPATH_LEN 4096
typedef struct xml_acl_s {
enum xml_private_flags mode;
char *xpath;
} xml_acl_t;
static void
__xml_acl_free(void *data)
{
if (data) {
xml_acl_t *acl = data;
free(acl->xpath);
free(acl);
}
}
void
pcmk__free_acls(GList *acls)
{
g_list_free_full(acls, __xml_acl_free);
}
static GList *
__xml_acl_create(xmlNode *xml, GList *acls, enum xml_private_flags mode)
{
xml_acl_t *acl = NULL;
const char *tag = crm_element_value(xml, XML_ACL_ATTR_TAG);
const char *ref = crm_element_value(xml, XML_ACL_ATTR_REF);
const char *xpath = crm_element_value(xml, XML_ACL_ATTR_XPATH);
const char *attr = crm_element_value(xml, XML_ACL_ATTR_ATTRIBUTE);
if (tag == NULL) {
// @COMPAT rolling upgrades <=1.1.11
tag = crm_element_value(xml, XML_ACL_ATTR_TAGv1);
}
if (ref == NULL) {
// @COMPAT rolling upgrades <=1.1.11
ref = crm_element_value(xml, XML_ACL_ATTR_REFv1);
}
if ((tag == NULL) && (ref == NULL) && (xpath == NULL)) {
// Schema should prevent this, but to be safe ...
crm_trace("Ignoring ACL <%s> element without selection criteria",
crm_element_name(xml));
return NULL;
}
acl = calloc(1, sizeof (xml_acl_t));
CRM_ASSERT(acl != NULL);
acl->mode = mode;
if (xpath) {
acl->xpath = strdup(xpath);
CRM_ASSERT(acl->xpath != NULL);
crm_trace("Unpacked ACL <%s> element using xpath: %s",
crm_element_name(xml), acl->xpath);
} else {
int offset = 0;
char buffer[MAX_XPATH_LEN];
if (tag) {
offset += snprintf(buffer + offset, MAX_XPATH_LEN - offset,
"//%s", tag);
} else {
offset += snprintf(buffer + offset, MAX_XPATH_LEN - offset,
"//*");
}
if (ref || attr) {
offset += snprintf(buffer + offset, MAX_XPATH_LEN - offset,
"[");
}
if (ref) {
offset += snprintf(buffer + offset, MAX_XPATH_LEN - offset,
"@id='%s'", ref);
}
// NOTE: schema currently does not allow this
if (ref && attr) {
offset += snprintf(buffer + offset, MAX_XPATH_LEN - offset,
" and ");
}
if (attr) {
offset += snprintf(buffer + offset, MAX_XPATH_LEN - offset,
"@%s", attr);
}
if (ref || attr) {
offset += snprintf(buffer + offset, MAX_XPATH_LEN - offset,
"]");
}
CRM_LOG_ASSERT(offset > 0);
acl->xpath = strdup(buffer);
CRM_ASSERT(acl->xpath != NULL);
crm_trace("Unpacked ACL <%s> element as xpath: %s",
crm_element_name(xml), acl->xpath);
}
return g_list_append(acls, acl);
}
/*!
* \internal
* \brief Unpack a user, group, or role subtree of the ACLs section
*
* \param[in] acl_top XML of entire ACLs section
* \param[in] acl_entry XML of ACL element being unpacked
* \param[in,out] acls List of ACLs unpacked so far
*
* \return New head of (possibly modified) acls
*/
static GList *
__xml_acl_parse_entry(xmlNode *acl_top, xmlNode *acl_entry, GList *acls)
{
xmlNode *child = NULL;
for (child = __xml_first_child_element(acl_entry); child;
child = __xml_next_element(child)) {
const char *tag = crm_element_name(child);
const char *kind = crm_element_value(child, XML_ACL_ATTR_KIND);
if (strcmp(XML_ACL_TAG_PERMISSION, tag) == 0){
CRM_ASSERT(kind != NULL);
crm_trace("Unpacking ACL <%s> element of kind '%s'", tag, kind);
tag = kind;
} else {
crm_trace("Unpacking ACL <%s> element", tag);
}
if (strcmp(XML_ACL_TAG_ROLE_REF, tag) == 0
|| strcmp(XML_ACL_TAG_ROLE_REFv1, tag) == 0) {
const char *ref_role = crm_element_value(child, XML_ATTR_ID);
if (ref_role) {
xmlNode *role = NULL;
for (role = __xml_first_child_element(acl_top); role;
role = __xml_next_element(role)) {
if (!strcmp(XML_ACL_TAG_ROLE, (const char *) role->name)) {
const char *role_id = crm_element_value(role,
XML_ATTR_ID);
if (role_id && strcmp(ref_role, role_id) == 0) {
crm_trace("Unpacking referenced role '%s' in ACL <%s> element",
role_id, crm_element_name(acl_entry));
acls = __xml_acl_parse_entry(acl_top, role, acls);
break;
}
}
}
}
} else if (strcmp(XML_ACL_TAG_READ, tag) == 0) {
acls = __xml_acl_create(child, acls, xpf_acl_read);
} else if (strcmp(XML_ACL_TAG_WRITE, tag) == 0) {
acls = __xml_acl_create(child, acls, xpf_acl_write);
} else if (strcmp(XML_ACL_TAG_DENY, tag) == 0) {
acls = __xml_acl_create(child, acls, xpf_acl_deny);
} else {
crm_warn("Ignoring unknown ACL %s '%s'",
(kind? "kind" : "element"), tag);
}
}
return acls;
}
/*
*/
static const char *
__xml_acl_to_text(enum xml_private_flags flags)
{
if (is_set(flags, xpf_acl_deny)) {
return "deny";
} else if (is_set(flags, xpf_acl_write) || is_set(flags, xpf_acl_create)) {
return "read/write";
} else if (is_set(flags, xpf_acl_read)) {
return "read";
}
return "none";
}
void
pcmk__apply_acl(xmlNode *xml)
{
GListPtr aIter = NULL;
xml_private_t *p = xml->doc->_private;
xmlXPathObjectPtr xpathObj = NULL;
if (xml_acl_enabled(xml) == FALSE) {
crm_trace("Skipping ACLs for user '%s' because not enabled for this XML",
p->user);
return;
}
for (aIter = p->acls; aIter != NULL; aIter = aIter->next) {
int max = 0, lpc = 0;
xml_acl_t *acl = aIter->data;
xpathObj = xpath_search(xml, acl->xpath);
max = numXpathResults(xpathObj);
for (lpc = 0; lpc < max; lpc++) {
xmlNode *match = getXpathResult(xpathObj, lpc);
char *path = xml_get_path(match);
p = match->_private;
crm_trace("Applying %s ACL to %s matched by %s",
__xml_acl_to_text(acl->mode), path, acl->xpath);
#ifdef SUSE_ACL_COMPAT
if (is_not_set(p->flags, acl->mode)
&& (is_set(p->flags, xpf_acl_read)
|| is_set(p->flags, xpf_acl_write)
|| is_set(p->flags, xpf_acl_deny))) {
pcmk__config_warn("Configuration element %s is matched by "
"multiple ACL rules, only the first applies "
"('%s' wins over '%s')",
path, __xml_acl_to_text(p->flags),
__xml_acl_to_text(acl->mode));
free(path);
continue;
}
#endif
p->flags |= acl->mode;
free(path);
}
crm_trace("Applied %s ACL %s (%d match%s)",
__xml_acl_to_text(acl->mode), acl->xpath, max,
((max == 1)? "" : "es"));
freeXpathObject(xpathObj);
}
-
- p = xml->_private;
- if (is_not_set(p->flags, xpf_acl_read)
- && is_not_set(p->flags, xpf_acl_write)) {
-
- p->flags |= xpf_acl_deny;
- p = xml->doc->_private;
- crm_info("Applied default deny ACL for user '%s' to <%s>",
- p->user, crm_element_name(xml));
- }
-
}
/*!
* \internal
* \brief Unpack ACLs for a given user
*
* \param[in] source XML with ACL definitions
* \param[in,out] target XML that ACLs will be applied to
* \param[in] user Username whose ACLs need to be unpacked
*/
void
pcmk__unpack_acl(xmlNode *source, xmlNode *target, const char *user)
{
#if ENABLE_ACL
xml_private_t *p = NULL;
if ((target == NULL) || (target->doc == NULL)
|| (target->doc->_private == NULL)) {
return;
}
p = target->doc->_private;
if (pcmk_acl_required(user) == FALSE) {
crm_trace("Not unpacking ACLs because not required for user '%s'",
user);
} else if (p->acls == NULL) {
xmlNode *acls = get_xpath_object("//" XML_CIB_TAG_ACLS,
source, LOG_NEVER);
free(p->user);
p->user = strdup(user);
if (acls) {
xmlNode *child = NULL;
for (child = __xml_first_child_element(acls); child;
child = __xml_next_element(child)) {
const char *tag = crm_element_name(child);
if (!strcmp(tag, XML_ACL_TAG_USER)
|| !strcmp(tag, XML_ACL_TAG_USERv1)) {
const char *id = crm_element_value(child, XML_ATTR_ID);
if (id && strcmp(id, user) == 0) {
crm_debug("Unpacking ACLs for user '%s'", id);
p->acls = __xml_acl_parse_entry(acls, child, p->acls);
}
}
}
}
}
#endif
}
static inline bool
__xml_acl_mode_test(enum xml_private_flags allowed,
enum xml_private_flags requested)
{
if (is_set(allowed, xpf_acl_deny)) {
return FALSE;
} else if (is_set(allowed, requested)) {
return TRUE;
} else if (is_set(requested, xpf_acl_read)
&& is_set(allowed, xpf_acl_write)) {
return TRUE;
} else if (is_set(requested, xpf_acl_create)
&& is_set(allowed, xpf_acl_write)) {
return TRUE;
} else if (is_set(requested, xpf_acl_create)
&& is_set(allowed, xpf_created)) {
return TRUE;
}
return FALSE;
}
/* rc = TRUE if orig_cib has been filtered
* That means '*result' rather than 'xml' should be exploited afterwards
*/
static bool
__xml_purge_attributes(xmlNode *xml)
{
xmlNode *child = NULL;
xmlAttr *xIter = NULL;
bool readable_children = FALSE;
xml_private_t *p = xml->_private;
if (__xml_acl_mode_test(p->flags, xpf_acl_read)) {
crm_trace("%s[@id=%s] is readable", crm_element_name(xml), ID(xml));
return TRUE;
}
xIter = xml->properties;
while (xIter != NULL) {
xmlAttr *tmp = xIter;
const char *prop_name = (const char *)xIter->name;
xIter = xIter->next;
if (strcmp(prop_name, XML_ATTR_ID) == 0) {
continue;
}
xmlUnsetProp(xml, tmp->name);
}
child = __xml_first_child(xml);
while ( child != NULL ) {
xmlNode *tmp = child;
child = __xml_next(child);
readable_children |= __xml_purge_attributes(tmp);
}
if (readable_children == FALSE) {
free_xml(xml); /* Nothing readable under here, purge completely */
}
return readable_children;
}
/*!
* \internal
* \brief Copy ACL-allowed portions of specified XML
*
* \param[in] user Username whose ACLs should be used
* \param[in] acl_source XML containing ACLs
* \param[in] xml XML to be copied
* \param[out] result Copy of XML portions readable via ACLs
*
* \return TRUE if xml exists and ACLs are required for user, otherwise FALSE
*/
bool
xml_acl_filtered_copy(const char *user, xmlNode *acl_source, xmlNode *xml,
xmlNode **result)
{
GListPtr aIter = NULL;
xmlNode *target = NULL;
- xml_private_t *p = NULL;
xml_private_t *doc = NULL;
*result = NULL;
if (xml == NULL || pcmk_acl_required(user) == FALSE) {
crm_trace("Not filtering XML because ACLs not required for user '%s'",
user);
return FALSE;
}
crm_trace("Filtering XML copy using user '%s' ACLs", user);
target = copy_xml(xml);
if (target == NULL) {
return TRUE;
}
pcmk__unpack_acl(acl_source, target, user);
pcmk__set_xml_flag(target, xpf_acl_enabled);
pcmk__apply_acl(target);
doc = target->doc->_private;
for(aIter = doc->acls; aIter != NULL && target; aIter = aIter->next) {
int max = 0;
xml_acl_t *acl = aIter->data;
if (acl->mode != xpf_acl_deny) {
/* Nothing to do */
} else if (acl->xpath) {
int lpc = 0;
xmlXPathObjectPtr xpathObj = xpath_search(target, acl->xpath);
max = numXpathResults(xpathObj);
for(lpc = 0; lpc < max; lpc++) {
xmlNode *match = getXpathResult(xpathObj, lpc);
if (__xml_purge_attributes(match) == FALSE && match == target) {
crm_trace("ACLs deny user '%s' access to entire XML document",
user);
freeXpathObject(xpathObj);
return TRUE;
}
}
crm_trace("ACLs deny user '%s' access to %s (%d match%s)",
user, acl->xpath, max, ((max == 1)? "" : "es"));
freeXpathObject(xpathObj);
}
}
- p = target->_private;
- if (is_set(p->flags, xpf_acl_deny)
- && (__xml_purge_attributes(target) == FALSE)) {
+ if (__xml_purge_attributes(target) == FALSE) {
crm_trace("ACLs deny user '%s' access to entire XML document", user);
return TRUE;
}
if (doc->acls) {
g_list_free_full(doc->acls, __xml_acl_free);
doc->acls = NULL;
} else {
crm_trace("User '%s' without ACLs denied access to entire XML document",
user);
free_xml(target);
target = NULL;
}
if (target) {
*result = target;
}
return TRUE;
}
/*!
* \internal
* \brief Check whether creation of an XML element is implicitly allowed
*
* Check whether XML is a "scaffolding" element whose creation is implicitly
* allowed regardless of ACLs (that is, it is not in the ACL section and has
* no attributes other than "id").
*
* \param[in] xml XML element to check
*
* \return TRUE if XML element is implicitly allowed, FALSE otherwise
*/
static bool
implicitly_allowed(xmlNode *xml)
{
char *path = NULL;
for (xmlAttr *prop = xml->properties; prop != NULL; prop = prop->next) {
if (strcmp((const char *) prop->name, XML_ATTR_ID) != 0) {
return FALSE;
}
}
path = xml_get_path(xml);
if (strstr(path, "/" XML_CIB_TAG_ACLS "/") != NULL) {
free(path);
return FALSE;
}
free(path);
return TRUE;
}
#define display_id(xml) (ID(xml)? ID(xml) : "")
/*!
* \internal
* \brief Drop XML nodes created in violation of ACLs
*
* Given an XML element, free all of its descendent nodes created in violation
* of ACLs, with the exception of allowing "scaffolding" elements (i.e. those
* that aren't in the ACL section and don't have any attributes other than
* "id").
*
* \param[in,out] xml XML to check
* \param[in] check_top Whether to apply checks to argument itself
* (if TRUE, xml might get freed)
*/
void
pcmk__apply_creation_acl(xmlNode *xml, bool check_top)
{
xml_private_t *p = xml->_private;
if (is_set(p->flags, xpf_created)) {
if (implicitly_allowed(xml)) {
crm_trace("Creation of <%s> scaffolding with id=\"%s\""
" is implicitly allowed",
crm_element_name(xml), display_id(xml));
} else if (pcmk__check_acl(xml, NULL, xpf_acl_write)) {
crm_trace("ACLs allow creation of <%s> with id=\"%s\"",
crm_element_name(xml), display_id(xml));
} else if (check_top) {
crm_trace("ACLs disallow creation of <%s> with id=\"%s\"",
crm_element_name(xml), display_id(xml));
pcmk_free_xml_subtree(xml);
return;
} else {
crm_notice("ACLs would disallow creation of %s<%s> with id=\"%s\" ",
((xml == xmlDocGetRootElement(xml->doc))? "root element " : ""),
crm_element_name(xml), display_id(xml));
}
}
for (xmlNode *cIter = __xml_first_child(xml); cIter != NULL; ) {
xmlNode *child = cIter;
cIter = __xml_next(cIter); /* In case it is free'd */
pcmk__apply_creation_acl(child, TRUE);
}
}
bool
xml_acl_denied(xmlNode *xml)
{
if (xml && xml->doc && xml->doc->_private){
xml_private_t *p = xml->doc->_private;
return is_set(p->flags, xpf_acl_denied);
}
return FALSE;
}
void
xml_acl_disable(xmlNode *xml)
{
if (xml_acl_enabled(xml)) {
xml_private_t *p = xml->doc->_private;
/* Catch anything that was created but shouldn't have been */
pcmk__apply_acl(xml);
pcmk__apply_creation_acl(xml, FALSE);
clear_bit(p->flags, xpf_acl_enabled);
}
}
bool
xml_acl_enabled(xmlNode *xml)
{
if (xml && xml->doc && xml->doc->_private){
xml_private_t *p = xml->doc->_private;
return is_set(p->flags, xpf_acl_enabled);
}
return FALSE;
}
bool
pcmk__check_acl(xmlNode *xml, const char *name, enum xml_private_flags mode)
{
CRM_ASSERT(xml);
CRM_ASSERT(xml->doc);
CRM_ASSERT(xml->doc->_private);
#if ENABLE_ACL
if (pcmk__tracking_xml_changes(xml, FALSE) && xml_acl_enabled(xml)) {
int offset = 0;
xmlNode *parent = xml;
char buffer[MAX_XPATH_LEN];
xml_private_t *docp = xml->doc->_private;
offset = pcmk__element_xpath(NULL, xml, buffer, offset,
sizeof(buffer));
if (name) {
offset += snprintf(buffer + offset, MAX_XPATH_LEN - offset,
"[@%s]", name);
}
CRM_LOG_ASSERT(offset > 0);
if (docp->acls == NULL) {
crm_trace("User '%s' without ACLs denied %s access to %s",
docp->user, __xml_acl_to_text(mode), buffer);
pcmk__set_xml_flag(xml, xpf_acl_denied);
return FALSE;
}
/* Walk the tree upwards looking for xml_acl_* flags
* - Creating an attribute requires write permissions for the node
* - Creating a child requires write permissions for the parent
*/
if (name) {
xmlAttr *attr = xmlHasProp(xml, (pcmkXmlStr) name);
if (attr && mode == xpf_acl_create) {
mode = xpf_acl_write;
}
}
while (parent && parent->_private) {
xml_private_t *p = parent->_private;
if (__xml_acl_mode_test(p->flags, mode)) {
return TRUE;
} else if (is_set(p->flags, xpf_acl_deny)) {
- crm_trace("Parent ACL denies user '%s' %s access to %s",
- docp->user, __xml_acl_to_text(mode), buffer);
+ crm_trace("%sACL denies user '%s' %s access to %s",
+ (parent != xml) ? "Parent " : "", docp->user,
+ __xml_acl_to_text(mode), buffer);
pcmk__set_xml_flag(xml, xpf_acl_denied);
return FALSE;
}
parent = parent->parent;
}
crm_trace("Default ACL denies user '%s' %s access to %s",
docp->user, __xml_acl_to_text(mode), buffer);
pcmk__set_xml_flag(xml, xpf_acl_denied);
return FALSE;
}
#endif
return TRUE;
}
/*!
* \brief Check whether ACLs are required for a given user
*
* \param[in] User name to check
*
* \return true if the user requires ACLs, false otherwise
*/
bool
pcmk_acl_required(const char *user)
{
#if ENABLE_ACL
if (pcmk__str_empty(user)) {
crm_trace("ACLs not required because no user set");
return FALSE;
} else if (!strcmp(user, CRM_DAEMON_USER) || !strcmp(user, "root")) {
crm_trace("ACLs not required for privileged user %s", user);
return FALSE;
}
crm_trace("ACLs required for %s", user);
return TRUE;
#else
crm_trace("ACLs not required because not supported by this build");
return FALSE;
#endif
}
#if ENABLE_ACL
char *
pcmk__uid2username(uid_t uid)
{
struct passwd *pwent = getpwuid(uid);
if (pwent == NULL) {
crm_perror(LOG_INFO, "Cannot get user details for user ID %d", uid);
return NULL;
}
return strdup(pwent->pw_name);
}
/*!
* \internal
* \brief Set the ACL user field properly on an XML request
*
* Multiple user names are potentially involved in an XML request: the effective
* user of the current process; the user name known from an IPC client
* connection; and the user name obtained from the request itself, whether by
* the current standard XML attribute name or an older legacy attribute name.
* This function chooses the appropriate one that should be used for ACLs, sets
* it in the request (using the standard attribute name, and the legacy name if
* given), and returns it.
*
* \param[in,out] request XML request to update
* \param[in] field Alternate name for ACL user name XML attribute
* \param[in] peer_user User name as known from IPC connection
*
* \return ACL user name actually used
*/
const char *
pcmk__update_acl_user(xmlNode *request, const char *field,
const char *peer_user)
{
static const char *effective_user = NULL;
const char *requested_user = NULL;
const char *user = NULL;
if (effective_user == NULL) {
effective_user = pcmk__uid2username(geteuid());
if (effective_user == NULL) {
effective_user = strdup("#unprivileged");
CRM_CHECK(effective_user != NULL, return NULL);
crm_err("Unable to determine effective user, assuming unprivileged for ACLs");
}
}
requested_user = crm_element_value(request, XML_ACL_TAG_USER);
if (requested_user == NULL) {
/* @COMPAT rolling upgrades <=1.1.11
*
* field is checked for backward compatibility with older versions that
* did not use XML_ACL_TAG_USER.
*/
requested_user = crm_element_value(request, field);
}
if (!pcmk__is_privileged(effective_user)) {
/* We're not running as a privileged user, set or overwrite any existing
* value for $XML_ACL_TAG_USER
*/
user = effective_user;
} else if (peer_user == NULL && requested_user == NULL) {
/* No user known or requested, use 'effective_user' and make sure one is
* set for the request
*/
user = effective_user;
} else if (peer_user == NULL) {
/* No user known, trusting 'requested_user' */
user = requested_user;
} else if (!pcmk__is_privileged(peer_user)) {
/* The peer is not a privileged user, set or overwrite any existing
* value for $XML_ACL_TAG_USER
*/
user = peer_user;
} else if (requested_user == NULL) {
/* Even if we're privileged, make sure there is always a value set */
user = peer_user;
} else {
/* Legal delegation to 'requested_user' */
user = requested_user;
}
// This requires pointer comparison, not string comparison
if (user != crm_element_value(request, XML_ACL_TAG_USER)) {
crm_xml_add(request, XML_ACL_TAG_USER, user);
}
if (field != NULL && user != crm_element_value(request, field)) {
crm_xml_add(request, field, user);
}
return requested_user;
}
#endif
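Review bot: With the default-deny block removed from pcmk__apply_acl, nothing in that function now says where an unmatched element ends up denied, which makes the unconditional `__xml_purge_attributes(target)` call in xml_acl_filtered_copy look like it could leak root attributes to a user with no matching ACL; add a comment above the closing brace of pcmk__apply_acl such as `/* No default deny is set here: an element with no read/write grant is denied by the fall-through in pcmk__check_acl() and stripped by __xml_purge_attributes() in xml_acl_filtered_copy() */`. The security behaviour does appear preserved, since `__xml_purge_attributes` only returns TRUE when `__xml_acl_mode_test` sees an explicit read or write flag, and otherwise strips every attribute except id and frees subtrees with nothing readable. One pre-existing hazard this hunk does not address, and which the new unconditional purge makes more relevant: inside the deny loop a match other than `target` that is fully purged is freed by `free_xml`, yet later entries of the same xpath result set may point into that freed subtree, so it is worth confirming a deny xpath cannot match both an element and its descendant. The hunk appears to cover the whole file through its final `#endif`.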