
Fix: libcrmcommon: Use truly implicit deny for ACLs

Description

If a node does not have any ACLs set for it explicitly, it's assigned a
deny flag. However, in the case of scoped commands, the input to
pcmk__apply_acl() may be a section rather than the whole CIB. The
node at the root of the section that's passed in gets assigned a deny
flag after no ACLs match it.

This causes pcmk__check_acl() to fail prematurely when it walks up
the tree of parents. It reaches the node at the root of the section
that was passed to pcmk__apply_acl(), finds a deny flag, and returns
FALSE. If that node's parent (e.g., /cib) has a read or write ACL,
the parent's ACL is not reached and thus not considered.

The fix is to avoid setting a deny flag for a node if there is no ACL
for that node. pcmk__check_acl() already denies access implicitly if
neither read nor write is set for a node or any of its parents.

Resolves: RHBZ#1833173
Signed-off-by: Reid Wahl <nrwahl@protonmail.com>
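
A simplified model of the parent walk described in the commit message above, added here as an illustration; it is not Pacemaker's code and is not part of the commit. The struct, flag, and function names are hypothetical, and the three-element tree (`cib` / `configuration` / `resources`) is constructed sample input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical flags for a toy model; not Pacemaker's own definitions. */
enum { ACL_NONE = 0, ACL_READ = 1, ACL_WRITE = 2, ACL_DENY = 4 };

struct node { const char *name; struct node *parent; unsigned flags; };

/* Walk from the node up through its parents: an explicit deny ends the
 * walk, a matching grant allows, and running out of parents denies. */
static bool check_acl(const struct node *n, unsigned mode)
{
    for (; n != NULL; n = n->parent) {
        if (n->flags & ACL_DENY) return false;
        if (n->flags & mode) return true;
    }
    return false; /* implicit deny: no grant found on the node or any parent */
}

/* Models ACL application to the root of a scoped section that no ACL matches.
 * explicit_deny=true is the old behaviour; false is the behaviour after the fix. */
static void apply_acl_to_section(struct node *section_root, bool explicit_deny)
{
    if (section_root->flags == ACL_NONE && explicit_deny)
        section_root->flags |= ACL_DENY;
}

/* Constructed scenario: /cib carries cib_flags, the scoped section is
 * "configuration", and read access is requested on a child of that section. */
static bool scoped_read_allowed(unsigned cib_flags, bool explicit_deny)
{
    struct node cib = { "cib", NULL, cib_flags };
    struct node section = { "configuration", &cib, ACL_NONE };
    struct node child = { "resources", &section, ACL_NONE };
    apply_acl_to_section(&section, explicit_deny);
    return check_acl(&child, ACL_READ);
}

int main(void)
{
    printf("explicit deny, read ACL on /cib: %d\n", scoped_read_allowed(ACL_READ, true));
    printf("implicit deny, read ACL on /cib: %d\n", scoped_read_allowed(ACL_READ, false));
    printf("implicit deny, no ACL anywhere:  %d\n", scoped_read_allowed(ACL_NONE, false));
    return 0;
}
```

The third case shows that dropping the explicit flag does not open access: with no grant on any ancestor, the walk still ends in a denial.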

Details

Provenance
nrwahl2 authored on Jul 15 2020, 7:43 PM
Parents
rP51b5193c1896: Refactor: libcrmcommon: Remove redundant ACL checks