Almost all the discussion in [[ https://github.com/ClusterLabs/pacemaker/pull/3404 | CLPR#3404 ]] is about this issue.
This issue is not present when running against a CIB file. Ken said:
> I vaguely remember that ACLs don't matter for CIB_file, since the user's file system permissions override anything we do.
Reproducer:
1. Set the `enable-acl` property to true.
2. Add the following ACLs:
```
<acls>
<acl_role id="role-deny-acls-write-resources">
<acl_permission id="deny-acls" kind="deny" xpath="/cib/configuration/acls"/>
<acl_permission id="write-resources" kind="write" xpath="/cib/configuration/resources"/>
<acl_permission id="read-rest" kind="read" xpath="/cib"/>
</acl_role>
<acl_target id="test_user">
<role id="role-deny-acls-write-resources"/>
</acl_target>
</acls>
```
3. Run `cibadmin -Q --force --show-access=namespace --user=test_user` **as `test_user`**
Expected results (`<acls>` should be hidden because the user running the command is denied access to it, while the remaining elements should be annotated correctly as readable or writable).
```
<pcmk-access-readable:cib crm_feature_set="3.19.2" validate-with="pacemaker-3.8" epoch="13" num_updates="6" admin_epoch="0" cib-last-written="Mon Apr 1 14:48:52 2024" update-origin="laptop" update-client="hacluster" update-user="hacluster" have-quorum="1" dc-uuid="1" xmlns:pcmk-access-writable="http://clusterlabs.org/ns/pacemaker/access/writable" xmlns:pcmk-access-readable="http://clusterlabs.org/ns/pacemaker/access/readable" xmlns:pcmk-access-denied="http://clusterlabs.org/ns/pacemaker/access/denied">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-dc-deadtime" name="dc-deadtime" value="3s"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-have-watchdog" name="have-watchdog" value="false"/>
<nvpair id="cib-bootstrap-options-dc-version" name="dc-version" value="2.1.7-d82a8bb04e"/>
<nvpair id="cib-bootstrap-options-cluster-infrastructure" name="cluster-infrastructure" value="corosync"/>
<nvpair id="cib-bootstrap-options-cluster-name" name="cluster-name" value="testcluster"/>
</cluster_property_set>
</crm_config>
<nodes>
<node id="1" uname="laptop"/>
</nodes>
<pcmk-access-writable:resources/>
<constraints/>
</configuration>
<status>
<node_state id="1" uname="laptop" in_ccm="1712008128" crmd="1712008128" crm-debug-origin="do_state_transition" join="member" expected="member">
<transient_attributes id="1">
<instance_attributes id="status-1">
<nvpair id="status-1-.feature-set" name="#feature-set" value="3.19.2"/>
</instance_attributes>
</transient_attributes>
<lrm id="1">
<lrm_resources/>
</lrm>
</node_state>
</status>
</pcmk-access-readable:cib>
```
Actual results (the entire `<cib>` is annotated as denied; `<acls>` is correctly hidden, but `<resources>` is no longer annotated as writable):
```
<pcmk-access-denied:cib crm_feature_set="3.19.2" validate-with="pacemaker-3.8" epoch="13" num_updates="6" admin_epoch="0" cib-last-written="Mon Apr 1 14:48:52 2024" update-origin="laptop" update-client="hacluster" update-user="hacluster" have-quorum="1" dc-uuid="1" xmlns:pcmk-access-denied="http://clusterlabs.org/ns/pacemaker/access/denied">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-dc-deadtime" name="dc-deadtime" value="3s"/>
<nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
<nvpair id="cib-bootstrap-options-have-watchdog" name="have-watchdog" value="false"/>
<nvpair id="cib-bootstrap-options-dc-version" name="dc-version" value="2.1.7-d82a8bb04e"/>
<nvpair id="cib-bootstrap-options-cluster-infrastructure" name="cluster-infrastructure" value="corosync"/>
<nvpair id="cib-bootstrap-options-cluster-name" name="cluster-name" value="testcluster"/>
</cluster_property_set>
</crm_config>
<nodes>
<node id="1" uname="laptop"/>
</nodes>
<resources/>
<constraints/>
</configuration>
<status>
<node_state id="1" uname="laptop" in_ccm="1712008128" crmd="1712008128" crm-debug-origin="do_state_transition" join="member" expected="member">
<transient_attributes id="1">
<instance_attributes id="status-1">
<nvpair id="status-1-.feature-set" name="#feature-set" value="3.19.2"/>
</instance_attributes>
</transient_attributes>
<lrm id="1">
<lrm_resources/>
</lrm>
</node_state>
</status>
</pcmk-access-denied:cib>
```