From eea1eacb8c8642bdbac69e03f866fee20e8dce27 Mon Sep 17 00:00:00 2001
From: Ken Gaillot <kgaillot@redhat.com>
Date: Jan 22 2021 12:12:31 +0000
Subject: Fix: scheduler: properly compute digest of non-sensitive resource parameters


The controller records op-secure-digest as a hash of all resource parameters
(specifically, those listed in the resource agent's meta-data) except those
marked as private.

Previously, the scheduler compared that against a digest of *all* parameters
(including meta-attributes, etc.) after filtering private parameters and
running pcmk__filter_op_for_digest(). The latter usually made the hash
identical to the controller's, but not always. Now, it only digests resource
instance attributes.

---

diff --git a/lib/pengine/utils.c b/lib/pengine/utils.c
index bfb67da..2ad8780 100644
--- a/lib/pengine/utils.c
+++ b/lib/pengine/utils.c
@@ -2123,7 +2123,12 @@ rsc_action_digest(pe_resource_t *rsc, const char *task, const char *key,
         data->digest_all_calc = calculate_operation_digest(data->params_all, op_version);
 
         if (calc_secure) {
-            data->params_secure = copy_xml(data->params_all);
+            /* The controller doesn't create a digest of *all* non-sensitive
+             * parameters, only those listed in resource agent meta-data. The
+             * equivalent here is rsc->parameters.
+             */
+            data->params_secure = create_xml_node(NULL, XML_TAG_PARAMS);
+            g_hash_table_foreach(rsc->parameters, hash2field, data->params_secure);
             if(secure_list) {
                 filter_parameters(data->params_secure, secure_list, FALSE);
             }