Created new pacemaker configuration Setting up shadow instance A new shadow instance was created. To begin using it paste the following into your shell: CIB_shadow=cts-cli ; export CIB_shadow =#=#=#= Begin test: Configure some ACLs =#=#=#= =#=#=#= Current cib after: Configure some ACLs =#=#=#= <cib epoch="1" num_updates="0" admin_epoch="0"> <configuration> <crm_config/> <nodes/> <resources/> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= End test: Configure some ACLs - OK (0) =#=#=#= * Passed: cibadmin - Configure some ACLs =#=#=#= Begin test: Enable ACLs =#=#=#= =#=#=#= Current cib after: Enable ACLs =#=#=#= <cib epoch="2" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources/> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= End test: Enable ACLs - OK (0) =#=#=#= * Passed: crm_attribute - Enable ACLs =#=#=#= Begin test: Set cluster option =#=#=#= =#=#=#= Current cib after: Set cluster option =#=#=#= <cib epoch="3" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> </cluster_property_set> </crm_config> <nodes/> <resources/> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= End test: Set cluster option - OK (0) =#=#=#= * Passed: crm_attribute - Set cluster option =#=#=#= Begin test: New ACL =#=#=#= =#=#=#= Current cib after: New ACL =#=#=#= <cib epoch="4" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> </cluster_property_set> </crm_config> <nodes/> <resources/> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= End test: New ACL - OK (0) =#=#=#= * Passed: cibadmin - New ACL =#=#=#= Begin test: Another ACL =#=#=#= =#=#=#= Current cib after: Another ACL =#=#=#= <cib epoch="5" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> </cluster_property_set> </crm_config> <nodes/> <resources/> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> <acl_user id="betteridea"> <read id="betteridea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= End test: Another ACL - OK (0) =#=#=#= * Passed: cibadmin - Another ACL =#=#=#= Begin test: Updated ACL =#=#=#= =#=#=#= Current cib after: Updated ACL =#=#=#= <cib epoch="6" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> </cluster_property_set> </crm_config> <nodes/> <resources/> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> <acl_user id="betteridea"> <deny id="betteridea-nothing" xpath="/cib"/> <read id="betteridea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= End test: Updated ACL - OK (0) =#=#=#= * Passed: cibadmin - Updated ACL =#=#=#= Begin test: unknownguy: Query configuration =#=#=#= Call failed: Permission denied =#=#=#= End test: unknownguy: Query configuration - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - unknownguy: Query configuration =#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#= Error performing operation: Permission denied =#=#=#= End test: unknownguy: Set enable-acl - Insufficient privileges (4) =#=#=#= * Passed: crm_attribute - unknownguy: Set enable-acl =#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#= Error performing operation: Permission denied =#=#=#= End test: unknownguy: Set stonith-enabled - Insufficient privileges (4) =#=#=#= * Passed: crm_attribute - unknownguy: Set stonith-enabled =#=#=#= Begin test: unknownguy: Create a resource =#=#=#= pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@id] pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@class] pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@provider] pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@type] pcmk__apply_creation_acl trace: Creation of <primitive> scaffolding with id="<unset>" is implicitly allowed Call failed: Permission denied =#=#=#= End test: unknownguy: Create a resource - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - unknownguy: Create a resource =#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#= Call failed: Permission denied =#=#=#= End test: l33t-haxor: Query configuration - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - l33t-haxor: Query configuration =#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#= Error performing operation: Permission denied =#=#=#= End test: l33t-haxor: Set enable-acl - Insufficient privileges (4) =#=#=#= * Passed: crm_attribute - l33t-haxor: Set enable-acl =#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#= Error performing operation: Permission denied =#=#=#= End test: l33t-haxor: Set stonith-enabled - Insufficient privileges (4) =#=#=#= * Passed: crm_attribute - l33t-haxor: Set stonith-enabled =#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#= pcmk__check_acl trace: Parent ACL denies user 'l33t-haxor' read/write access to /cib/configuration/resources/primitive[@id='dummy'] pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy" Call failed: Permission denied =#=#=#= End test: l33t-haxor: Create a resource - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - l33t-haxor: Create a resource =#=#=#= Begin test: niceguy: Query configuration =#=#=#= <cib epoch="6" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> </cluster_property_set> </crm_config> <nodes/> <resources/> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> <acl_user id="betteridea"> <deny id="betteridea-nothing" xpath="/cib"/> <read id="betteridea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#= * Passed: cibadmin - niceguy: Query configuration =#=#=#= Begin test: niceguy: Set enable-acl =#=#=#= pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value] Error performing operation: Permission denied Error setting enable-acl=false (section=crm_config, set=<null>): Permission denied =#=#=#= End test: niceguy: Set enable-acl - Insufficient privileges (4) =#=#=#= * Passed: crm_attribute - niceguy: Set enable-acl =#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#= pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="cib-bootstrap-options-stonith-enabled" =#=#=#= Current cib after: niceguy: Set stonith-enabled =#=#=#= <cib epoch="7" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/> </cluster_property_set> </crm_config> <nodes/> <resources/> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> <acl_user id="betteridea"> <deny id="betteridea-nothing" xpath="/cib"/> <read id="betteridea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#= * Passed: crm_attribute - niceguy: Set stonith-enabled =#=#=#= Begin test: niceguy: Create a resource =#=#=#= pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy'] pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy" Call failed: Permission denied =#=#=#= End test: niceguy: Create a resource - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - niceguy: Create a resource =#=#=#= Begin test: root: Query configuration =#=#=#= <cib epoch="7" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/> </cluster_property_set> </crm_config> <nodes/> <resources/> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> <acl_user id="betteridea"> <deny id="betteridea-nothing" xpath="/cib"/> <read id="betteridea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= End test: root: Query configuration - OK (0) =#=#=#= * Passed: cibadmin - root: Query configuration =#=#=#= Begin test: root: Set stonith-enabled =#=#=#= =#=#=#= Current cib after: root: Set stonith-enabled =#=#=#= <cib epoch="8" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources/> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> <acl_user id="betteridea"> <deny id="betteridea-nothing" xpath="/cib"/> <read id="betteridea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#= * Passed: crm_attribute - root: Set stonith-enabled =#=#=#= Begin test: root: Create a resource =#=#=#= =#=#=#= Current cib after: root: Create a resource =#=#=#= <cib epoch="9" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/> </resources> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> <acl_user id="betteridea"> <deny id="betteridea-nothing" xpath="/cib"/> <read id="betteridea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= End test: root: Create a resource - OK (0) =#=#=#= * Passed: cibadmin - root: Create a resource =#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#= Error performing operation: Permission denied =#=#=#= End test: l33t-haxor: Create a resource meta attribute - Insufficient privileges (4) =#=#=#= * Passed: crm_resource - l33t-haxor: Create a resource meta attribute =#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#= Error performing operation: Permission denied =#=#=#= End test: l33t-haxor: Query a resource meta attribute - Insufficient privileges (4) =#=#=#= * Passed: crm_resource - l33t-haxor: Query a resource meta attribute =#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#= Error performing operation: Permission denied =#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Insufficient privileges (4) =#=#=#= * Passed: crm_resource - l33t-haxor: Remove a resource meta attribute =#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#= unpack_resources error: Resource start-up disabled since no STONITH resources have been defined unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity pcmk__apply_creation_acl trace: Creation of <meta_attributes> scaffolding with id="dummy-meta_attributes" is implicitly allowed pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role" Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Stopped =#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#= <cib epoch="10" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/> </meta_attributes> </primitive> </resources> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> <acl_user id="betteridea"> <deny id="betteridea-nothing" xpath="/cib"/> <read id="betteridea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#= * Passed: crm_resource - niceguy: Create a resource meta attribute =#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#= unpack_resources error: Resource start-up disabled since no STONITH resources have been defined unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity Stopped =#=#=#= Current cib after: niceguy: Query a resource meta attribute =#=#=#= <cib epoch="10" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/> </meta_attributes> </primitive> </resources> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> <acl_user id="betteridea"> <deny id="betteridea-nothing" xpath="/cib"/> <read id="betteridea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#= * Passed: crm_resource - niceguy: Query a resource meta attribute =#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#= unpack_resources error: Resource start-up disabled since no STONITH resources have been defined unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role =#=#=#= Current cib after: niceguy: Remove a resource meta attribute =#=#=#= <cib epoch="11" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> <meta_attributes id="dummy-meta_attributes"/> </primitive> </resources> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> <acl_user id="betteridea"> <deny id="betteridea-nothing" xpath="/cib"/> <read id="betteridea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#= * Passed: crm_resource - niceguy: Remove a resource meta attribute =#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#= unpack_resources error: Resource start-up disabled since no STONITH resources have been defined unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role" Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Started =#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#= <cib epoch="12" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> </resources> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> <acl_user id="betteridea"> <deny id="betteridea-nothing" xpath="/cib"/> <read id="betteridea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#= * Passed: crm_resource - niceguy: Create a resource meta attribute =#=#=#= Begin test: badidea: Query configuration - implied deny =#=#=#= <cib> <configuration> <resources> <primitive id="dummy"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> </resources> </configuration> </cib> =#=#=#= End test: badidea: Query configuration - implied deny - OK (0) =#=#=#= * Passed: cibadmin - badidea: Query configuration - implied deny =#=#=#= Begin test: betteridea: Query configuration - explicit deny =#=#=#= <cib> <configuration> <resources> <primitive id="dummy"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> </resources> </configuration> </cib> =#=#=#= End test: betteridea: Query configuration - explicit deny - OK (0) =#=#=#= * Passed: cibadmin - betteridea: Query configuration - explicit deny <cib epoch="13" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> </resources> <constraints/> </configuration> <status/> </cib> =#=#=#= Begin test: niceguy: Replace - remove acls =#=#=#= pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch] pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/acls Call failed: Permission denied =#=#=#= End test: niceguy: Replace - remove acls - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - niceguy: Replace - remove acls <cib epoch="13" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/> </resources> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> <acl_user id="betteridea"> <deny id="betteridea-nothing" xpath="/cib"/> <read id="betteridea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= Begin test: niceguy: Replace - create resource =#=#=#= pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch] pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy2'] pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy2" Call failed: Permission denied =#=#=#= End test: niceguy: Replace - create resource - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - niceguy: Replace - create resource <cib epoch="13" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="false"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> </resources> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> <acl_user id="betteridea"> <deny id="betteridea-nothing" xpath="/cib"/> <read id="betteridea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#= pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch] pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value] Call failed: Permission denied =#=#=#= End test: niceguy: Replace - modify attribute (deny) - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - niceguy: Replace - modify attribute (deny) <cib epoch="13" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> </resources> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> <acl_user id="betteridea"> <deny id="betteridea-nothing" xpath="/cib"/> <read id="betteridea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#= pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch] pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'] Call failed: Permission denied =#=#=#= End test: niceguy: Replace - delete attribute (deny) - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - niceguy: Replace - delete attribute (deny) <cib epoch="13" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> </resources> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> <acl_user id="betteridea"> <deny id="betteridea-nothing" xpath="/cib"/> <read id="betteridea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#= pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch] pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description] Call failed: Permission denied =#=#=#= End test: niceguy: Replace - create attribute (deny) - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - niceguy: Replace - create attribute (deny) <cib epoch="13" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> </resources> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> <acl_user id="betteridea"> <deny id="betteridea-nothing" xpath="/cib"/> <read id="betteridea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= Begin test: bob: Replace - create attribute (allow) =#=#=#= =#=#=#= End test: bob: Replace - create attribute (allow) - OK (0) =#=#=#= * Passed: cibadmin - bob: Replace - create attribute (allow) <cib epoch="14" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> </resources> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> <acl_user id="betteridea"> <deny id="betteridea-nothing" xpath="/cib"/> <read id="betteridea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= Begin test: bob: Replace - modify attribute (allow) =#=#=#= =#=#=#= End test: bob: Replace - modify attribute (allow) - OK (0) =#=#=#= * Passed: cibadmin - bob: Replace - modify attribute (allow) <cib epoch="15" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/> </resources> <constraints/> <acls> <acl_user id="l33t-haxor"> <deny id="crook-nothing" xpath="/cib"/> </acl_user> <acl_user id="niceguy"> <role_ref id="observer"/> </acl_user> <acl_user id="bob"> <role_ref id="admin"/> </acl_user> <acl_role id="observer"> <read id="observer-read-1" xpath="/cib"/> <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <read id="admin-read-1" xpath="/cib"/> <write id="admin-write-1" xpath="//resources"/> </acl_role> <acl_user id="badidea"> <read id="badidea-resources" xpath="//meta_attributes"/> </acl_user> <acl_user id="betteridea"> <deny id="betteridea-nothing" xpath="/cib"/> <read id="betteridea-resources" xpath="//meta_attributes"/> </acl_user> </acls> </configuration> <status/> </cib> =#=#=#= Begin test: bob: Replace - delete attribute (allow) =#=#=#= =#=#=#= End test: bob: Replace - delete attribute (allow) - OK (0) =#=#=#= * Passed: cibadmin - bob: Replace - delete attribute (allow) !#!#!#!#! Upgrading to latest CIB schema and re-testing !#!#!#!#! =#=#=#= Begin test: root: Upgrade to latest CIB schema =#=#=#= pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="observer-read-1" pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="observer-write-1" pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="observer-write-2" pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="admin-read-1" pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="admin-write-1" pcmk__apply_creation_acl trace: ACLs allow creation of <acl_target> with id="l33t-haxor" pcmk__apply_creation_acl trace: ACLs allow creation of <role> with id="auto-l33t-haxor" pcmk__apply_creation_acl trace: ACLs allow creation of <acl_role> with id="auto-l33t-haxor" pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="crook-nothing" pcmk__apply_creation_acl trace: ACLs allow creation of <acl_target> with id="niceguy" pcmk__apply_creation_acl trace: ACLs allow creation of <role> with id="observer" pcmk__apply_creation_acl trace: ACLs allow creation of <acl_target> with id="bob" pcmk__apply_creation_acl trace: ACLs allow creation of <role> with id="admin" pcmk__apply_creation_acl trace: ACLs allow creation of <acl_target> with id="badidea" pcmk__apply_creation_acl trace: ACLs allow creation of <role> with id="auto-badidea" pcmk__apply_creation_acl trace: ACLs allow creation of <acl_role> with id="auto-badidea" pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="badidea-resources" pcmk__apply_creation_acl trace: ACLs allow creation of <acl_target> with id="betteridea" pcmk__apply_creation_acl trace: ACLs allow creation of <role> with id="auto-betteridea" pcmk__apply_creation_acl trace: ACLs allow creation of <acl_role> with id="auto-betteridea" pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="betteridea-nothing" pcmk__apply_creation_acl trace: ACLs allow creation of <acl_permission> with id="betteridea-resources" =#=#=#= Current cib after: root: Upgrade to latest CIB schema =#=#=#= <cib epoch="2" num_updates="0" admin_epoch="1"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/> </resources> <constraints/> <acls> <acl_target id="l33t-haxor"> <role id="auto-l33t-haxor"/> </acl_target> <acl_role id="auto-l33t-haxor"> <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> </acl_role> <acl_target id="niceguy"> <role id="observer"/> </acl_target> <acl_target id="bob"> <role id="admin"/> </acl_target> <acl_role id="observer"> <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> </acl_role> <acl_target id="badidea"> <role id="auto-badidea"/> </acl_target> <acl_role id="auto-badidea"> <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> <acl_target id="betteridea"> <role id="auto-betteridea"/> </acl_target> <acl_role id="auto-betteridea"> <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= End test: root: Upgrade to latest CIB schema - OK (0) =#=#=#= * Passed: cibadmin - root: Upgrade to latest CIB schema =#=#=#= Begin test: unknownguy: Query configuration =#=#=#= Call failed: Permission denied =#=#=#= End test: unknownguy: Query configuration - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - unknownguy: Query configuration =#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#= Error performing operation: Permission denied =#=#=#= End test: unknownguy: Set enable-acl - Insufficient privileges (4) =#=#=#= * Passed: crm_attribute - unknownguy: Set enable-acl =#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#= Error performing operation: Permission denied =#=#=#= End test: unknownguy: Set stonith-enabled - Insufficient privileges (4) =#=#=#= * Passed: crm_attribute - unknownguy: Set stonith-enabled =#=#=#= Begin test: unknownguy: Create a resource =#=#=#= pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@id] pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@class] pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@provider] pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@type] pcmk__apply_creation_acl trace: Creation of <primitive> scaffolding with id="<unset>" is implicitly allowed Call failed: Permission denied =#=#=#= End test: unknownguy: Create a resource - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - unknownguy: Create a resource =#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#= Call failed: Permission denied =#=#=#= End test: l33t-haxor: Query configuration - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - l33t-haxor: Query configuration =#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#= Error performing operation: Permission denied =#=#=#= End test: l33t-haxor: Set enable-acl - Insufficient privileges (4) =#=#=#= * Passed: crm_attribute - l33t-haxor: Set enable-acl =#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#= Error performing operation: Permission denied =#=#=#= End test: l33t-haxor: Set stonith-enabled - Insufficient privileges (4) =#=#=#= * Passed: crm_attribute - l33t-haxor: Set stonith-enabled =#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#= pcmk__check_acl trace: Parent ACL denies user 'l33t-haxor' read/write access to /cib/configuration/resources/primitive[@id='dummy'] pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy" Call failed: Permission denied =#=#=#= End test: l33t-haxor: Create a resource - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - l33t-haxor: Create a resource =#=#=#= Begin test: niceguy: Query configuration =#=#=#= <cib epoch="7" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources/> <constraints/> <acls> <acl_target id="l33t-haxor"> <role id="auto-l33t-haxor"/> </acl_target> <acl_role id="auto-l33t-haxor"> <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> </acl_role> <acl_target id="niceguy"> <role id="observer"/> </acl_target> <acl_target id="bob"> <role id="admin"/> </acl_target> <acl_role id="observer"> <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> </acl_role> <acl_target id="badidea"> <role id="auto-badidea"/> </acl_target> <acl_role id="auto-badidea"> <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> <acl_target id="betteridea"> <role id="auto-betteridea"/> </acl_target> <acl_role id="auto-betteridea"> <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#= * Passed: cibadmin - niceguy: Query configuration =#=#=#= Begin test: niceguy: Set enable-acl =#=#=#= pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value] Error performing operation: Permission denied Error setting enable-acl=false (section=crm_config, set=<null>): Permission denied =#=#=#= End test: niceguy: Set enable-acl - Insufficient privileges (4) =#=#=#= * Passed: crm_attribute - niceguy: Set enable-acl =#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#= =#=#=#= Current cib after: niceguy: Set stonith-enabled =#=#=#= <cib epoch="8" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/> </cluster_property_set> </crm_config> <nodes/> <resources/> <constraints/> <acls> <acl_target id="l33t-haxor"> <role id="auto-l33t-haxor"/> </acl_target> <acl_role id="auto-l33t-haxor"> <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> </acl_role> <acl_target id="niceguy"> <role id="observer"/> </acl_target> <acl_target id="bob"> <role id="admin"/> </acl_target> <acl_role id="observer"> <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> </acl_role> <acl_target id="badidea"> <role id="auto-badidea"/> </acl_target> <acl_role id="auto-badidea"> <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> <acl_target id="betteridea"> <role id="auto-betteridea"/> </acl_target> <acl_role id="auto-betteridea"> <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#= * Passed: crm_attribute - niceguy: Set stonith-enabled =#=#=#= Begin test: niceguy: Create a resource =#=#=#= pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy'] pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy" Call failed: Permission denied =#=#=#= End test: niceguy: Create a resource - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - niceguy: Create a resource =#=#=#= Begin test: root: Query configuration =#=#=#= <cib epoch="8" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/> </cluster_property_set> </crm_config> <nodes/> <resources/> <constraints/> <acls> <acl_target id="l33t-haxor"> <role id="auto-l33t-haxor"/> </acl_target> <acl_role id="auto-l33t-haxor"> <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> </acl_role> <acl_target id="niceguy"> <role id="observer"/> </acl_target> <acl_target id="bob"> <role id="admin"/> </acl_target> <acl_role id="observer"> <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> </acl_role> <acl_target id="badidea"> <role id="auto-badidea"/> </acl_target> <acl_role id="auto-badidea"> <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> <acl_target id="betteridea"> <role id="auto-betteridea"/> </acl_target> <acl_role id="auto-betteridea"> <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= End test: root: Query configuration - OK (0) =#=#=#= * Passed: cibadmin - root: Query configuration =#=#=#= Begin test: root: Set stonith-enabled =#=#=#= =#=#=#= Current cib after: root: Set stonith-enabled =#=#=#= <cib epoch="9" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources/> <constraints/> <acls> <acl_target id="l33t-haxor"> <role id="auto-l33t-haxor"/> </acl_target> <acl_role id="auto-l33t-haxor"> <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> </acl_role> <acl_target id="niceguy"> <role id="observer"/> </acl_target> <acl_target id="bob"> <role id="admin"/> </acl_target> <acl_role id="observer"> <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> </acl_role> <acl_target id="badidea"> <role id="auto-badidea"/> </acl_target> <acl_role id="auto-badidea"> <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> <acl_target id="betteridea"> <role id="auto-betteridea"/> </acl_target> <acl_role id="auto-betteridea"> <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#= * Passed: crm_attribute - root: Set stonith-enabled =#=#=#= Begin test: root: Create a resource =#=#=#= =#=#=#= Current cib after: root: Create a resource =#=#=#= <cib epoch="10" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/> </resources> <constraints/> <acls> <acl_target id="l33t-haxor"> <role id="auto-l33t-haxor"/> </acl_target> <acl_role id="auto-l33t-haxor"> <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> </acl_role> <acl_target id="niceguy"> <role id="observer"/> </acl_target> <acl_target id="bob"> <role id="admin"/> </acl_target> <acl_role id="observer"> <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> </acl_role> <acl_target id="badidea"> <role id="auto-badidea"/> </acl_target> <acl_role id="auto-badidea"> <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> <acl_target id="betteridea"> <role id="auto-betteridea"/> </acl_target> <acl_role id="auto-betteridea"> <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= End test: root: Create a resource - OK (0) =#=#=#= * Passed: cibadmin - root: Create a resource =#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#= Error performing operation: Permission denied =#=#=#= End test: l33t-haxor: Create a resource meta attribute - Insufficient privileges (4) =#=#=#= * Passed: crm_resource - l33t-haxor: Create a resource meta attribute =#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#= Error performing operation: Permission denied =#=#=#= End test: l33t-haxor: Query a resource meta attribute - Insufficient privileges (4) =#=#=#= * Passed: crm_resource - l33t-haxor: Query a resource meta attribute =#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#= Error performing operation: Permission denied =#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Insufficient privileges (4) =#=#=#= * Passed: crm_resource - l33t-haxor: Remove a resource meta attribute =#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#= unpack_resources error: Resource start-up disabled since no STONITH resources have been defined unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity pcmk__apply_creation_acl trace: Creation of <meta_attributes> scaffolding with id="dummy-meta_attributes" is implicitly allowed pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role" Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Stopped =#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#= <cib epoch="11" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/> </meta_attributes> </primitive> </resources> <constraints/> <acls> <acl_target id="l33t-haxor"> <role id="auto-l33t-haxor"/> </acl_target> <acl_role id="auto-l33t-haxor"> <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> </acl_role> <acl_target id="niceguy"> <role id="observer"/> </acl_target> <acl_target id="bob"> <role id="admin"/> </acl_target> <acl_role id="observer"> <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> </acl_role> <acl_target id="badidea"> <role id="auto-badidea"/> </acl_target> <acl_role id="auto-badidea"> <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> <acl_target id="betteridea"> <role id="auto-betteridea"/> </acl_target> <acl_role id="auto-betteridea"> <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#= * Passed: crm_resource - niceguy: Create a resource meta attribute =#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#= unpack_resources error: Resource start-up disabled since no STONITH resources have been defined unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity Stopped =#=#=#= Current cib after: niceguy: Query a resource meta attribute =#=#=#= <cib epoch="11" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/> </meta_attributes> </primitive> </resources> <constraints/> <acls> <acl_target id="l33t-haxor"> <role id="auto-l33t-haxor"/> </acl_target> <acl_role id="auto-l33t-haxor"> <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> </acl_role> <acl_target id="niceguy"> <role id="observer"/> </acl_target> <acl_target id="bob"> <role id="admin"/> </acl_target> <acl_role id="observer"> <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> </acl_role> <acl_target id="badidea"> <role id="auto-badidea"/> </acl_target> <acl_role id="auto-badidea"> <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> <acl_target id="betteridea"> <role id="auto-betteridea"/> </acl_target> <acl_role id="auto-betteridea"> <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#= * Passed: crm_resource - niceguy: Query a resource meta attribute =#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#= unpack_resources error: Resource start-up disabled since no STONITH resources have been defined unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role =#=#=#= Current cib after: niceguy: Remove a resource meta attribute =#=#=#= <cib epoch="12" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> <meta_attributes id="dummy-meta_attributes"/> </primitive> </resources> <constraints/> <acls> <acl_target id="l33t-haxor"> <role id="auto-l33t-haxor"/> </acl_target> <acl_role id="auto-l33t-haxor"> <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> </acl_role> <acl_target id="niceguy"> <role id="observer"/> </acl_target> <acl_target id="bob"> <role id="admin"/> </acl_target> <acl_role id="observer"> <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> </acl_role> <acl_target id="badidea"> <role id="auto-badidea"/> </acl_target> <acl_role id="auto-badidea"> <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> <acl_target id="betteridea"> <role id="auto-betteridea"/> </acl_target> <acl_role id="auto-betteridea"> <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#= * Passed: crm_resource - niceguy: Remove a resource meta attribute =#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#= unpack_resources error: Resource start-up disabled since no STONITH resources have been defined unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role" Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Started =#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#= <cib epoch="13" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> </resources> <constraints/> <acls> <acl_target id="l33t-haxor"> <role id="auto-l33t-haxor"/> </acl_target> <acl_role id="auto-l33t-haxor"> <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> </acl_role> <acl_target id="niceguy"> <role id="observer"/> </acl_target> <acl_target id="bob"> <role id="admin"/> </acl_target> <acl_role id="observer"> <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> </acl_role> <acl_target id="badidea"> <role id="auto-badidea"/> </acl_target> <acl_role id="auto-badidea"> <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> <acl_target id="betteridea"> <role id="auto-betteridea"/> </acl_target> <acl_role id="auto-betteridea"> <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#= * Passed: crm_resource - niceguy: Create a resource meta attribute =#=#=#= Begin test: badidea: Query configuration - implied deny =#=#=#= <cib> <configuration> <resources> <primitive id="dummy"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> </resources> </configuration> </cib> =#=#=#= End test: badidea: Query configuration - implied deny - OK (0) =#=#=#= * Passed: cibadmin - badidea: Query configuration - implied deny =#=#=#= Begin test: betteridea: Query configuration - explicit deny =#=#=#= <cib> <configuration> <resources> <primitive id="dummy"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> </resources> </configuration> </cib> =#=#=#= End test: betteridea: Query configuration - explicit deny - OK (0) =#=#=#= * Passed: cibadmin - betteridea: Query configuration - explicit deny <cib epoch="14" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> </resources> <constraints/> </configuration> <status/> </cib> =#=#=#= Begin test: niceguy: Replace - remove acls =#=#=#= pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch] pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/acls Call failed: Permission denied =#=#=#= End test: niceguy: Replace - remove acls - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - niceguy: Replace - remove acls <cib epoch="14" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/> </resources> <constraints/> <acls> <acl_target id="l33t-haxor"> <role id="auto-l33t-haxor"/> </acl_target> <acl_role id="auto-l33t-haxor"> <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> </acl_role> <acl_target id="niceguy"> <role id="observer"/> </acl_target> <acl_target id="bob"> <role id="admin"/> </acl_target> <acl_role id="observer"> <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> </acl_role> <acl_target id="badidea"> <role id="auto-badidea"/> </acl_target> <acl_role id="auto-badidea"> <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> <acl_target id="betteridea"> <role id="auto-betteridea"/> </acl_target> <acl_role id="auto-betteridea"> <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= Begin test: niceguy: Replace - create resource =#=#=#= pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch] pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy2'] pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy2" Call failed: Permission denied =#=#=#= End test: niceguy: Replace - create resource - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - niceguy: Replace - create resource <cib epoch="14" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="false"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> </resources> <constraints/> <acls> <acl_target id="l33t-haxor"> <role id="auto-l33t-haxor"/> </acl_target> <acl_role id="auto-l33t-haxor"> <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> </acl_role> <acl_target id="niceguy"> <role id="observer"/> </acl_target> <acl_target id="bob"> <role id="admin"/> </acl_target> <acl_role id="observer"> <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> </acl_role> <acl_target id="badidea"> <role id="auto-badidea"/> </acl_target> <acl_role id="auto-badidea"> <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> <acl_target id="betteridea"> <role id="auto-betteridea"/> </acl_target> <acl_role id="auto-betteridea"> <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#= pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch] pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value] Call failed: Permission denied =#=#=#= End test: niceguy: Replace - modify attribute (deny) - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - niceguy: Replace - modify attribute (deny) <cib epoch="14" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> </resources> <constraints/> <acls> <acl_target id="l33t-haxor"> <role id="auto-l33t-haxor"/> </acl_target> <acl_role id="auto-l33t-haxor"> <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> </acl_role> <acl_target id="niceguy"> <role id="observer"/> </acl_target> <acl_target id="bob"> <role id="admin"/> </acl_target> <acl_role id="observer"> <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> </acl_role> <acl_target id="badidea"> <role id="auto-badidea"/> </acl_target> <acl_role id="auto-badidea"> <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> <acl_target id="betteridea"> <role id="auto-betteridea"/> </acl_target> <acl_role id="auto-betteridea"> <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#= pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch] pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'] Call failed: Permission denied =#=#=#= End test: niceguy: Replace - delete attribute (deny) - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - niceguy: Replace - delete attribute (deny) <cib epoch="14" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> </resources> <constraints/> <acls> <acl_target id="l33t-haxor"> <role id="auto-l33t-haxor"/> </acl_target> <acl_role id="auto-l33t-haxor"> <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> </acl_role> <acl_target id="niceguy"> <role id="observer"/> </acl_target> <acl_target id="bob"> <role id="admin"/> </acl_target> <acl_role id="observer"> <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> </acl_role> <acl_target id="badidea"> <role id="auto-badidea"/> </acl_target> <acl_role id="auto-badidea"> <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> <acl_target id="betteridea"> <role id="auto-betteridea"/> </acl_target> <acl_role id="auto-betteridea"> <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#= pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch] pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description] Call failed: Permission denied =#=#=#= End test: niceguy: Replace - create attribute (deny) - Insufficient privileges (4) =#=#=#= * Passed: cibadmin - niceguy: Replace - create attribute (deny) <cib epoch="14" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> </resources> <constraints/> <acls> <acl_target id="l33t-haxor"> <role id="auto-l33t-haxor"/> </acl_target> <acl_role id="auto-l33t-haxor"> <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> </acl_role> <acl_target id="niceguy"> <role id="observer"/> </acl_target> <acl_target id="bob"> <role id="admin"/> </acl_target> <acl_role id="observer"> <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> </acl_role> <acl_target id="badidea"> <role id="auto-badidea"/> </acl_target> <acl_role id="auto-badidea"> <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> <acl_target id="betteridea"> <role id="auto-betteridea"/> </acl_target> <acl_role id="auto-betteridea"> <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= Begin test: bob: Replace - create attribute (allow) =#=#=#= =#=#=#= End test: bob: Replace - create attribute (allow) - OK (0) =#=#=#= * Passed: cibadmin - bob: Replace - create attribute (allow) <cib epoch="15" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"> <meta_attributes id="dummy-meta_attributes"> <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> </meta_attributes> </primitive> </resources> <constraints/> <acls> <acl_target id="l33t-haxor"> <role id="auto-l33t-haxor"/> </acl_target> <acl_role id="auto-l33t-haxor"> <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> </acl_role> <acl_target id="niceguy"> <role id="observer"/> </acl_target> <acl_target id="bob"> <role id="admin"/> </acl_target> <acl_role id="observer"> <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> </acl_role> <acl_target id="badidea"> <role id="auto-badidea"/> </acl_target> <acl_role id="auto-badidea"> <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> <acl_target id="betteridea"> <role id="auto-betteridea"/> </acl_target> <acl_role id="auto-betteridea"> <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= Begin test: bob: Replace - modify attribute (allow) =#=#=#= =#=#=#= End test: bob: Replace - modify attribute (allow) - OK (0) =#=#=#= * Passed: cibadmin - bob: Replace - modify attribute (allow) <cib epoch="16" num_updates="0" admin_epoch="0"> <configuration> <crm_config> <cluster_property_set id="cib-bootstrap-options"> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> </cluster_property_set> </crm_config> <nodes/> <resources> <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/> </resources> <constraints/> <acls> <acl_target id="l33t-haxor"> <role id="auto-l33t-haxor"/> </acl_target> <acl_role id="auto-l33t-haxor"> <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> </acl_role> <acl_target id="niceguy"> <role id="observer"/> </acl_target> <acl_target id="bob"> <role id="admin"/> </acl_target> <acl_role id="observer"> <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> </acl_role> <acl_role id="admin"> <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> </acl_role> <acl_target id="badidea"> <role id="auto-badidea"/> </acl_target> <acl_role id="auto-badidea"> <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> <acl_target id="betteridea"> <role id="auto-betteridea"/> </acl_target> <acl_role id="auto-betteridea"> <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> </acl_role> </acls> </configuration> <status/> </cib> =#=#=#= Begin test: bob: Replace - delete attribute (allow) =#=#=#= =#=#=#= End test: bob: Replace - delete attribute (allow) - OK (0) =#=#=#= * Passed: cibadmin - bob: Replace - delete attribute (allow)