| Created new pacemaker configuration |
| Setting up shadow instance |
| A new shadow instance was created. To begin using it paste the following into your shell: |
| CIB_shadow=tools-regression ; export CIB_shadow |
| =#=#=#= Begin test: Configure some ACLs =#=#=#= |
| =#=#=#= Current cib after: Configure some ACLs =#=#=#= |
| <cib epoch="1" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config/> |
| <nodes/> |
| <resources/> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: Configure some ACLs - OK (0) =#=#=#= |
| * Passed: cibadmin - Configure some ACLs |
| =#=#=#= Begin test: Enable ACLs =#=#=#= |
| =#=#=#= Current cib after: Enable ACLs =#=#=#= |
| <cib epoch="2" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources/> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: Enable ACLs - OK (0) =#=#=#= |
| * Passed: crm_attribute - Enable ACLs |
| =#=#=#= Begin test: Set cluster option =#=#=#= |
| =#=#=#= Current cib after: Set cluster option =#=#=#= |
| <cib epoch="3" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources/> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: Set cluster option - OK (0) =#=#=#= |
| * Passed: crm_attribute - Set cluster option |
| =#=#=#= Begin test: New ACL =#=#=#= |
| =#=#=#= Current cib after: New ACL =#=#=#= |
| <cib epoch="4" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources/> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: New ACL - OK (0) =#=#=#= |
| * Passed: cibadmin - New ACL |
| =#=#=#= Begin test: Another ACL =#=#=#= |
| =#=#=#= Current cib after: Another ACL =#=#=#= |
| <cib epoch="5" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources/> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| <acl_user id="betteridea"> |
| <read id="betteridea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: Another ACL - OK (0) =#=#=#= |
| * Passed: cibadmin - Another ACL |
| =#=#=#= Begin test: Updated ACL =#=#=#= |
| =#=#=#= Current cib after: Updated ACL =#=#=#= |
| <cib epoch="6" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources/> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| <acl_user id="betteridea"> |
| <deny id="betteridea-nothing" xpath="/cib"/> |
| <read id="betteridea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: Updated ACL - OK (0) =#=#=#= |
| * Passed: cibadmin - Updated ACL |
| =#=#=#= Begin test: unknownguy: Query configuration =#=#=#= |
| Call failed: Permission denied |
| =#=#=#= End test: unknownguy: Query configuration - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - unknownguy: Query configuration |
| =#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#= |
| Error performing operation: Permission denied |
| =#=#=#= End test: unknownguy: Set enable-acl - Permission denied (13) =#=#=#= |
| * Passed: crm_attribute - unknownguy: Set enable-acl |
| =#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#= |
| Error performing operation: Permission denied |
| =#=#=#= End test: unknownguy: Set stonith-enabled - Permission denied (13) =#=#=#= |
| * Passed: crm_attribute - unknownguy: Set stonith-enabled |
| =#=#=#= Begin test: unknownguy: Create a resource =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__check_acl: Ordinary user unknownguy cannot access the CIB without any defined ACLs |
| ( acl.c:NNN ) trace: pcmk__check_acl: Ordinary user unknownguy cannot access the CIB without any defined ACLs |
| ( acl.c:NNN ) trace: pcmk__check_acl: Ordinary user unknownguy cannot access the CIB without any defined ACLs |
| ( acl.c:NNN ) trace: pcmk__check_acl: Ordinary user unknownguy cannot access the CIB without any defined ACLs |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of <primitive> scaffolding with id="<unset>" is implicitly allowed |
| Call failed: Permission denied |
| =#=#=#= End test: unknownguy: Create a resource - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - unknownguy: Create a resource |
| =#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#= |
| Call failed: Permission denied |
| =#=#=#= End test: l33t-haxor: Query configuration - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - l33t-haxor: Query configuration |
| =#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#= |
| Error performing operation: Permission denied |
| =#=#=#= End test: l33t-haxor: Set enable-acl - Permission denied (13) =#=#=#= |
| * Passed: crm_attribute - l33t-haxor: Set enable-acl |
| =#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#= |
| Error performing operation: Permission denied |
| =#=#=#= End test: l33t-haxor: Set stonith-enabled - Permission denied (13) =#=#=#= |
| * Passed: crm_attribute - l33t-haxor: Set stonith-enabled |
| =#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/resources/primitive[@id='dummy']: parent |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs disallow creation of <primitive> with id="dummy" |
| Call failed: Permission denied |
| =#=#=#= End test: l33t-haxor: Create a resource - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - l33t-haxor: Create a resource |
| =#=#=#= Begin test: niceguy: Query configuration =#=#=#= |
| <cib epoch="6" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources/> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| <acl_user id="betteridea"> |
| <deny id="betteridea-nothing" xpath="/cib"/> |
| <read id="betteridea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#= |
| * Passed: cibadmin - niceguy: Query configuration |
| =#=#=#= Begin test: niceguy: Set enable-acl =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]: default |
| Error performing operation: Permission denied |
| Error setting enable-acl=false (section=crm_config, set=<null>): Permission denied |
| =#=#=#= End test: niceguy: Set enable-acl - Permission denied (13) =#=#=#= |
| * Passed: crm_attribute - niceguy: Set enable-acl |
| =#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <nvpair> with id="cib-bootstrap-options-stonith-enabled" |
| =#=#=#= Current cib after: niceguy: Set stonith-enabled =#=#=#= |
| <cib epoch="7" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources/> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| <acl_user id="betteridea"> |
| <deny id="betteridea-nothing" xpath="/cib"/> |
| <read id="betteridea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#= |
| * Passed: crm_attribute - niceguy: Set stonith-enabled |
| =#=#=#= Begin test: niceguy: Create a resource =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/resources/primitive[@id='dummy']: default |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs disallow creation of <primitive> with id="dummy" |
| Call failed: Permission denied |
| =#=#=#= End test: niceguy: Create a resource - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - niceguy: Create a resource |
| =#=#=#= Begin test: root: Query configuration =#=#=#= |
| <cib epoch="7" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources/> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| <acl_user id="betteridea"> |
| <deny id="betteridea-nothing" xpath="/cib"/> |
| <read id="betteridea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: root: Query configuration - OK (0) =#=#=#= |
| * Passed: cibadmin - root: Query configuration |
| =#=#=#= Begin test: root: Set stonith-enabled =#=#=#= |
| =#=#=#= Current cib after: root: Set stonith-enabled =#=#=#= |
| <cib epoch="8" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources/> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| <acl_user id="betteridea"> |
| <deny id="betteridea-nothing" xpath="/cib"/> |
| <read id="betteridea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#= |
| * Passed: crm_attribute - root: Set stonith-enabled |
| =#=#=#= Begin test: root: Create a resource =#=#=#= |
| =#=#=#= Current cib after: root: Create a resource =#=#=#= |
| <cib epoch="9" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| <acl_user id="betteridea"> |
| <deny id="betteridea-nothing" xpath="/cib"/> |
| <read id="betteridea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: root: Create a resource - OK (0) =#=#=#= |
| * Passed: cibadmin - root: Create a resource |
| =#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#= |
| Error performing operation: Permission denied |
| =#=#=#= End test: l33t-haxor: Create a resource meta attribute - Permission denied (13) =#=#=#= |
| * Passed: crm_resource - l33t-haxor: Create a resource meta attribute |
| =#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#= |
| Error performing operation: Permission denied |
| =#=#=#= End test: l33t-haxor: Query a resource meta attribute - Permission denied (13) =#=#=#= |
| * Passed: crm_resource - l33t-haxor: Query a resource meta attribute |
| =#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#= |
| Error performing operation: Permission denied |
| =#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Permission denied (13) =#=#=#= |
| * Passed: crm_resource - l33t-haxor: Remove a resource meta attribute |
| =#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#= |
| error: unpack_resources: Resource start-up disabled since no STONITH resources have been defined |
| error: unpack_resources: Either configure some or disable STONITH with the stonith-enabled option |
| error: unpack_resources: NOTE: Clusters with shared data need STONITH to ensure data integrity |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of <meta_attributes> scaffolding with id="dummy-meta_attributes" is implicitly allowed |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role" |
| |
| Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role=Stopped |
| =#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#= |
| <cib epoch="10" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| <acl_user id="betteridea"> |
| <deny id="betteridea-nothing" xpath="/cib"/> |
| <read id="betteridea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#= |
| * Passed: crm_resource - niceguy: Create a resource meta attribute |
| =#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#= |
| error: unpack_resources: Resource start-up disabled since no STONITH resources have been defined |
| error: unpack_resources: Either configure some or disable STONITH with the stonith-enabled option |
| error: unpack_resources: NOTE: Clusters with shared data need STONITH to ensure data integrity |
| Stopped |
| =#=#=#= Current cib after: niceguy: Query a resource meta attribute =#=#=#= |
| <cib epoch="10" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| <acl_user id="betteridea"> |
| <deny id="betteridea-nothing" xpath="/cib"/> |
| <read id="betteridea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#= |
| * Passed: crm_resource - niceguy: Query a resource meta attribute |
| =#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#= |
| error: unpack_resources: Resource start-up disabled since no STONITH resources have been defined |
| error: unpack_resources: Either configure some or disable STONITH with the stonith-enabled option |
| error: unpack_resources: NOTE: Clusters with shared data need STONITH to ensure data integrity |
| Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role |
| =#=#=#= Current cib after: niceguy: Remove a resource meta attribute =#=#=#= |
| <cib epoch="11" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> |
| <meta_attributes id="dummy-meta_attributes"/> |
| </primitive> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| <acl_user id="betteridea"> |
| <deny id="betteridea-nothing" xpath="/cib"/> |
| <read id="betteridea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#= |
| * Passed: crm_resource - niceguy: Remove a resource meta attribute |
| =#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#= |
| error: unpack_resources: Resource start-up disabled since no STONITH resources have been defined |
| error: unpack_resources: Either configure some or disable STONITH with the stonith-enabled option |
| error: unpack_resources: NOTE: Clusters with shared data need STONITH to ensure data integrity |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role" |
| |
| Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role=Started |
| =#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#= |
| <cib epoch="12" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| <acl_user id="betteridea"> |
| <deny id="betteridea-nothing" xpath="/cib"/> |
| <read id="betteridea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#= |
| * Passed: crm_resource - niceguy: Create a resource meta attribute |
| =#=#=#= Begin test: badidea: Query configuration - implied deny =#=#=#= |
| <cib> |
| <configuration> |
| <resources> |
| <primitive id="dummy"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| </configuration> |
| </cib> |
| =#=#=#= End test: badidea: Query configuration - implied deny - OK (0) =#=#=#= |
| * Passed: cibadmin - badidea: Query configuration - implied deny |
| =#=#=#= Begin test: betteridea: Query configuration - explicit deny =#=#=#= |
| <cib> |
| <configuration> |
| <resources> |
| <primitive id="dummy"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| </configuration> |
| </cib> |
| =#=#=#= End test: betteridea: Query configuration - explicit deny - OK (0) =#=#=#= |
| * Passed: cibadmin - betteridea: Query configuration - explicit deny |
| <cib epoch="13" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| <constraints/> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= Begin test: niceguy: Replace - remove acls =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/acls: default |
| Call failed: Permission denied |
| =#=#=#= End test: niceguy: Replace - remove acls - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - niceguy: Replace - remove acls |
| <cib epoch="13" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| <acl_user id="betteridea"> |
| <deny id="betteridea-nothing" xpath="/cib"/> |
| <read id="betteridea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= Begin test: niceguy: Replace - create resource =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/resources/primitive[@id='dummy2']: default |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs disallow creation of <primitive> with id="dummy2" |
| Call failed: Permission denied |
| =#=#=#= End test: niceguy: Replace - create resource - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - niceguy: Replace - create resource |
| <cib epoch="13" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="false"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| <acl_user id="betteridea"> |
| <deny id="betteridea-nothing" xpath="/cib"/> |
| <read id="betteridea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]: default |
| Call failed: Permission denied |
| =#=#=#= End test: niceguy: Replace - modify attribute (deny) - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - niceguy: Replace - modify attribute (deny) |
| <cib epoch="13" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| <acl_user id="betteridea"> |
| <deny id="betteridea-nothing" xpath="/cib"/> |
| <read id="betteridea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']: default |
| Call failed: Permission denied |
| =#=#=#= End test: niceguy: Replace - delete attribute (deny) - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - niceguy: Replace - delete attribute (deny) |
| <cib epoch="13" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| <acl_user id="betteridea"> |
| <deny id="betteridea-nothing" xpath="/cib"/> |
| <read id="betteridea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/resources/primitive[@id='dummy'][@description]: default |
| Call failed: Permission denied |
| =#=#=#= End test: niceguy: Replace - create attribute (deny) - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - niceguy: Replace - create attribute (deny) |
| <cib epoch="13" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| <acl_user id="betteridea"> |
| <deny id="betteridea-nothing" xpath="/cib"/> |
| <read id="betteridea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= Begin test: bob: Replace - create attribute (allow) =#=#=#= |
| =#=#=#= End test: bob: Replace - create attribute (allow) - OK (0) =#=#=#= |
| * Passed: cibadmin - bob: Replace - create attribute (allow) |
| <cib epoch="14" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| <acl_user id="betteridea"> |
| <deny id="betteridea-nothing" xpath="/cib"/> |
| <read id="betteridea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= Begin test: bob: Replace - modify attribute (allow) =#=#=#= |
| =#=#=#= End test: bob: Replace - modify attribute (allow) - OK (0) =#=#=#= |
| * Passed: cibadmin - bob: Replace - modify attribute (allow) |
| <cib epoch="15" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_user id="l33t-haxor"> |
| <deny id="crook-nothing" xpath="/cib"/> |
| </acl_user> |
| <acl_user id="niceguy"> |
| <role_ref id="observer"/> |
| </acl_user> |
| <acl_user id="bob"> |
| <role_ref id="admin"/> |
| </acl_user> |
| <acl_role id="observer"> |
| <read id="observer-read-1" xpath="/cib"/> |
| <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/> |
| <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <read id="admin-read-1" xpath="/cib"/> |
| <write id="admin-write-1" xpath="//resources"/> |
| </acl_role> |
| <acl_user id="badidea"> |
| <read id="badidea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| <acl_user id="betteridea"> |
| <deny id="betteridea-nothing" xpath="/cib"/> |
| <read id="betteridea-resources" xpath="//meta_attributes"/> |
| </acl_user> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= Begin test: bob: Replace - delete attribute (allow) =#=#=#= |
| =#=#=#= End test: bob: Replace - delete attribute (allow) - OK (0) =#=#=#= |
| * Passed: cibadmin - bob: Replace - delete attribute (allow) |
| |
| |
| !#!#!#!#! Upgrading to pacemaker-2.0 and retesting !#!#!#!#! |
| =#=#=#= Begin test: root: Upgrade to pacemaker-2.0 =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <acl_permission> with id="observer-read-1" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <acl_permission> with id="observer-write-1" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <acl_permission> with id="observer-write-2" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <acl_permission> with id="admin-read-1" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <acl_permission> with id="admin-write-1" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <acl_target> with id="l33t-haxor" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <role> with id="auto-l33t-haxor" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <acl_role> with id="auto-l33t-haxor" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <acl_permission> with id="crook-nothing" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <acl_target> with id="niceguy" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <role> with id="observer" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <acl_target> with id="bob" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <role> with id="admin" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <acl_target> with id="badidea" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <role> with id="auto-badidea" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <acl_role> with id="auto-badidea" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <acl_permission> with id="badidea-resources" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <acl_target> with id="betteridea" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <role> with id="auto-betteridea" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <acl_role> with id="auto-betteridea" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <acl_permission> with id="betteridea-nothing" |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <acl_permission> with id="betteridea-resources" |
| =#=#=#= Current cib after: root: Upgrade to pacemaker-2.0 =#=#=#= |
| <cib epoch="2" num_updates="0" admin_epoch="1"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_target id="l33t-haxor"> |
| <role id="auto-l33t-haxor"/> |
| </acl_target> |
| <acl_role id="auto-l33t-haxor"> |
| <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> |
| </acl_role> |
| <acl_target id="niceguy"> |
| <role id="observer"/> |
| </acl_target> |
| <acl_target id="bob"> |
| <role id="admin"/> |
| </acl_target> |
| <acl_role id="observer"> |
| <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> |
| <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> |
| </acl_role> |
| <acl_target id="badidea"> |
| <role id="auto-badidea"/> |
| </acl_target> |
| <acl_role id="auto-badidea"> |
| <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| <acl_target id="betteridea"> |
| <role id="auto-betteridea"/> |
| </acl_target> |
| <acl_role id="auto-betteridea"> |
| <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> |
| <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: root: Upgrade to pacemaker-2.0 - OK (0) =#=#=#= |
| * Passed: cibadmin - root: Upgrade to pacemaker-2.0 |
| =#=#=#= Begin test: unknownguy: Query configuration =#=#=#= |
| Call failed: Permission denied |
| =#=#=#= End test: unknownguy: Query configuration - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - unknownguy: Query configuration |
| =#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#= |
| Error performing operation: Permission denied |
| =#=#=#= End test: unknownguy: Set enable-acl - Permission denied (13) =#=#=#= |
| * Passed: crm_attribute - unknownguy: Set enable-acl |
| =#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#= |
| Error performing operation: Permission denied |
| =#=#=#= End test: unknownguy: Set stonith-enabled - Permission denied (13) =#=#=#= |
| * Passed: crm_attribute - unknownguy: Set stonith-enabled |
| =#=#=#= Begin test: unknownguy: Create a resource =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__check_acl: Ordinary user unknownguy cannot access the CIB without any defined ACLs |
| ( acl.c:NNN ) trace: pcmk__check_acl: Ordinary user unknownguy cannot access the CIB without any defined ACLs |
| ( acl.c:NNN ) trace: pcmk__check_acl: Ordinary user unknownguy cannot access the CIB without any defined ACLs |
| ( acl.c:NNN ) trace: pcmk__check_acl: Ordinary user unknownguy cannot access the CIB without any defined ACLs |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of <primitive> scaffolding with id="<unset>" is implicitly allowed |
| Call failed: Permission denied |
| =#=#=#= End test: unknownguy: Create a resource - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - unknownguy: Create a resource |
| =#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#= |
| Call failed: Permission denied |
| =#=#=#= End test: l33t-haxor: Query configuration - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - l33t-haxor: Query configuration |
| =#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#= |
| Error performing operation: Permission denied |
| =#=#=#= End test: l33t-haxor: Set enable-acl - Permission denied (13) =#=#=#= |
| * Passed: crm_attribute - l33t-haxor: Set enable-acl |
| =#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#= |
| Error performing operation: Permission denied |
| =#=#=#= End test: l33t-haxor: Set stonith-enabled - Permission denied (13) =#=#=#= |
| * Passed: crm_attribute - l33t-haxor: Set stonith-enabled |
| =#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/resources/primitive[@id='dummy']: parent |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs disallow creation of <primitive> with id="dummy" |
| Call failed: Permission denied |
| =#=#=#= End test: l33t-haxor: Create a resource - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - l33t-haxor: Create a resource |
| =#=#=#= Begin test: niceguy: Query configuration =#=#=#= |
| <cib epoch="7" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources/> |
| <constraints/> |
| <acls> |
| <acl_target id="l33t-haxor"> |
| <role id="auto-l33t-haxor"/> |
| </acl_target> |
| <acl_role id="auto-l33t-haxor"> |
| <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> |
| </acl_role> |
| <acl_target id="niceguy"> |
| <role id="observer"/> |
| </acl_target> |
| <acl_target id="bob"> |
| <role id="admin"/> |
| </acl_target> |
| <acl_role id="observer"> |
| <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> |
| <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> |
| </acl_role> |
| <acl_target id="badidea"> |
| <role id="auto-badidea"/> |
| </acl_target> |
| <acl_role id="auto-badidea"> |
| <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| <acl_target id="betteridea"> |
| <role id="auto-betteridea"/> |
| </acl_target> |
| <acl_role id="auto-betteridea"> |
| <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> |
| <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#= |
| * Passed: cibadmin - niceguy: Query configuration |
| =#=#=#= Begin test: niceguy: Set enable-acl =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]: default |
| Error performing operation: Permission denied |
| Error setting enable-acl=false (section=crm_config, set=<null>): Permission denied |
| =#=#=#= End test: niceguy: Set enable-acl - Permission denied (13) =#=#=#= |
| * Passed: crm_attribute - niceguy: Set enable-acl |
| =#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#= |
| =#=#=#= Current cib after: niceguy: Set stonith-enabled =#=#=#= |
| <cib epoch="8" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources/> |
| <constraints/> |
| <acls> |
| <acl_target id="l33t-haxor"> |
| <role id="auto-l33t-haxor"/> |
| </acl_target> |
| <acl_role id="auto-l33t-haxor"> |
| <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> |
| </acl_role> |
| <acl_target id="niceguy"> |
| <role id="observer"/> |
| </acl_target> |
| <acl_target id="bob"> |
| <role id="admin"/> |
| </acl_target> |
| <acl_role id="observer"> |
| <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> |
| <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> |
| </acl_role> |
| <acl_target id="badidea"> |
| <role id="auto-badidea"/> |
| </acl_target> |
| <acl_role id="auto-badidea"> |
| <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| <acl_target id="betteridea"> |
| <role id="auto-betteridea"/> |
| </acl_target> |
| <acl_role id="auto-betteridea"> |
| <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> |
| <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#= |
| * Passed: crm_attribute - niceguy: Set stonith-enabled |
| =#=#=#= Begin test: niceguy: Create a resource =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/resources/primitive[@id='dummy']: default |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs disallow creation of <primitive> with id="dummy" |
| Call failed: Permission denied |
| =#=#=#= End test: niceguy: Create a resource - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - niceguy: Create a resource |
| =#=#=#= Begin test: root: Query configuration =#=#=#= |
| <cib epoch="8" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources/> |
| <constraints/> |
| <acls> |
| <acl_target id="l33t-haxor"> |
| <role id="auto-l33t-haxor"/> |
| </acl_target> |
| <acl_role id="auto-l33t-haxor"> |
| <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> |
| </acl_role> |
| <acl_target id="niceguy"> |
| <role id="observer"/> |
| </acl_target> |
| <acl_target id="bob"> |
| <role id="admin"/> |
| </acl_target> |
| <acl_role id="observer"> |
| <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> |
| <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> |
| </acl_role> |
| <acl_target id="badidea"> |
| <role id="auto-badidea"/> |
| </acl_target> |
| <acl_role id="auto-badidea"> |
| <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| <acl_target id="betteridea"> |
| <role id="auto-betteridea"/> |
| </acl_target> |
| <acl_role id="auto-betteridea"> |
| <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> |
| <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: root: Query configuration - OK (0) =#=#=#= |
| * Passed: cibadmin - root: Query configuration |
| =#=#=#= Begin test: root: Set stonith-enabled =#=#=#= |
| =#=#=#= Current cib after: root: Set stonith-enabled =#=#=#= |
| <cib epoch="9" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources/> |
| <constraints/> |
| <acls> |
| <acl_target id="l33t-haxor"> |
| <role id="auto-l33t-haxor"/> |
| </acl_target> |
| <acl_role id="auto-l33t-haxor"> |
| <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> |
| </acl_role> |
| <acl_target id="niceguy"> |
| <role id="observer"/> |
| </acl_target> |
| <acl_target id="bob"> |
| <role id="admin"/> |
| </acl_target> |
| <acl_role id="observer"> |
| <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> |
| <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> |
| </acl_role> |
| <acl_target id="badidea"> |
| <role id="auto-badidea"/> |
| </acl_target> |
| <acl_role id="auto-badidea"> |
| <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| <acl_target id="betteridea"> |
| <role id="auto-betteridea"/> |
| </acl_target> |
| <acl_role id="auto-betteridea"> |
| <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> |
| <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#= |
| * Passed: crm_attribute - root: Set stonith-enabled |
| =#=#=#= Begin test: root: Create a resource =#=#=#= |
| =#=#=#= Current cib after: root: Create a resource =#=#=#= |
| <cib epoch="10" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_target id="l33t-haxor"> |
| <role id="auto-l33t-haxor"/> |
| </acl_target> |
| <acl_role id="auto-l33t-haxor"> |
| <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> |
| </acl_role> |
| <acl_target id="niceguy"> |
| <role id="observer"/> |
| </acl_target> |
| <acl_target id="bob"> |
| <role id="admin"/> |
| </acl_target> |
| <acl_role id="observer"> |
| <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> |
| <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> |
| </acl_role> |
| <acl_target id="badidea"> |
| <role id="auto-badidea"/> |
| </acl_target> |
| <acl_role id="auto-badidea"> |
| <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| <acl_target id="betteridea"> |
| <role id="auto-betteridea"/> |
| </acl_target> |
| <acl_role id="auto-betteridea"> |
| <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> |
| <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: root: Create a resource - OK (0) =#=#=#= |
| * Passed: cibadmin - root: Create a resource |
| =#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#= |
| Error performing operation: Permission denied |
| =#=#=#= End test: l33t-haxor: Create a resource meta attribute - Permission denied (13) =#=#=#= |
| * Passed: crm_resource - l33t-haxor: Create a resource meta attribute |
| =#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#= |
| Error performing operation: Permission denied |
| =#=#=#= End test: l33t-haxor: Query a resource meta attribute - Permission denied (13) =#=#=#= |
| * Passed: crm_resource - l33t-haxor: Query a resource meta attribute |
| =#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#= |
| Error performing operation: Permission denied |
| =#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Permission denied (13) =#=#=#= |
| * Passed: crm_resource - l33t-haxor: Remove a resource meta attribute |
| =#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#= |
| error: unpack_resources: Resource start-up disabled since no STONITH resources have been defined |
| error: unpack_resources: Either configure some or disable STONITH with the stonith-enabled option |
| error: unpack_resources: NOTE: Clusters with shared data need STONITH to ensure data integrity |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: Creation of <meta_attributes> scaffolding with id="dummy-meta_attributes" is implicitly allowed |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role" |
| |
| Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role=Stopped |
| =#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#= |
| <cib epoch="11" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_target id="l33t-haxor"> |
| <role id="auto-l33t-haxor"/> |
| </acl_target> |
| <acl_role id="auto-l33t-haxor"> |
| <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> |
| </acl_role> |
| <acl_target id="niceguy"> |
| <role id="observer"/> |
| </acl_target> |
| <acl_target id="bob"> |
| <role id="admin"/> |
| </acl_target> |
| <acl_role id="observer"> |
| <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> |
| <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> |
| </acl_role> |
| <acl_target id="badidea"> |
| <role id="auto-badidea"/> |
| </acl_target> |
| <acl_role id="auto-badidea"> |
| <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| <acl_target id="betteridea"> |
| <role id="auto-betteridea"/> |
| </acl_target> |
| <acl_role id="auto-betteridea"> |
| <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> |
| <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#= |
| * Passed: crm_resource - niceguy: Create a resource meta attribute |
| =#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#= |
| error: unpack_resources: Resource start-up disabled since no STONITH resources have been defined |
| error: unpack_resources: Either configure some or disable STONITH with the stonith-enabled option |
| error: unpack_resources: NOTE: Clusters with shared data need STONITH to ensure data integrity |
| Stopped |
| =#=#=#= Current cib after: niceguy: Query a resource meta attribute =#=#=#= |
| <cib epoch="11" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_target id="l33t-haxor"> |
| <role id="auto-l33t-haxor"/> |
| </acl_target> |
| <acl_role id="auto-l33t-haxor"> |
| <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> |
| </acl_role> |
| <acl_target id="niceguy"> |
| <role id="observer"/> |
| </acl_target> |
| <acl_target id="bob"> |
| <role id="admin"/> |
| </acl_target> |
| <acl_role id="observer"> |
| <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> |
| <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> |
| </acl_role> |
| <acl_target id="badidea"> |
| <role id="auto-badidea"/> |
| </acl_target> |
| <acl_role id="auto-badidea"> |
| <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| <acl_target id="betteridea"> |
| <role id="auto-betteridea"/> |
| </acl_target> |
| <acl_role id="auto-betteridea"> |
| <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> |
| <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#= |
| * Passed: crm_resource - niceguy: Query a resource meta attribute |
| =#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#= |
| error: unpack_resources: Resource start-up disabled since no STONITH resources have been defined |
| error: unpack_resources: Either configure some or disable STONITH with the stonith-enabled option |
| error: unpack_resources: NOTE: Clusters with shared data need STONITH to ensure data integrity |
| Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role |
| =#=#=#= Current cib after: niceguy: Remove a resource meta attribute =#=#=#= |
| <cib epoch="12" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> |
| <meta_attributes id="dummy-meta_attributes"/> |
| </primitive> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_target id="l33t-haxor"> |
| <role id="auto-l33t-haxor"/> |
| </acl_target> |
| <acl_role id="auto-l33t-haxor"> |
| <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> |
| </acl_role> |
| <acl_target id="niceguy"> |
| <role id="observer"/> |
| </acl_target> |
| <acl_target id="bob"> |
| <role id="admin"/> |
| </acl_target> |
| <acl_role id="observer"> |
| <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> |
| <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> |
| </acl_role> |
| <acl_target id="badidea"> |
| <role id="auto-badidea"/> |
| </acl_target> |
| <acl_role id="auto-badidea"> |
| <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| <acl_target id="betteridea"> |
| <role id="auto-betteridea"/> |
| </acl_target> |
| <acl_role id="auto-betteridea"> |
| <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> |
| <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#= |
| * Passed: crm_resource - niceguy: Remove a resource meta attribute |
| =#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#= |
| error: unpack_resources: Resource start-up disabled since no STONITH resources have been defined |
| error: unpack_resources: Either configure some or disable STONITH with the stonith-enabled option |
| error: unpack_resources: NOTE: Clusters with shared data need STONITH to ensure data integrity |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role" |
| |
| Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role=Started |
| =#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#= |
| <cib epoch="13" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_target id="l33t-haxor"> |
| <role id="auto-l33t-haxor"/> |
| </acl_target> |
| <acl_role id="auto-l33t-haxor"> |
| <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> |
| </acl_role> |
| <acl_target id="niceguy"> |
| <role id="observer"/> |
| </acl_target> |
| <acl_target id="bob"> |
| <role id="admin"/> |
| </acl_target> |
| <acl_role id="observer"> |
| <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> |
| <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> |
| </acl_role> |
| <acl_target id="badidea"> |
| <role id="auto-badidea"/> |
| </acl_target> |
| <acl_role id="auto-badidea"> |
| <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| <acl_target id="betteridea"> |
| <role id="auto-betteridea"/> |
| </acl_target> |
| <acl_role id="auto-betteridea"> |
| <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> |
| <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#= |
| * Passed: crm_resource - niceguy: Create a resource meta attribute |
| =#=#=#= Begin test: badidea: Query configuration - implied deny =#=#=#= |
| <cib> |
| <configuration> |
| <resources> |
| <primitive id="dummy"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| </configuration> |
| </cib> |
| =#=#=#= End test: badidea: Query configuration - implied deny - OK (0) =#=#=#= |
| * Passed: cibadmin - badidea: Query configuration - implied deny |
| =#=#=#= Begin test: betteridea: Query configuration - explicit deny =#=#=#= |
| <cib> |
| <configuration> |
| <resources> |
| <primitive id="dummy"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| </configuration> |
| </cib> |
| =#=#=#= End test: betteridea: Query configuration - explicit deny - OK (0) =#=#=#= |
| * Passed: cibadmin - betteridea: Query configuration - explicit deny |
| <cib epoch="14" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| <constraints/> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= Begin test: niceguy: Replace - remove acls =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/acls: default |
| Call failed: Permission denied |
| =#=#=#= End test: niceguy: Replace - remove acls - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - niceguy: Replace - remove acls |
| <cib epoch="14" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_target id="l33t-haxor"> |
| <role id="auto-l33t-haxor"/> |
| </acl_target> |
| <acl_role id="auto-l33t-haxor"> |
| <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> |
| </acl_role> |
| <acl_target id="niceguy"> |
| <role id="observer"/> |
| </acl_target> |
| <acl_target id="bob"> |
| <role id="admin"/> |
| </acl_target> |
| <acl_role id="observer"> |
| <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> |
| <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> |
| </acl_role> |
| <acl_target id="badidea"> |
| <role id="auto-badidea"/> |
| </acl_target> |
| <acl_role id="auto-badidea"> |
| <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| <acl_target id="betteridea"> |
| <role id="auto-betteridea"/> |
| </acl_target> |
| <acl_role id="auto-betteridea"> |
| <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> |
| <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= Begin test: niceguy: Replace - create resource =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/resources/primitive[@id='dummy2']: default |
| ( acl.c:NNN ) trace: pcmk__post_process_acl: ACLs disallow creation of <primitive> with id="dummy2" |
| Call failed: Permission denied |
| =#=#=#= End test: niceguy: Replace - create resource - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - niceguy: Replace - create resource |
| <cib epoch="14" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="false"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_target id="l33t-haxor"> |
| <role id="auto-l33t-haxor"/> |
| </acl_target> |
| <acl_role id="auto-l33t-haxor"> |
| <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> |
| </acl_role> |
| <acl_target id="niceguy"> |
| <role id="observer"/> |
| </acl_target> |
| <acl_target id="bob"> |
| <role id="admin"/> |
| </acl_target> |
| <acl_role id="observer"> |
| <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> |
| <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> |
| </acl_role> |
| <acl_target id="badidea"> |
| <role id="auto-badidea"/> |
| </acl_target> |
| <acl_role id="auto-badidea"> |
| <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| <acl_target id="betteridea"> |
| <role id="auto-betteridea"/> |
| </acl_target> |
| <acl_role id="auto-betteridea"> |
| <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> |
| <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]: default |
| Call failed: Permission denied |
| =#=#=#= End test: niceguy: Replace - modify attribute (deny) - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - niceguy: Replace - modify attribute (deny) |
| <cib epoch="14" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_target id="l33t-haxor"> |
| <role id="auto-l33t-haxor"/> |
| </acl_target> |
| <acl_role id="auto-l33t-haxor"> |
| <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> |
| </acl_role> |
| <acl_target id="niceguy"> |
| <role id="observer"/> |
| </acl_target> |
| <acl_target id="bob"> |
| <role id="admin"/> |
| </acl_target> |
| <acl_role id="observer"> |
| <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> |
| <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> |
| </acl_role> |
| <acl_target id="badidea"> |
| <role id="auto-badidea"/> |
| </acl_target> |
| <acl_role id="auto-badidea"> |
| <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| <acl_target id="betteridea"> |
| <role id="auto-betteridea"/> |
| </acl_target> |
| <acl_role id="auto-betteridea"> |
| <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> |
| <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']: default |
| Call failed: Permission denied |
| =#=#=#= End test: niceguy: Replace - delete attribute (deny) - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - niceguy: Replace - delete attribute (deny) |
| <cib epoch="14" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_target id="l33t-haxor"> |
| <role id="auto-l33t-haxor"/> |
| </acl_target> |
| <acl_role id="auto-l33t-haxor"> |
| <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> |
| </acl_role> |
| <acl_target id="niceguy"> |
| <role id="observer"/> |
| </acl_target> |
| <acl_target id="bob"> |
| <role id="admin"/> |
| </acl_target> |
| <acl_role id="observer"> |
| <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> |
| <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> |
| </acl_role> |
| <acl_target id="badidea"> |
| <role id="auto-badidea"/> |
| </acl_target> |
| <acl_role id="auto-badidea"> |
| <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| <acl_target id="betteridea"> |
| <role id="auto-betteridea"/> |
| </acl_target> |
| <acl_role id="auto-betteridea"> |
| <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> |
| <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#= |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib[@epoch]: default |
| ( acl.c:NNN ) trace: pcmk__check_acl: 400 access denied to /cib/configuration/resources/primitive[@id='dummy'][@description]: default |
| Call failed: Permission denied |
| =#=#=#= End test: niceguy: Replace - create attribute (deny) - Permission denied (13) =#=#=#= |
| * Passed: cibadmin - niceguy: Replace - create attribute (deny) |
| <cib epoch="14" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_target id="l33t-haxor"> |
| <role id="auto-l33t-haxor"/> |
| </acl_target> |
| <acl_role id="auto-l33t-haxor"> |
| <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> |
| </acl_role> |
| <acl_target id="niceguy"> |
| <role id="observer"/> |
| </acl_target> |
| <acl_target id="bob"> |
| <role id="admin"/> |
| </acl_target> |
| <acl_role id="observer"> |
| <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> |
| <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> |
| </acl_role> |
| <acl_target id="badidea"> |
| <role id="auto-badidea"/> |
| </acl_target> |
| <acl_role id="auto-badidea"> |
| <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| <acl_target id="betteridea"> |
| <role id="auto-betteridea"/> |
| </acl_target> |
| <acl_role id="auto-betteridea"> |
| <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> |
| <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= Begin test: bob: Replace - create attribute (allow) =#=#=#= |
| =#=#=#= End test: bob: Replace - create attribute (allow) - OK (0) =#=#=#= |
| * Passed: cibadmin - bob: Replace - create attribute (allow) |
| <cib epoch="15" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"> |
| <meta_attributes id="dummy-meta_attributes"> |
| <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/> |
| </meta_attributes> |
| </primitive> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_target id="l33t-haxor"> |
| <role id="auto-l33t-haxor"/> |
| </acl_target> |
| <acl_role id="auto-l33t-haxor"> |
| <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> |
| </acl_role> |
| <acl_target id="niceguy"> |
| <role id="observer"/> |
| </acl_target> |
| <acl_target id="bob"> |
| <role id="admin"/> |
| </acl_target> |
| <acl_role id="observer"> |
| <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> |
| <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> |
| </acl_role> |
| <acl_target id="badidea"> |
| <role id="auto-badidea"/> |
| </acl_target> |
| <acl_role id="auto-badidea"> |
| <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| <acl_target id="betteridea"> |
| <role id="auto-betteridea"/> |
| </acl_target> |
| <acl_role id="auto-betteridea"> |
| <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> |
| <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= Begin test: bob: Replace - modify attribute (allow) =#=#=#= |
| =#=#=#= End test: bob: Replace - modify attribute (allow) - OK (0) =#=#=#= |
| * Passed: cibadmin - bob: Replace - modify attribute (allow) |
| <cib epoch="16" num_updates="0" admin_epoch="0"> |
| <configuration> |
| <crm_config> |
| <cluster_property_set id="cib-bootstrap-options"> |
| <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/> |
| <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/> |
| <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/> |
| </cluster_property_set> |
| </crm_config> |
| <nodes/> |
| <resources> |
| <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/> |
| </resources> |
| <constraints/> |
| <acls> |
| <acl_target id="l33t-haxor"> |
| <role id="auto-l33t-haxor"/> |
| </acl_target> |
| <acl_role id="auto-l33t-haxor"> |
| <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/> |
| </acl_role> |
| <acl_target id="niceguy"> |
| <role id="observer"/> |
| </acl_target> |
| <acl_target id="bob"> |
| <role id="admin"/> |
| </acl_target> |
| <acl_role id="observer"> |
| <acl_permission id="observer-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/> |
| <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/> |
| </acl_role> |
| <acl_role id="admin"> |
| <acl_permission id="admin-read-1" kind="read" xpath="/cib"/> |
| <acl_permission id="admin-write-1" kind="write" xpath="//resources"/> |
| </acl_role> |
| <acl_target id="badidea"> |
| <role id="auto-badidea"/> |
| </acl_target> |
| <acl_role id="auto-badidea"> |
| <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| <acl_target id="betteridea"> |
| <role id="auto-betteridea"/> |
| </acl_target> |
| <acl_role id="auto-betteridea"> |
| <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/> |
| <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/> |
| </acl_role> |
| </acls> |
| </configuration> |
| <status/> |
| </cib> |
| =#=#=#= Begin test: bob: Replace - delete attribute (allow) =#=#=#= |
| =#=#=#= End test: bob: Replace - delete attribute (allow) - OK (0) =#=#=#= |
| * Passed: cibadmin - bob: Replace - delete attribute (allow) |