base fork: beekhof/pacemaker
...
head fork: beekhof/pacemaker
  • 15 commits
  • 13 files changed
  • 0 commit comments
  • 1 contributor
64 cib/callbacks.c
@@ -368,7 +368,7 @@ process_ping_reply(xmlNode *reply)
digest, remote_cib);
if(remote_cib) {
/* Additional debug */
- xml_calculate_changes(the_cib, remote_cib, NULL);
+ xml_calculate_changes(the_cib, remote_cib);
xml_log_changes(LOG_INFO, __FUNCTION__, remote_cib);
free_xml(remote_cib);
}
@@ -1035,19 +1035,6 @@ cib_process_request(xmlNode * request, gboolean force_synchronous, gboolean priv
return;
}
-static bool
-acl_enabled(GHashTable * config_hash)
-{
- bool rc = FALSE;
- const char *value = NULL;
-
- value = cib_pref(config_hash, "enable-acl");
- rc = crm_is_true(value);
-
- crm_debug("CIB ACL is %s", rc ? "enabled" : "disabled");
- return rc;
-}
-
int
cib_process_command(xmlNode * request, xmlNode ** reply, xmlNode ** cib_diff, gboolean privileged)
{
@@ -1056,10 +1043,6 @@ cib_process_command(xmlNode * request, xmlNode ** reply, xmlNode ** cib_diff, gb
xmlNode *result_cib = NULL;
xmlNode *current_cib = NULL;
-#if ENABLE_ACL
- xmlNode *filtered_current_cib = NULL;
-#endif
-
int call_type = 0;
int call_options = 0;
@@ -1106,26 +1089,9 @@ cib_process_command(xmlNode * request, xmlNode ** reply, xmlNode ** cib_diff, gb
goto done;
} else if (cib_op_modifies(call_type) == FALSE) {
- xmlNode *cib_ro = current_cib;
-
-#if ENABLE_ACL
- if (acl_enabled(config_hash)) {
- const char *user = crm_element_value(request, F_CIB_USER);
-
- if(xml_acl_filtered_copy(user, current_cib, &filtered_current_cib)) {
- if (filtered_current_cib == NULL) {
- crm_debug("Pre-filtered the entire cib");
- rc = -EACCES;
- goto done;
- }
- cib_ro = filtered_current_cib;
- }
- }
-#endif
-
rc = cib_perform_op(op, call_options, cib_op_func(call_type), TRUE,
section, request, input, FALSE, &config_changed,
- cib_ro, &result_cib, NULL, &output);
+ current_cib, &result_cib, NULL, &output);
CRM_CHECK(result_cib == NULL, free_xml(result_cib));
goto done;
@@ -1158,9 +1124,6 @@ cib_process_command(xmlNode * request, xmlNode ** reply, xmlNode ** cib_diff, gb
clear_bit(call_options, cib_zero_copy);
}
- if(acl_enabled(config_hash)) {
- xml_acl_enable(current_cib);
- }
/* result_cib must not be modified after cib_perform_op() returns */
rc = cib_perform_op(op, call_options, cib_op_func(call_type), FALSE,
section, request, input, manage_counters, &config_changed,
@@ -1220,21 +1183,6 @@ cib_process_command(xmlNode * request, xmlNode ** reply, xmlNode ** cib_diff, gb
}
output = result_cib;
-#if ENABLE_ACL
- if (acl_enabled(config_hash)) {
- const char *user = crm_element_value(request, F_CIB_USER);
-
- if(xml_acl_filtered_copy(user, current_cib, &filtered_current_cib)) {
- if (filtered_current_cib == NULL) {
- crm_debug("Pre-filtered the entire cib");
- rc = -EACCES;
- goto done;
- }
- free_xml(result_cib);
- output = filtered_current_cib;
- }
- }
-#endif
} else {
CRM_ASSERT(is_not_set(call_options, cib_zero_copy));
@@ -1282,15 +1230,15 @@ cib_process_command(xmlNode * request, xmlNode ** reply, xmlNode ** cib_diff, gb
}
crm_trace("cleanup");
-#if ENABLE_ACL
- if (filtered_current_cib != NULL) {
- free_xml(filtered_current_cib);
+
+ if (cib_op_modifies(call_type) == FALSE && output != current_cib) {
+ free_xml(output);
}
-#endif
if (call_type >= 0) {
cib_op_cleanup(call_type, call_options, &input, &output);
}
+
crm_trace("done");
return rc;
}
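Review bot: In the cleanup hunk of `cib_process_command`, `output` is released with `free_xml(output)` and is then still passed to `cib_op_cleanup(call_type, call_options, &input, &output)` as if it were live. `cib_op_cleanup` is not shown on this page, so whether it reads or frees `*output` is inferred from its signature only; if it does, the read-only path has a use-after-free or double free. Clearing the pointer right after the free removes the hazard: `free_xml(output); output = NULL;`. The function body starts well before this hunk.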
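--- a/include/crm/common/util.h
+++ b/include/crm/common/util.h
@@ -120,5 +120,6 @@ void crm_build_path(const char *path_c, mode_t mode);
 int crm_user_lookup(const char *name, uid_t * uid, gid_t * gid);
 int crm_exit(int rc);
+bool pcmk_acl_required(const char *user);
 #endif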
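--- a/include/crm/common/xml.h
+++ b/include/crm/common/xml.h
@@ -251,19 +251,24 @@ static inline int numXpathResults(xmlXPathObjectPtr xpathObj)
 }
 bool xml_acl_enabled(xmlNode *xml);
-void xml_acl_enable(xmlNode *xml); /* Call prior to xml_track_changes() */
+void xml_acl_enable(xmlNode *xml, const char *user); /* Call prior to xml_track_changes() */
+void xml_acl_disable(xmlNode *xml);
+bool xml_acl_denied(xmlNode *xml); /* Part or all of a change was rejected */
 bool xml_acl_filtered_copy(const char *user, xmlNode *xml, xmlNode ** result);
-void xml_track_changes(xmlNode * xml, const char *user);
-void xml_calculate_changes(xmlNode * old, xmlNode * new, const char *user);
-void xml_accept_changes(xmlNode * xml);
+
 bool xml_tracking_changes(xmlNode * xml);
 bool xml_document_dirty(xmlNode *xml);
-xmlNode *xml_create_patchset(
- int format, xmlNode *source, xmlNode *target, bool *config, bool manage_version, bool with_digest);
-int xml_apply_patchset(xmlNode *xml, xmlNode *patchset, bool check_version);
+void xml_track_changes(xmlNode * xml, const char *user, bool enforce_acls);
+void xml_calculate_changes(xmlNode * old, xmlNode * new); /* For comparing two documents after the fact */
+void xml_accept_changes(xmlNode * xml);
 void xml_log_changes(uint8_t level, const char *function, xmlNode *xml);
 void xml_log_patchset(uint8_t level, const char *function, xmlNode *xml);
 bool xml_patch_versions(xmlNode *patchset, int add[3], int del[3]);
+
+xmlNode *xml_create_patchset(
+ int format, xmlNode *source, xmlNode *target, bool *config, bool manage_version, bool with_digest);
+int xml_apply_patchset(xmlNode *xml, xmlNode *patchset, bool check_version);
+
 void save_xml_to_file(xmlNode * xml, const char *desc, const char *filename);
 char *xml_get_path(xmlNode *xml);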
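Review bot: The comment kept on `xml_acl_enable()`, `/* Call prior to xml_track_changes() */`, no longer matches the implementation in lib/common/xml.c. There `xml_track_changes()` begins with `xml_accept_changes()`, which cleans the document's private ACL state and resets its flags, and it enables ACLs itself only when `enforce_acls` is true. A caller that follows the comment and then passes `FALSE` would track changes with enforcement silently off. Suggest replacing it with `/* Normally invoked via xml_track_changes(xml, user, TRUE); an earlier call is undone by xml_track_changes() */`. `xml_acl_filtered_copy()` also deserves a note that a TRUE return with `*result == NULL` means the user may see nothing.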
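--- a/lib/cib/cib_file.c
+++ b/lib/cib/cib_file.c
@@ -254,8 +254,10 @@ cib_file_perform_op_delegate(cib_t * cib, const char *op, const char *host, cons
 const char *user_name)
 {
 int rc = pcmk_ok;
+ char *effective_user = NULL;
 gboolean query = FALSE;
 gboolean changed = FALSE;
+ xmlNode *request = NULL;
 xmlNode *output = NULL;
 xmlNode *cib_diff = NULL;
 xmlNode *result_cib = NULL;
@@ -264,6 +266,7 @@ cib_file_perform_op_delegate(cib_t * cib, const char *op, const char *host, cons
 static int max_msg_types = DIMOF(cib_file_ops);
 crm_info("%s on %s", op, section);
+ call_options |= (cib_no_mtime | cib_inhibit_bcast | cib_scope_local);
 if (cib->state == cib_disconnected) {
 return -ENOTCONN;
@@ -290,10 +293,20 @@ cib_file_perform_op_delegate(cib_t * cib, const char *op, const char *host, cons
 }
 cib->call_id++;
- rc = cib_perform_op(op, call_options | cib_no_mtime | cib_inhibit_bcast, fn, query,
- section, NULL, data, TRUE, &changed, in_mem_cib, &result_cib, &cib_diff,
+ request = cib_create_op(cib->call_id, "dummy-token", op, host, section, data, call_options, user_name);
+#if ENABLE_ACL
+ if(user_name != NULL) {
+ effective_user = uid2username(geteuid());
+ crm_trace("Checking if %s can impersonate %s", effective_user, user_name);
+ determine_request_user(effective_user, request, F_CIB_USER);
+ }
+ crm_trace("Performing %s operation as %s", op, crm_element_value(request, F_CIB_USER));
+#endif
+ rc = cib_perform_op(op, call_options, fn, query,
+ section, request, data, TRUE, &changed, in_mem_cib, &result_cib, &cib_diff,
 &output);
+ free_xml(request);
 if (rc == -pcmk_err_dtd_validation) {
 validate_xml_verbose(result_cib);
 }
@@ -314,14 +327,16 @@ cib_file_perform_op_delegate(cib_t * cib, const char *op, const char *host, cons
 }
 if (output_data && output) {
- *output_data = copy_xml(output);
- }
+ if(output == in_mem_cib) {
+ *output_data = copy_xml(output);
+ } else {
+ *output_data = output;
+ }
- if (query == FALSE || (call_options & cib_no_children)) {
- free_xml(output);
- } else if (safe_str_eq(crm_element_name(output), "xpath-query")) {
+ } else if(output != in_mem_cib) {
 free_xml(output);
 }
+ free(effective_user);
 return rc;
 }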
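Review bot: `effective_user = uid2username(geteuid())` is used without a NULL check before `determine_request_user(effective_user, request, F_CIB_USER)`. Both helpers are defined outside these hunks, so the following is inferred: if the lookup can fail and the helper then leaves the request untouched, the operation proceeds under the caller-supplied `user_name` with no impersonation check applied. Failing closed is safer, e.g. `if (effective_user == NULL) { free_xml(request); return -EACCES; }` directly after the lookup. The function body begins and ends outside these hunks.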
92 lib/cib/cib_utils.c
@@ -114,9 +114,12 @@ get_cib_copy(cib_t * cib)
if (cib->cmds->query(cib, NULL, &xml_cib, options) != pcmk_ok) {
crm_err("Couldnt retrieve the CIB");
+ free_xml(xml_cib);
return NULL;
+
} else if (xml_cib == NULL) {
crm_err("The CIB result was empty");
+ free_xml(xml_cib);
return NULL;
}
@@ -289,6 +292,27 @@ createEmptyCib(void)
return cib_root;
}
+static bool
+cib_acl_enabled(xmlNode *xml, const char *user)
+{
+ bool rc = FALSE;
+
+#if ENABLE_ACL
+ if(pcmk_acl_required(user)) {
+ const char *value = NULL;
+ GHashTable *options = g_hash_table_new_full(crm_str_hash, g_str_equal, g_hash_destroy_str, g_hash_destroy_str);
+
+ cib_read_config(options, xml);
+ value = cib_pref(options, "enable-acl");
+ rc = crm_is_true(value);
+ g_hash_table_destroy(options);
+ }
+
+ crm_debug("CIB ACL is %s", rc ? "enabled" : "disabled");
+#endif
+ return rc;
+}
+
int
cib_perform_op(const char *op, int call_options, cib_op_t * fn, gboolean is_query,
const char *section, xmlNode * req, xmlNode * input,
@@ -301,9 +325,9 @@ cib_perform_op(const char *op, int call_options, cib_op_t * fn, gboolean is_quer
xmlNode *scratch = NULL;
xmlNode *local_diff = NULL;
- const char *user = crm_element_value(req, F_CIB_USER);
const char *new_version = NULL;
static struct qb_log_callsite *diff_cs = NULL;
+ const char *user = crm_element_value(req, F_CIB_USER);
crm_trace("Begin %s%s op", is_query ? "read-only " : "", op);
@@ -320,7 +344,38 @@ cib_perform_op(const char *op, int call_options, cib_op_t * fn, gboolean is_quer
}
if (is_query) {
- rc = (*fn) (op, call_options, section, req, input, current_cib, result_cib, output);
+ xmlNode *cib_ro = current_cib;
+ xmlNode *cib_filtered = NULL;
+
+ if(cib_acl_enabled(cib_ro, user)) {
+ if(xml_acl_filtered_copy(user, cib_ro, &cib_filtered)) {
+ if (cib_filtered == NULL) {
+ crm_debug("Pre-filtered the entire cib");
+ return -EACCES;
+ }
+ cib_ro = cib_filtered;
+ crm_log_xml_trace(cib_ro, "filtered");
+ }
+ }
+
+ rc = (*fn) (op, call_options, section, req, input, cib_ro, result_cib, output);
+
+ if(output == NULL) {
+ /* nothing */
+
+ } else if(cib_filtered == *output) {
+ cib_filtered = NULL; /* Let them have this copy */
+
+ } else if(cib_filtered) {
+ /* We're about to free the document of which *output is a part */
+ *output = copy_xml(*output);
+
+ } else if(*output != current_cib) {
+ /* Give them a copy they can free */
+ *output = copy_xml(*output);
+ }
+
+ free_xml(cib_filtered);
return rc;
}
@@ -335,26 +390,33 @@ cib_perform_op(const char *op, int call_options, cib_op_t * fn, gboolean is_quer
copy_in_properties(current_cib, scratch);
top = current_cib;
- xml_track_changes(scratch, user);
+ xml_track_changes(scratch, user, cib_acl_enabled(scratch, user));
rc = (*fn) (op, call_options, section, req, input, scratch, &scratch, output);
} else {
scratch = copy_xml(current_cib);
-
- xml_track_changes(scratch, user);
+ xml_track_changes(scratch, user, cib_acl_enabled(scratch, user));
rc = (*fn) (op, call_options, section, req, input, current_cib, &scratch, output);
if(xml_tracking_changes(scratch) == FALSE) {
crm_trace("Inferring changes after %s op", op);
- xml_calculate_changes(current_cib, scratch, user);
+ xml_track_changes(scratch, user, cib_acl_enabled(scratch, user));
+ xml_calculate_changes(current_cib, scratch);
}
CRM_CHECK(current_cib != scratch, return -EINVAL);
}
+ xml_acl_disable(scratch); /* Allow the system to make any additional changes */
+
if (rc == pcmk_ok && scratch == NULL) {
rc = -EINVAL;
goto done;
+ } else if(rc == pcmk_ok && xml_acl_denied(scratch)) {
+ crm_trace("ACL rejected part or all of the proposed changes");
+ rc = -EACCES;
+ goto done;
+
} else if (rc != pcmk_ok) {
goto done;
}
@@ -511,7 +573,19 @@ cib_perform_op(const char *op, int call_options, cib_op_t * fn, gboolean is_quer
}
done:
+
*result_cib = scratch;
+#if ENABLE_ACL
+ if(rc != pcmk_ok && cib_acl_enabled(current_cib, user)) {
+ if(xml_acl_filtered_copy(user, scratch, result_cib)) {
+ if (*result_cib == NULL) {
+ crm_debug("Pre-filtered the entire cib result");
+ }
+ free_xml(scratch);
+ }
+ }
+#endif
+
if(diff) {
*diff = local_diff;
} else {
@@ -766,5 +840,11 @@ cib_internal_op(cib_t * cib, const char *op, const char *host,
xmlNode ** output_data, int call_options, const char *user_name) =
cib->delegate_fn;
+#if ENABLE_ACL
+ if(user_name == NULL) {
+ user_name = getenv("CIB_user");
+ }
+#endif
+
return delegate(cib, op, host, section, data, output_data, call_options, user_name);
}
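Review bot: In the copy branch of `cib_perform_op`, the "Inferring changes" path decides enforcement with `cib_acl_enabled(scratch, user)` after `(*fn)` has already produced `scratch`. The `enable-acl` setting is therefore read from the document the requester just wrote rather than from the CIB currently in force. A request that replaces the configuration could then influence whether its own changes are checked, whereas the `done:` block already bases the same decision on `current_cib`. Consider `xml_track_changes(scratch, user, cib_acl_enabled(current_cib, user));` at that call. The ACL entries themselves appear to be unpacked from the tracked document too (`__xml_acl_unpack` in lib/common/xml.c), so the source of the rules may need the same treatment.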
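--- a/lib/common/utils.c
+++ b/lib/common/utils.c
@@ -2260,6 +2260,28 @@ create_operation_update(xmlNode * parent, lrmd_event_data_t * op, const char *ca
 return xml_op;
 }
+bool
+pcmk_acl_required(const char *user)
+{
+#if ENABLE_ACL
+ if(user == NULL || strlen(user) == 0) {
+ crm_trace("no user set");
+ return FALSE;
+
+ } else if (strcmp(user, CRM_DAEMON_USER) == 0) {
+ return FALSE;
+
+ } else if (strcmp(user, "root") == 0) {
+ return FALSE;
+ }
+ crm_trace("acls required for %s", user);
+ return TRUE;
+#else
+ crm_trace("acls not supported");
+ return FALSE;
+#endif
+}
+
 #if ENABLE_ACL
 char *
 uid2username(uid_t uid)
@@ -2293,7 +2315,7 @@ determine_request_user(const char *user, xmlNode * request, const char *field)
 /* } else { Legal delegation */
 }
- crm_trace("Processing msg for user '%s'", crm_element_value(request, field));
+ crm_trace("Processing msg as user '%s'", crm_element_value(request, field));
 }
 #endif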
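Review bot: `pcmk_acl_required()` exempts callers purely by name (NULL, empty, `CRM_DAEMON_USER` or `root`), and nothing at the definition says that the name must already have been verified. Because this is now a public function, declared in include/crm/common/util.h, that trust assumption belongs in a doc comment, for example `/* user must already have been validated (e.g. by determine_request_user()); a NULL, empty, root or CRM_DAEMON_USER name bypasses ACL enforcement */`. The same comment would be useful on the header declaration.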
250 lib/common/xml.c
@@ -108,6 +108,7 @@ enum xml_private_flags {
xpf_acl_deny = 0x0800,
xpf_acl_create = 0x1000,
+ xpf_acl_denied = 0x2000,
};
typedef struct xml_private_s
@@ -154,7 +155,15 @@ static int add_xml_comment(xmlNode * parent, xmlNode * target, xmlNode * update)
static bool __xml_acl_check(xmlNode *xml, const char *name, enum xml_private_flags mode);
#define CHUNK_SIZE 1024
-#define TRACKING_CHANGES(xml) xml->doc?is_set(((xml_private_t *)xml->doc->_private)->flags, xpf_tracking):FALSE
+static inline bool TRACKING_CHANGES(xmlNode *xml)
+{
+ if(xml == NULL || xml->doc == NULL || xml->doc->_private == NULL) {
+ return FALSE;
+ } else if(is_set(((xml_private_t *)xml->doc->_private)->flags, xpf_tracking)) {
+ return TRUE;
+ }
+ return FALSE;
+}
#define buffer_print(buffer, max, offset, fmt, args...) do { \
int rc = (max); \
@@ -300,6 +309,54 @@ crm_first_attr(xmlNode * xml)
return xml->properties;
}
+#define XML_PRIVATE_MAGIC (long) 0x81726354
+
+static void
+__xml_acl_free(void *data)
+{
+ if(data) {
+ xml_acl_t *acl = data;
+
+ free(acl->xpath);
+ free(acl);
+ }
+}
+
+static void
+__xml_private_clean(xml_private_t *p)
+{
+ if(p) {
+ CRM_ASSERT(p->check == XML_PRIVATE_MAGIC);
+
+ free(p->user);
+ p->user = NULL;
+
+ if(p->acls) {
+ g_list_free_full(p->acls, __xml_acl_free);
+ p->acls = NULL;
+ }
+
+ if(p->deleted_paths) {
+ g_list_free_full(p->deleted_paths, free);
+ p->deleted_paths = NULL;
+ }
+ }
+}
+
+
+static void
+__xml_private_free(xml_private_t *p)
+{
+ __xml_private_clean(p);
+ free(p);
+}
+
+static void
+pcmkDeregisterNode(xmlNodePtr node)
+{
+ __xml_private_free(node->_private);
+}
+
static void
pcmkRegisterNode(xmlNodePtr node)
{
@@ -311,7 +368,7 @@ pcmkRegisterNode(xmlNodePtr node)
case XML_ATTRIBUTE_NODE:
case XML_COMMENT_NODE:
p = calloc(1, sizeof(xml_private_t));
- p->check = (long) 0x81726354;
+ p->check = XML_PRIVATE_MAGIC;
/* Flags will be reset if necessary when tracking is enabled */
p->flags |= (xpf_dirty|xpf_created);
node->_private = p;
@@ -321,6 +378,7 @@ pcmkRegisterNode(xmlNodePtr node)
default:
/* Ignore */
crm_trace("Ignoring %p %d", node, node->type);
+ CRM_LOG_ASSERT(node->type == XML_ELEMENT_NODE);
break;
}
@@ -333,36 +391,6 @@ pcmkRegisterNode(xmlNodePtr node)
}
}
-static void
-pcmkDeregisterNode(xmlNodePtr node)
-{
- xml_private_t *p = node->_private;
-
- switch(node->type) {
- case XML_ELEMENT_NODE:
- case XML_DOCUMENT_NODE:
- case XML_ATTRIBUTE_NODE:
- CRM_ASSERT(node->_private != NULL);
- CRM_ASSERT(p->check == (long) 0x81726354);
- free(p->user);
- free(node->_private);
- break;
- default:
- break;
- }
-}
-
-static void
-__xml_acl_free(void *data)
-{
- if(data) {
- xml_acl_t *acl = data;
-
- free(acl->xpath);
- free(acl);
- }
-}
-
static xml_acl_t *
__xml_acl_create(xmlNode * xml, xmlNode *target, enum xml_private_flags mode)
{
@@ -380,6 +408,7 @@ __xml_acl_create(xmlNode * xml, xmlNode *target, enum xml_private_flags mode)
return NULL;
} else if (tag == NULL && ref == NULL && xpath == NULL) {
+ crm_trace("No criteria %p", xml);
return NULL;
}
@@ -391,6 +420,7 @@ __xml_acl_create(xmlNode * xml, xmlNode *target, enum xml_private_flags mode)
acl->mode = mode;
if(xpath) {
acl->xpath = strdup(xpath);
+ crm_trace("Using xpath: %s", acl->xpath);
} else {
int offset = 0;
@@ -440,6 +470,7 @@ __xml_acl_parse_entry(xmlNode * acl_top, xmlNode * acl_entry, xmlNode *target)
for (child = __xml_first_child(acl_entry); child; child = __xml_next(child)) {
const char *tag = crm_element_name(child);
+ crm_trace("Processing %s %p", tag, child);
if(tag == NULL) {
CRM_ASSERT(tag != NULL);
@@ -454,7 +485,7 @@ __xml_acl_parse_entry(xmlNode * acl_top, xmlNode * acl_entry, xmlNode *target)
const char *role_id = crm_element_value(role, XML_ATTR_ID);
if (role_id && strcmp(ref_role, role_id) == 0) {
- crm_debug("Unpacking referenced role: %s", role);
+ crm_debug("Unpacking referenced role: %s", role_id);
__xml_acl_parse_entry(acl_top, role, target);
break;
}
@@ -479,22 +510,6 @@ __xml_acl_parse_entry(xmlNode * acl_top, xmlNode * acl_entry, xmlNode *target)
return TRUE;
}
-static bool
-__xml_acl_required(const char *user)
-{
- if(user == NULL || strlen(user) == 0) {
- crm_trace("no user set");
- return FALSE;
-
- } else if (strcmp(user, CRM_DAEMON_USER) == 0) {
- return FALSE;
-
- } else if (strcmp(user, "root") == 0) {
- return FALSE;
- }
- return TRUE;
-}
-
/*
<acls>
<acl_user id="lmb">
@@ -537,15 +552,21 @@ static void
__xml_acl_unpack(xmlNode *xml, const char *user)
{
#if ENABLE_ACL
- if(__xml_acl_required(user)) {
+ xml_private_t *p = NULL;
+
+ if(xml == NULL || xml->doc == NULL || xml->doc->_private == NULL) {
+ return;
+ }
+
+ p = xml->doc->_private;
+ if(pcmk_acl_required(user) == FALSE) {
crm_trace("no acls needed for '%s'", user);
- } else {
- xml_private_t *p = xml->doc->_private;
+ } else if(p->acls == NULL) {
xmlNode *acls = get_xpath_object("//"XML_CIB_TAG_ACLS, xml, LOG_TRACE);
+ free(p->user);
p->user = strdup(user);
- xml_acl_enable(xml);
if(acls) {
xmlNode *child = NULL;
@@ -621,16 +642,17 @@ __xml_purge_attributes(xmlNode *xml)
bool
xml_acl_filtered_copy(const char *user, xmlNode *xml, xmlNode ** result)
{
- bool filtered = FALSE;
GListPtr aIter = NULL;
xmlNode *target = NULL;
xml_private_t *doc = NULL;
*result = NULL;
- if(__xml_acl_required(user)) {
+ if(pcmk_acl_required(user) == FALSE) {
crm_trace("no acls needed for '%s'", user);
+ return FALSE;
}
+ crm_trace("filtered copy of %p for '%s'", xml, user);
target = copy_xml(xml);
__xml_acl_unpack(target, user);
@@ -650,7 +672,6 @@ xml_acl_filtered_copy(const char *user, xmlNode *xml, xmlNode ** result)
for(lpc = 0; lpc < max; lpc++) {
xmlNode *match = getXpathResult(xpathObj, lpc);
- filtered = TRUE;
if(__xml_purge_attributes(match) == FALSE) {
free_xml(match); /* Nothing readable under here, purge completely */
if(match == target) {
@@ -667,13 +688,18 @@ xml_acl_filtered_copy(const char *user, xmlNode *xml, xmlNode ** result)
if(doc->acls) {
g_list_free_full(doc->acls, __xml_acl_free);
doc->acls = NULL;
+
+ } else {
+ crm_trace("Ordinary user '%s' cannot access the CIB without any defined ACLs", doc->user);
+ free_xml(target);
+ target = NULL;
}
if(target) {
*result = target;
}
- return filtered;
+ return TRUE;
}
static void
@@ -682,11 +708,29 @@ __xml_acl_post_process(xmlNode * xml)
xmlNode *cIter = __xml_first_child(xml);
xml_private_t *p = xml->_private;
- if(is_set(p->flags, xpf_created) && __xml_acl_check(xml, NULL, xpf_acl_write) == FALSE) {
- char *path = xml_get_path(xml);
- crm_trace("Cannot add new node %s at %s", crm_element_name(xml), path);
- free_xml(xml);
- return;
+ if(is_set(p->flags, xpf_created)) {
+ xmlAttr *xIter = NULL;
+
+ /* Always allow new scaffolding, ie. node with no attributes or only an 'id' */
+
+ for (xIter = crm_first_attr(xml); xIter != NULL; xIter = xIter->next) {
+ const char *prop_name = (const char *)xIter->name;
+
+ if (strcmp(prop_name, XML_ATTR_ID) == 0) {
+ /* Delay the acl check */
+ continue;
+
+ } else if(__xml_acl_check(xml, NULL, xpf_acl_write)) {
+ crm_trace("Creation of %s=%s is allowed", crm_element_name(xml), ID(xml));
+ break;
+
+ } else {
+ char *path = xml_get_path(xml);
+ crm_trace("Cannot add new node %s at %s", crm_element_name(xml), path);
+ free_xml(xml);
+ return;
+ }
+ }
}
while (cIter != NULL) {
@@ -696,10 +740,37 @@ __xml_acl_post_process(xmlNode * xml)
}
}
+bool
+xml_acl_denied(xmlNode *xml)
+{
+ if(xml && xml->doc && xml->doc->_private){
+ xml_private_t *p = xml->doc->_private;
+
+ return is_set(p->flags, xpf_acl_denied);
+ }
+ return FALSE;
+}
+
void
-xml_acl_enable(xmlNode *xml)
+xml_acl_enable(xmlNode *xml, const char *user)
{
+ crm_trace("Enabling acls for '%s'", user);
set_doc_flag(xml, xpf_acl_enabled);
+ __xml_acl_unpack(xml, user);
+ __xml_acl_apply(xml);
+}
+
+void
+xml_acl_disable(xmlNode *xml)
+{
+ if(xml_acl_enabled(xml)) {
+ xml_private_t *p = xml->doc->_private;
+
+ /* Catch anything that was created but shouldn't have been */
+ __xml_acl_apply(xml);
+ __xml_acl_post_process(xml);
+ clear_bit(p->flags, xpf_acl_enabled);
+ }
}
bool
@@ -714,15 +785,13 @@ xml_acl_enabled(xmlNode *xml)
}
void
-xml_track_changes(xmlNode * xml, const char *user)
+xml_track_changes(xmlNode * xml, const char *user, bool enforce_acls)
{
- bool enable_acls = xml_acl_enabled(xml); /* Save the acl setting */
-
xml_accept_changes(xml);
- crm_trace("Tracking changes to %p", xml);
+ crm_trace("Tracking changes to %p %d", xml, enforce_acls);
set_doc_flag(xml, xpf_tracking);
- if(enable_acls) {
- __xml_acl_unpack(xml, user);
+ if(enforce_acls) {
+ xml_acl_enable(xml, user);
}
}
@@ -1132,11 +1201,7 @@ xml_create_patchset(int format, xmlNode *source, xmlNode *target, bool *config_c
xmlNode *patch = NULL;
const char *version = crm_element_value(source, XML_ATTR_CRM_VERSION);
- if(xml_acl_enabled(target)) {
- __xml_acl_apply(target);
- __xml_acl_post_process(target);
- }
-
+ xml_acl_disable(target);
if(xml_document_dirty(target) == FALSE) {
crm_trace("No change %d", format);
return NULL; /* No change */
@@ -1312,12 +1377,8 @@ xml_accept_changes(xmlNode * xml)
crm_trace("Accepting changes to %p", xml);
doc = xml->doc->_private;
top = xmlDocGetRootElement(xml->doc);
- if(doc->acls) {
- g_list_free_full(doc->acls, __xml_acl_free);
- doc->acls = NULL;
- }
- free(doc->user); doc->user = NULL;
+ __xml_private_clean(xml->doc->_private);
if(is_not_set(doc->flags, xpf_dirty)) {
doc->flags = xpf_none;
@@ -1326,9 +1387,6 @@ xml_accept_changes(xmlNode * xml)
doc->flags = xpf_none;
__xml_accept_changes(top);
-
- g_list_free_full(doc->deleted_paths, free);
- doc->deleted_paths = NULL;
}
/* Simplified version for applying v1-style XML patches */
@@ -2163,11 +2221,12 @@ __xml_acl_check(xmlNode *xml, const char *name, enum xml_private_flags mode)
xml_private_t *docp = xml->doc->_private;
if(docp->acls == NULL) {
- crm_trace("Ordinary users cannot access the CIB without any defined ACLs");
+ crm_trace("Ordinary user %s cannot access the CIB without any defined ACLs", docp->user);
+ set_doc_flag(xml, xpf_acl_denied);
return FALSE;
}
- __get_prefix(NULL, xml, buffer, offset);
+ offset = __get_prefix(NULL, xml, buffer, offset);
if(name) {
offset += snprintf(buffer + offset, XML_BUFFER_SIZE - offset, "[@%s]", name);
}
@@ -2189,13 +2248,17 @@ __xml_acl_check(xmlNode *xml, const char *name, enum xml_private_flags mode)
xml_private_t *p = parent->_private;
if(__xml_acl_mode_test(p->flags, mode)) {
return TRUE;
+
} else if(is_set(p->flags, xpf_acl_deny)) {
crm_trace("%x access denied to %s: parent", mode, buffer);
+ set_doc_flag(xml, xpf_acl_denied);
return FALSE;
}
parent = parent->parent;
}
+ crm_trace("%x access denied to %s: default", mode, buffer);
+ set_doc_flag(xml, xpf_acl_denied);
return FALSE;
}
}
@@ -2227,10 +2290,6 @@ crm_xml_add(xmlNode * node, const char *name, const char *value)
return value);
}
#endif
- if(__xml_acl_check(node, name, xpf_acl_create) == FALSE) {
- crm_trace("Cannot add %s=%s to %s", name, value, node->name);
- return NULL;
- }
if(TRACKING_CHANGES(node)) {
const char *old = crm_element_value(node, name);
@@ -2240,6 +2299,11 @@ crm_xml_add(xmlNode * node, const char *name, const char *value)
}
}
+ if(dirty && __xml_acl_check(node, name, xpf_acl_create) == FALSE) {
+ crm_trace("Cannot add %s=%s to %s", name, value, node->name);
+ return NULL;
+ }
+
attr = xmlSetProp(node, (const xmlChar *)name, (const xmlChar *)value);
if(dirty) {
crm_attr_dirty(attr);
@@ -2369,9 +2433,6 @@ free_xml(xmlNode * child)
if (doc != NULL && top == child) {
/* Free everything */
- if(p->acls) {
- g_list_free_full(p->acls, __xml_acl_free);
- }
xmlFreeDoc(doc);
} else if(__xml_acl_check(child, NULL, xpf_acl_write) == FALSE) {
@@ -3724,12 +3785,15 @@ __xml_diff_object(xmlNode * old, xmlNode * new)
}
void
-xml_calculate_changes(xmlNode * old, xmlNode * new, const char *user)
+xml_calculate_changes(xmlNode * old, xmlNode * new)
{
CRM_CHECK(safe_str_eq(crm_element_name(old), crm_element_name(new)), return);
CRM_CHECK(safe_str_eq(ID(old), ID(new)), return);
- xml_track_changes(new, user);
+ if(xml_tracking_changes(new) == FALSE) {
+ xml_track_changes(new, NULL, FALSE);
+ }
+
__xml_diff_object(old, new);
xml_log_changes(LOG_TRACE, __FUNCTION__, new);
}
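Review bot: In `__xml_acl_post_process`, the denial branch obtains `path` from `xml_get_path(xml)` and returns without releasing it. Assuming the caller owns that string (the header declares a plain `char *` return), every rejected node creation leaks it; add `free(path);` before the `return`. The same branch removes the node through `free_xml(xml)`, and the `free_xml` context later in this file runs `__xml_acl_check(child, NULL, xpf_acl_write)` before freeing a non-root node. That is the check which has just failed, and `xml_acl_disable` clears `xpf_acl_enabled` only after post-processing, so the removal is presumably refused. The request is still rejected through `xpf_acl_denied`, but unlinking and freeing the node directly would make the cleanup independent of that flag.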
76 tools/cibadmin.c
@@ -52,6 +52,7 @@ void cib_connection_destroy(gpointer user_data);
void cibadmin_op_callback(xmlNode * msg, int call_id, int rc, xmlNode * output, void *user_data);
int command_options = 0;
+const char *cib_user = NULL;
const char *cib_action = NULL;
typedef struct str_list_s {
@@ -90,20 +91,17 @@ static struct crm_option long_options[] = {
{"patch", 0, 0, 'P', "\tSupply an update in the form of an xml diff (See also: crm_diff)"},
{"replace", 0, 0, 'R', "\tRecursivly replace an object in the CIB"},
{"delete", 0, 0, 'D', "\tDelete the first object matching the supplied criteria, Eg. <op id=\"rsc1_op1\" name=\"monitor\"/>"},
- {"-spacer-", 0, 0, '-', "\n\tThe tagname and all attributes must match in order for the element to be deleted"},
- {"delete-all", 0, 0, 'd', "\tWhen used with --xpath, remove all matching objects in the configuration instead of just the first one"},
- {"md5-sum", 0, 0, '5', "\tCalculate the on-disk CIB digest"},
- {"md5-sum-versioned", 0, 0, '6', "\tCalculate an on-the-wire versioned CIB digest"},
- {"sync", 0, 0, 'S', "\t(Advanced) Force a refresh of the CIB to all nodes\n"},
- {"make-slave", 0, 0, 'r', NULL, 1},
- {"make-master", 0, 0, 'w', NULL, 1},
- {"is-master", 0, 0, 'm', NULL, 1},
+ {"-spacer-", 0, 0, '-', "\n\tThe tagname and all attributes must match in order for the element to be deleted\n"},
+ {"delete-all", 0, 0, 'd', "When used with --xpath, remove all matching objects in the configuration instead of just the first one"},
{"empty", 0, 0, 'a', "\tOutput an empty CIB"},
- {"blank", 0, 0, 'a', NULL, 1},
+ {"md5-sum", 0, 0, '5', "\tCalculate the on-disk CIB digest"},
+ {"md5-sum-versioned", 0, 0, '6', "Calculate an on-the-wire versioned CIB digest"},
+ {"blank", 0, 0, '-', NULL, 1},
{"-spacer-",1, 0, '-', "\nAdditional options:"},
{"force", 0, 0, 'f'},
{"timeout", 1, 0, 't', "Time (in seconds) to wait before declaring the operation failed"},
+ {"user", 1, 0, 'U', "Run the command with permissions of the named user (valid only for the root and "CRM_DAEMON_USER" accounts)"},
{"sync-call", 0, 0, 's', "Wait for call to complete before returning"},
{"local", 0, 0, 'l', "\tCommand takes effect locally. Should only be used for queries"},
{"allow-create",0, 0, 'c', "(Advanced) Allow the target of a --modify,-M operation to be created if they do not exist"},
@@ -162,21 +160,6 @@ static struct crm_option long_options[] = {
/* Legacy options */
{"host", 1, 0, 'h', NULL, 1},
- {"force-quorum", 0, 0, 'f', NULL, 1},
- {"obj_type", 1, 0, 'o', NULL, 1},
- {F_CRM_DATA, 1, 0, 'X', NULL, 1},
- {CIB_OP_ERASE, 0, 0, 'E', NULL, 1},
- {CIB_OP_QUERY, 0, 0, 'Q', NULL, 1},
- {CIB_OP_CREATE, 0, 0, 'C', NULL, 1},
- {CIB_OP_REPLACE, 0, 0, 'R', NULL, 1},
- {CIB_OP_UPDATE, 0, 0, 'U', NULL, 1},
- {CIB_OP_MODIFY, 0, 0, 'M', NULL, 1},
- {CIB_OP_DELETE, 0, 0, 'D', NULL, 1},
- {CIB_OP_BUMP, 0, 0, 'B', NULL, 1},
- {CIB_OP_SYNC, 0, 0, 'S', NULL, 1},
- {CIB_OP_SLAVE, 0, 0, 'r', NULL, 1},
- {CIB_OP_MASTER, 0, 0, 'w', NULL, 1},
- {CIB_OP_ISMASTER,0, 0, 'm', NULL, 1},
{0, 0, 0, 0}
};
@@ -274,10 +257,9 @@ main(int argc, char **argv)
case 'P':
cib_action = CIB_OP_APPLY_DIFF;
break;
- case 'S':
- cib_action = CIB_OP_SYNC;
- break;
case 'U':
+ cib_user = optarg;
+ break;
case 'M':
cib_action = CIB_OP_MODIFY;
break;
@@ -302,22 +284,9 @@ main(int argc, char **argv)
case 'n':
command_options |= cib_no_children;
break;
- case 'm':
- cib_action = CIB_OP_ISMASTER;
- command_options |= cib_scope_local;
- break;
case 'B':
cib_action = CIB_OP_BUMP;
break;
- case 'r':
- dangerous_cmd = TRUE;
- cib_action = CIB_OP_SLAVE;
- break;
- case 'w':
- dangerous_cmd = TRUE;
- cib_action = CIB_OP_MASTER;
- command_options |= cib_scope_local;
- break;
case 'V':
command_options = command_options | cib_verbose;
bump_log_num++;
@@ -557,22 +526,9 @@ do_work(xmlNode * input, int call_options, xmlNode ** output)
}
}
- if (strcasecmp(CIB_OP_SYNC, cib_action) == 0) {
- crm_trace("Performing %s op...", cib_action);
- return the_cib->cmds->sync_from(the_cib, host, obj_type, call_options);
-
- } else if (strcasecmp(CIB_OP_SLAVE, cib_action) == 0 && (call_options ^ cib_scope_local)) {
- crm_trace("Performing %s op on all nodes...", cib_action);
- return the_cib->cmds->set_slave_all(the_cib, call_options);
-
- } else if (strcasecmp(CIB_OP_MASTER, cib_action) == 0) {
- crm_trace("Performing %s op on all nodes...", cib_action);
- return the_cib->cmds->set_master(the_cib, call_options);
-
- } else if (cib_action != NULL) {
+ if (cib_action != NULL) {
crm_trace("Passing \"%s\" to variant_op...", cib_action);
- return cib_internal_op(the_cib, cib_action, host, obj_type, input, output, call_options,
- NULL);
+ return cib_internal_op(the_cib, cib_action, host, obj_type, input, output, call_options, cib_user);
} else {
crm_err("You must specify an operation");
@@ -608,15 +564,7 @@ cibadmin_op_callback(xmlNode * msg, int call_id, int rc, xmlNode * output, void
{
exit_code = rc;
- if (safe_str_eq(cib_action, CIB_OP_ISMASTER) && rc != pcmk_ok) {
- crm_info("CIB on %s is _not_ the master instance", host ? host : "localhost");
- fprintf(stderr, "CIB on %s is _not_ the master instance\n", host ? host : "localhost");
-
- } else if (safe_str_eq(cib_action, CIB_OP_ISMASTER)) {
- crm_info("CIB on %s _is_ the master instance", host ? host : "localhost");
- fprintf(stderr, "CIB on %s _is_ the master instance\n", host ? host : "localhost");
-
- } else if (rc != 0) {
+ if (rc != 0) {
crm_warn("Call %s failed (%d): %s", cib_action, rc, pcmk_strerror(rc));
fprintf(stderr, "Call %s failed (%d): %s\n", cib_action, rc, pcmk_strerror(rc));
print_xml_output(output);
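Review bot: In `main()`'s option switch, `-U` changes from a hidden alias of `--modify` (it used to fall through to `case 'M'`) to `--user`, which takes an argument, and nothing in the visible hunks flags that change for existing callers. An invocation that still passes `-U` as the legacy update flag would now have its next argument consumed as the user name. The option-string setup is outside these hunks, so confirm that `U` is registered as taking an argument; otherwise `optarg` is NULL and the command silently runs without the requested user. A comment at the case, such as `/* -U was a legacy alias for --modify; it now selects the user whose ACLs apply */`, would help.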
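--- a/tools/crm_resource.c
+++ b/tools/crm_resource.c
@@ -2233,8 +2233,10 @@ main(int argc, char **argv)
 bail:
- if (cib_conn != NULL) {
+ if (data_set.input != NULL) {
 cleanup_alloc_calculations(&data_set);
+ }
+ if (cib_conn != NULL) {
 cib_conn->cmds->signoff(cib_conn);
 cib_delete(cib_conn);
 }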
517 tools/regression.acls.exp
@@ -0,0 +1,517 @@
+Setting up shadow instance
+A new shadow instance was created. To begin using it paste the following into your shell:
+ CIB_shadow=tools-regression ; export CIB_shadow
+=#=#=#= Begin test: Configure some ACLs =#=#=#=
+<cib epoch="1" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
+ <configuration>
+ <crm_config/>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: Configure some ACLs - OK (0) =#=#=#=
+* Passed: cibadmin - Configure some ACLs
+=#=#=#= Begin test: Enable ACLs =#=#=#=
+<cib epoch="2" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: Enable ACLs - OK (0) =#=#=#=
+* Passed: crm_attribute - Enable ACLs
+=#=#=#= Begin test: Set cluster option =#=#=#=
+<cib epoch="3" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: Set cluster option - OK (0) =#=#=#=
+* Passed: crm_attribute - Set cluster option
+=#=#=#= Begin test: unknownguy: Query configuration =#=#=#=
+Call failed: Permission denied
+=#=#=#= End test: unknownguy: Query configuration - Permission denied (13) =#=#=#=
+* Passed: cibadmin - unknownguy: Query configuration
+=#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: unknownguy: Set enable-acl - Permission denied (13) =#=#=#=
+* Passed: crm_attribute - unknownguy: Set enable-acl
+=#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: unknownguy: Set stonith-enabled - Permission denied (13) =#=#=#=
+* Passed: crm_attribute - unknownguy: Set stonith-enabled
+=#=#=#= Begin test: unknownguy: Create a resource =#=#=#=
+Call failed: Permission denied
+=#=#=#= End test: unknownguy: Create a resource - Permission denied (13) =#=#=#=
+* Passed: cibadmin - unknownguy: Create a resource
+=#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#=
+Call failed: Permission denied
+=#=#=#= End test: l33t-haxor: Query configuration - Permission denied (13) =#=#=#=
+* Passed: cibadmin - l33t-haxor: Query configuration
+=#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Set enable-acl - Permission denied (13) =#=#=#=
+* Passed: crm_attribute - l33t-haxor: Set enable-acl
+=#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Set stonith-enabled - Permission denied (13) =#=#=#=
+* Passed: crm_attribute - l33t-haxor: Set stonith-enabled
+=#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#=
+Call failed: Permission denied
+=#=#=#= End test: l33t-haxor: Create a resource - Permission denied (13) =#=#=#=
+* Passed: cibadmin - l33t-haxor: Create a resource
+=#=#=#= Begin test: niceguy: Query configuration =#=#=#=
+<cib epoch="3" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+<cib epoch="3" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#=
+* Passed: cibadmin - niceguy: Query configuration
+=#=#=#= Begin test: niceguy: Set enable-acl =#=#=#=
+Error performing operation: Permission denied
+Error setting enable-acl=false (section=crm_config, set=<null>): Permission denied
+<cib epoch="3" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Set enable-acl - Permission denied (13) =#=#=#=
+* Passed: crm_attribute - niceguy: Set enable-acl
+=#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#=
+<cib epoch="4" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#=
+* Passed: crm_attribute - niceguy: Set stonith-enabled
+=#=#=#= Begin test: niceguy: Create a resource =#=#=#=
+Call failed: Permission denied
+<cib epoch="4" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Create a resource - Permission denied (13) =#=#=#=
+* Passed: cibadmin - niceguy: Create a resource
+=#=#=#= Begin test: root: Query configuration =#=#=#=
+<cib epoch="4" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+<cib epoch="4" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: root: Query configuration - OK (0) =#=#=#=
+* Passed: cibadmin - root: Query configuration
+=#=#=#= Begin test: root: Set stonith-enabled =#=#=#=
+<cib epoch="5" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#=
+* Passed: crm_attribute - root: Set stonith-enabled
+=#=#=#= Begin test: root: Create a resource =#=#=#=
+<cib epoch="6" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: root: Create a resource - OK (0) =#=#=#=
+* Passed: cibadmin - root: Create a resource
+=#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#=
+ error: crm_abort: crm_element_value: Triggered assert at xml.c:5511 : data != NULL
+ error: crm_abort: update_validation: Triggered assert at xml.c:5118 : *xml_blob != NULL
+ error: crm_element_value: Couldn't find validate-with in NULL
+ error: crm_abort: crm_element_value: Triggered assert at xml.c:5511 : data != NULL
+Your current configuration could only be upgraded to <null>... the minimum requirement is pacemaker-1.0.
+Error performing operation: Required key not available
+=#=#=#= End test: l33t-haxor: Create a resource meta attribute - Required key not available (126) =#=#=#=
+* Passed: crm_resource - l33t-haxor: Create a resource meta attribute
+=#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#=
+ error: crm_abort: crm_element_value: Triggered assert at xml.c:5511 : data != NULL
+ error: crm_abort: update_validation: Triggered assert at xml.c:5118 : *xml_blob != NULL
+ error: crm_element_value: Couldn't find validate-with in NULL
+ error: crm_abort: crm_element_value: Triggered assert at xml.c:5511 : data != NULL
+Your current configuration could only be upgraded to <null>... the minimum requirement is pacemaker-1.0.
+Error performing operation: Required key not available
+=#=#=#= End test: l33t-haxor: Query a resource meta attribute - Required key not available (126) =#=#=#=
+* Passed: crm_resource - l33t-haxor: Query a resource meta attribute
+=#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#=
+ error: crm_abort: crm_element_value: Triggered assert at xml.c:5511 : data != NULL
+ error: crm_abort: update_validation: Triggered assert at xml.c:5118 : *xml_blob != NULL
+ error: crm_element_value: Couldn't find validate-with in NULL
+ error: crm_abort: crm_element_value: Triggered assert at xml.c:5511 : data != NULL
+Your current configuration could only be upgraded to <null>... the minimum requirement is pacemaker-1.0.
+Error performing operation: Required key not available
+=#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Required key not available (126) =#=#=#=
+* Passed: crm_resource - l33t-haxor: Remove a resource meta attribute
+=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
+<cib epoch="7" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Create a resource meta attribute
+=#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#=
+Stopped
+<cib epoch="7" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Query a resource meta attribute
+=#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#=
+Deleted dummy option: id=dummy-meta_attributes-target-role name=target-role
+<cib epoch="8" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes"/>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Remove a resource meta attribute
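Review bot: The recorded baseline for the three `l33t-haxor` crm_resource tests accepts an assertion cascade as a pass. Each block logs `Triggered assert at xml.c:5511 : data != NULL` and `update_validation: Triggered assert at xml.c:5118 : *xml_blob != NULL`, then ends with `Required key not available (126)`, whereas every other denied request in this file ends with `Permission denied (13)`. This suggests that a CIB query refused by the ACL hands a NULL document to the schema-upgrade path instead of being rejected up front; that code is not on this page, so it should be confirmed there. Pinning the assert text also ties the baseline to source line numbers in xml.c, so an unrelated edit to that file will fail the test. Once the caller checks the query result, the expected block should match the cibadmin cases, ending in `=#=#=#= End test: l33t-haxor: Create a resource meta attribute - Permission denied (13) =#=#=#=` with no `crm_abort` lines.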
236 tools/regression.dates.exp
@@ -0,0 +1,236 @@
+=#=#=#= Begin test: 2006-W01-7 =#=#=#=
+Date: 2006-01-08 00:00:00Z
+=#=#=#= End test: 2006-W01-7 - OK (0) =#=#=#=
+* Passed: iso8601 - 2006-W01-7
+=#=#=#= Begin test: 2006-W01-7 - round-trip =#=#=#=
+Date: 2006-W01-7 00:00:00Z
+=#=#=#= End test: 2006-W01-7 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2006-W01-7 - round-trip
+=#=#=#= Begin test: 2006-W01-1 =#=#=#=
+Date: 2006-01-02 00:00:00Z
+=#=#=#= End test: 2006-W01-1 - OK (0) =#=#=#=
+* Passed: iso8601 - 2006-W01-1
+=#=#=#= Begin test: 2006-W01-1 - round-trip =#=#=#=
+Date: 2006-W01-1 00:00:00Z
+=#=#=#= End test: 2006-W01-1 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2006-W01-1 - round-trip
+=#=#=#= Begin test: 2007-W01-7 =#=#=#=
+Date: 2007-01-07 00:00:00Z
+=#=#=#= End test: 2007-W01-7 - OK (0) =#=#=#=
+* Passed: iso8601 - 2007-W01-7
+=#=#=#= Begin test: 2007-W01-7 - round-trip =#=#=#=
+Date: 2007-W01-7 00:00:00Z
+=#=#=#= End test: 2007-W01-7 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2007-W01-7 - round-trip
+=#=#=#= Begin test: 2007-W01-1 =#=#=#=
+Date: 2007-01-01 00:00:00Z
+=#=#=#= End test: 2007-W01-1 - OK (0) =#=#=#=
+* Passed: iso8601 - 2007-W01-1
+=#=#=#= Begin test: 2007-W01-1 - round-trip =#=#=#=
+Date: 2007-W01-1 00:00:00Z
+=#=#=#= End test: 2007-W01-1 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2007-W01-1 - round-trip
+=#=#=#= Begin test: 2008-W01-7 =#=#=#=
+Date: 2008-01-06 00:00:00Z
+=#=#=#= End test: 2008-W01-7 - OK (0) =#=#=#=
+* Passed: iso8601 - 2008-W01-7
+=#=#=#= Begin test: 2008-W01-7 - round-trip =#=#=#=
+Date: 2008-W01-7 00:00:00Z
+=#=#=#= End test: 2008-W01-7 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2008-W01-7 - round-trip
+=#=#=#= Begin test: 2008-W01-1 =#=#=#=
+Date: 2007-12-31 00:00:00Z
+=#=#=#= End test: 2008-W01-1 - OK (0) =#=#=#=
+* Passed: iso8601 - 2008-W01-1
+=#=#=#= Begin test: 2008-W01-1 - round-trip =#=#=#=
+Date: 2008-W01-1 00:00:00Z
+=#=#=#= End test: 2008-W01-1 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2008-W01-1 - round-trip
+=#=#=#= Begin test: 2009-W01-7 =#=#=#=
+Date: 2009-01-04 00:00:00Z
+=#=#=#= End test: 2009-W01-7 - OK (0) =#=#=#=
+* Passed: iso8601 - 2009-W01-7
+=#=#=#= Begin test: 2009-W01-7 - round-trip =#=#=#=
+Date: 2009-W01-7 00:00:00Z
+=#=#=#= End test: 2009-W01-7 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2009-W01-7 - round-trip
+=#=#=#= Begin test: 2009-W01-1 =#=#=#=
+Date: 2008-12-29 00:00:00Z
+=#=#=#= End test: 2009-W01-1 - OK (0) =#=#=#=
+* Passed: iso8601 - 2009-W01-1
+=#=#=#= Begin test: 2009-W01-1 - round-trip =#=#=#=
+Date: 2009-W01-1 00:00:00Z
+=#=#=#= End test: 2009-W01-1 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2009-W01-1 - round-trip
+=#=#=#= Begin test: 2010-W01-7 =#=#=#=
+Date: 2010-01-10 00:00:00Z
+=#=#=#= End test: 2010-W01-7 - OK (0) =#=#=#=
+* Passed: iso8601 - 2010-W01-7
+=#=#=#= Begin test: 2010-W01-7 - round-trip =#=#=#=
+Date: 2010-W01-7 00:00:00Z
+=#=#=#= End test: 2010-W01-7 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2010-W01-7 - round-trip
+=#=#=#= Begin test: 2010-W01-1 =#=#=#=
+Date: 2010-01-04 00:00:00Z
+=#=#=#= End test: 2010-W01-1 - OK (0) =#=#=#=
+* Passed: iso8601 - 2010-W01-1
+=#=#=#= Begin test: 2010-W01-1 - round-trip =#=#=#=
+Date: 2010-W01-1 00:00:00Z
+=#=#=#= End test: 2010-W01-1 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2010-W01-1 - round-trip
+=#=#=#= Begin test: 2011-W01-7 =#=#=#=
+Date: 2011-01-09 00:00:00Z
+=#=#=#= End test: 2011-W01-7 - OK (0) =#=#=#=
+* Passed: iso8601 - 2011-W01-7
+=#=#=#= Begin test: 2011-W01-7 - round-trip =#=#=#=
+Date: 2011-W01-7 00:00:00Z
+=#=#=#= End test: 2011-W01-7 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2011-W01-7 - round-trip
+=#=#=#= Begin test: 2011-W01-1 =#=#=#=
+Date: 2011-01-03 00:00:00Z
+=#=#=#= End test: 2011-W01-1 - OK (0) =#=#=#=
+* Passed: iso8601 - 2011-W01-1
+=#=#=#= Begin test: 2011-W01-1 - round-trip =#=#=#=
+Date: 2011-W01-1 00:00:00Z
+=#=#=#= End test: 2011-W01-1 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2011-W01-1 - round-trip
+=#=#=#= Begin test: 2012-W01-7 =#=#=#=
+Date: 2012-01-08 00:00:00Z
+=#=#=#= End test: 2012-W01-7 - OK (0) =#=#=#=
+* Passed: iso8601 - 2012-W01-7
+=#=#=#= Begin test: 2012-W01-7 - round-trip =#=#=#=
+Date: 2012-W01-7 00:00:00Z
+=#=#=#= End test: 2012-W01-7 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2012-W01-7 - round-trip
+=#=#=#= Begin test: 2012-W01-1 =#=#=#=
+Date: 2012-01-02 00:00:00Z
+=#=#=#= End test: 2012-W01-1 - OK (0) =#=#=#=
+* Passed: iso8601 - 2012-W01-1
+=#=#=#= Begin test: 2012-W01-1 - round-trip =#=#=#=
+Date: 2012-W01-1 00:00:00Z
+=#=#=#= End test: 2012-W01-1 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2012-W01-1 - round-trip
+=#=#=#= Begin test: 2013-W01-7 =#=#=#=
+Date: 2013-01-06 00:00:00Z
+=#=#=#= End test: 2013-W01-7 - OK (0) =#=#=#=
+* Passed: iso8601 - 2013-W01-7
+=#=#=#= Begin test: 2013-W01-7 - round-trip =#=#=#=
+Date: 2013-W01-7 00:00:00Z
+=#=#=#= End test: 2013-W01-7 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2013-W01-7 - round-trip
+=#=#=#= Begin test: 2013-W01-1 =#=#=#=
+Date: 2012-12-31 00:00:00Z
+=#=#=#= End test: 2013-W01-1 - OK (0) =#=#=#=
+* Passed: iso8601 - 2013-W01-1
+=#=#=#= Begin test: 2013-W01-1 - round-trip =#=#=#=
+Date: 2013-W01-1 00:00:00Z
+=#=#=#= End test: 2013-W01-1 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2013-W01-1 - round-trip
+=#=#=#= Begin test: 2014-W01-7 =#=#=#=
+Date: 2014-01-05 00:00:00Z
+=#=#=#= End test: 2014-W01-7 - OK (0) =#=#=#=
+* Passed: iso8601 - 2014-W01-7
+=#=#=#= Begin test: 2014-W01-7 - round-trip =#=#=#=
+Date: 2014-W01-7 00:00:00Z
+=#=#=#= End test: 2014-W01-7 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2014-W01-7 - round-trip
+=#=#=#= Begin test: 2014-W01-1 =#=#=#=
+Date: 2013-12-30 00:00:00Z
+=#=#=#= End test: 2014-W01-1 - OK (0) =#=#=#=
+* Passed: iso8601 - 2014-W01-1
+=#=#=#= Begin test: 2014-W01-1 - round-trip =#=#=#=
+Date: 2014-W01-1 00:00:00Z
+=#=#=#= End test: 2014-W01-1 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2014-W01-1 - round-trip
+=#=#=#= Begin test: 2015-W01-7 =#=#=#=
+Date: 2015-01-04 00:00:00Z
+=#=#=#= End test: 2015-W01-7 - OK (0) =#=#=#=
+* Passed: iso8601 - 2015-W01-7
+=#=#=#= Begin test: 2015-W01-7 - round-trip =#=#=#=
+Date: 2015-W01-7 00:00:00Z
+=#=#=#= End test: 2015-W01-7 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2015-W01-7 - round-trip
+=#=#=#= Begin test: 2015-W01-1 =#=#=#=
+Date: 2014-12-29 00:00:00Z
+=#=#=#= End test: 2015-W01-1 - OK (0) =#=#=#=
+* Passed: iso8601 - 2015-W01-1
+=#=#=#= Begin test: 2015-W01-1 - round-trip =#=#=#=
+Date: 2015-W01-1 00:00:00Z
+=#=#=#= End test: 2015-W01-1 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2015-W01-1 - round-trip
+=#=#=#= Begin test: 2016-W01-7 =#=#=#=
+Date: 2016-01-10 00:00:00Z
+=#=#=#= End test: 2016-W01-7 - OK (0) =#=#=#=
+* Passed: iso8601 - 2016-W01-7
+=#=#=#= Begin test: 2016-W01-7 - round-trip =#=#=#=
+Date: 2016-W01-7 00:00:00Z
+=#=#=#= End test: 2016-W01-7 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2016-W01-7 - round-trip
+=#=#=#= Begin test: 2016-W01-1 =#=#=#=
+Date: 2016-01-04 00:00:00Z
+=#=#=#= End test: 2016-W01-1 - OK (0) =#=#=#=
+* Passed: iso8601 - 2016-W01-1
+=#=#=#= Begin test: 2016-W01-1 - round-trip =#=#=#=
+Date: 2016-W01-1 00:00:00Z
+=#=#=#= End test: 2016-W01-1 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2016-W01-1 - round-trip
+=#=#=#= Begin test: 2017-W01-7 =#=#=#=
+Date: 2017-01-08 00:00:00Z
+=#=#=#= End test: 2017-W01-7 - OK (0) =#=#=#=
+* Passed: iso8601 - 2017-W01-7
+=#=#=#= Begin test: 2017-W01-7 - round-trip =#=#=#=
+Date: 2017-W01-7 00:00:00Z
+=#=#=#= End test: 2017-W01-7 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2017-W01-7 - round-trip
+=#=#=#= Begin test: 2017-W01-1 =#=#=#=
+Date: 2017-01-02 00:00:00Z
+=#=#=#= End test: 2017-W01-1 - OK (0) =#=#=#=
+* Passed: iso8601 - 2017-W01-1
+=#=#=#= Begin test: 2017-W01-1 - round-trip =#=#=#=
+Date: 2017-W01-1 00:00:00Z
+=#=#=#= End test: 2017-W01-1 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2017-W01-1 - round-trip
+=#=#=#= Begin test: 2018-W01-7 =#=#=#=
+Date: 2018-01-07 00:00:00Z
+=#=#=#= End test: 2018-W01-7 - OK (0) =#=#=#=
+* Passed: iso8601 - 2018-W01-7
+=#=#=#= Begin test: 2018-W01-7 - round-trip =#=#=#=
+Date: 2018-W01-7 00:00:00Z
+=#=#=#= End test: 2018-W01-7 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2018-W01-7 - round-trip
+=#=#=#= Begin test: 2018-W01-1 =#=#=#=
+Date: 2018-01-01 00:00:00Z
+=#=#=#= End test: 2018-W01-1 - OK (0) =#=#=#=
+* Passed: iso8601 - 2018-W01-1
+=#=#=#= Begin test: 2018-W01-1 - round-trip =#=#=#=
+Date: 2018-W01-1 00:00:00Z
+=#=#=#= End test: 2018-W01-1 - round-trip - OK (0) =#=#=#=
+* Passed: iso8601 - 2018-W01-1 - round-trip
+=#=#=#= Begin test: 2009-W53-07 =#=#=#=
+Date: 2009-W53-7 00:00:00Z
+=#=#=#= End test: 2009-W53-07 - OK (0) =#=#=#=
+* Passed: iso8601 - 2009-W53-07
+=#=#=#= Begin test: 2009-01-31 + 1 Month =#=#=#=
+Date: 2009-01-31 00:00:00Z
+Duration: 0000-01-00 00:00:00Z
+Duration ends at: 2009-02-28 00:00:00Z
+=#=#=#= End test: 2009-01-31 + 1 Month - OK (0) =#=#=#=
+* Passed: iso8601 - 2009-01-31 + 1 Month
+=#=#=#= Begin test: 2009-01-31 + 2 Months =#=#=#=
+Date: 2009-01-31 00:00:00Z
+Duration: 0000-02-00 00:00:00Z
+Duration ends at: 2009-03-31 00:00:00Z
+=#=#=#= End test: 2009-01-31 + 2 Months - OK (0) =#=#=#=
+* Passed: iso8601 - 2009-01-31 + 2 Months
+=#=#=#= Begin test: 2009-01-31 + 3 Months =#=#=#=
+Date: 2009-01-31 00:00:00Z
+Duration: 0000-03-00 00:00:00Z
+Duration ends at: 2009-04-30 00:00:00Z
+=#=#=#= End test: 2009-01-31 + 3 Months - OK (0) =#=#=#=
+* Passed: iso8601 - 2009-01-31 + 3 Months
+=#=#=#= Begin test: 2009-03-31 - 1 Month =#=#=#=
+Date: 2009-03-31 00:00:00Z
+Duration: 0000--01-00 00:00:00Z
+Duration ends at: 2009-02-28 00:00:00Z
+=#=#=#= End test: 2009-03-31 - 1 Month - OK (0) =#=#=#=
+* Passed: iso8601 - 2009-03-31 - 1 Month
184 tools/regression.sh
@@ -5,6 +5,8 @@ test_home=`dirname $0`
num_errors=0
num_passed=0
GREP_OPTIONS=
+verbose=0
+tests="dates tools acls"
function test_assert() {
target=$1; shift
@@ -45,6 +47,7 @@ do_save=0
VALGRIND_CMD=
while test "$done" = "0"; do
case "$1" in
+ -t) tests=$2; shift; shift;;
-V|--verbose) verbose=1; shift;;
-v|--valgrind)
export G_SLICE=always-malloc
@@ -293,7 +296,7 @@ function test_tools() {
test_assert 0
}
-function test_date() {
+function test_dates() {
for y in 06 07 08 09 10 11 12 13 14 15 16 17 18; do
desc="20$y-W01-7"
cmd="iso8601 -d '20$y-W01-7 00Z'"
@@ -331,36 +334,169 @@ function test_date() {
desc="2009-03-31 - 1 Month"
cmd="iso8601 -d '2009-03-31 00:00:00Z' -D P-1M -E '2009-02-28 00:00:00Z'"
test_assert 0 0
- }
+}
-echo "Testing dates"
-test_date > $test_home/regression.out
-echo "Testing tools"
-test_tools >> $test_home/regression.out
-sed -i -e 's/cib-last-written.*>/>/' \
- -e 's/ last-run=\"[0-9]*\"//' \
- -e 's/crm_feature_set="[^"]*"//' \
- -e 's/ last-rc-change=\"[0-9]*\"//' $test_home/regression.out
-
-sed -i -e 's/cib-last-written.*>/>/' \
- -e 's/ last-run=\"[0-9]*\"//' \
- -e 's/crm_feature_set="[^"]*"//' \
- -e 's/ last-rc-change=\"[0-9]*\"//' $test_home/regression.exp
-
-if [ $do_save = 1 ]; then
- cp $test_home/regression.out $test_home/regression.exp
-fi
+function test_acls() {
+ export CIB_shadow_dir=$test_home
+ $VALGRIND_CMD crm_shadow --batch --force --create-empty $shadow 2>&1
+ export CIB_shadow=$shadow
+
+ cat<<EOF>/tmp/$$.acls.xml
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ </acls>
+EOF
+
+ desc="Configure some ACLs"
+ cmd="cibadmin -M -o acls --xml-file /tmp/$$.acls.xml"
+ test_assert 0
+
+ desc="Enable ACLs"
+ cmd="crm_attribute -n enable-acl -v true"
+ test_assert 0
+
+ desc="Set cluster option"
+ cmd="crm_attribute -n no-quorum-policy -v ignore"
+ test_assert 0
+
+ export CIB_user=unknownguy
+ desc="$CIB_user: Query configuration"
+ cmd="cibadmin -Q"
+ test_assert 13
+ desc="$CIB_user: Set enable-acl"
+ cmd="crm_attribute -n enable-acl -v false"
+ test_assert 13
+
+ desc="$CIB_user: Set stonith-enabled"
+ cmd="crm_attribute -n stonith-enabled -v false"
+ test_assert 13
+
+ desc="$CIB_user: Create a resource"
+ cmd="cibadmin -C -o resources --xml-text '<primitive id=\"dummy\" class=\"ocf\" provider=\"pacemaker\" type=\"Dummy\"/>'"
+ test_assert 13
+
+ export CIB_user=l33t-haxor
+ desc="$CIB_user: Query configuration"
+ cmd="cibadmin -Q"
+ test_assert 13
+
+ desc="$CIB_user: Set enable-acl"
+ cmd="crm_attribute -n enable-acl -v false"
+ test_assert 13
+
+ desc="$CIB_user: Set stonith-enabled"
+ cmd="crm_attribute -n stonith-enabled -v false"
+ test_assert 13
+
+ desc="$CIB_user: Create a resource"
+ cmd="cibadmin -C -o resources --xml-text '<primitive id=\"dummy\" class=\"ocf\" provider=\"pacemaker\" type=\"Dummy\"/>'"
+ test_assert 13
+
+ export CIB_user=niceguy
+ desc="$CIB_user: Query configuration"
+ cmd="cibadmin -Q"
+ test_assert 0
+
+ desc="$CIB_user: Set enable-acl"
+ cmd="crm_attribute -n enable-acl -v false"
+ test_assert 13
+
+ desc="$CIB_user: Set stonith-enabled"
+ cmd="crm_attribute -n stonith-enabled -v false"
+ test_assert 0
+
+ desc="$CIB_user: Create a resource"
+ cmd="cibadmin -C -o resources --xml-text '<primitive id=\"dummy\" class=\"ocf\" provider=\"pacemaker\" type=\"Dummy\"/>'"
+ test_assert 13
+
+ export CIB_user=root
+ desc="$CIB_user: Query configuration"
+ cmd="cibadmin -Q"
+ test_assert 0
+
+ desc="$CIB_user: Set stonith-enabled"
+ cmd="crm_attribute -n stonith-enabled -v true"
+ test_assert 0
+
+ desc="$CIB_user: Create a resource"
+ cmd="cibadmin -C -o resources --xml-text '<primitive id=\"dummy\" class=\"ocf\" provider=\"pacemaker\" type=\"Dummy\"/>'"
+ test_assert 0
+
+ export CIB_user=l33t-haxor
+
+ desc="$CIB_user: Create a resource meta attribute"
+ cmd="crm_resource -r dummy --meta -p target-role -v Stopped"
+ test_assert 126
+
+ desc="$CIB_user: Query a resource meta attribute"
+ cmd="crm_resource -r dummy --meta -g target-role"
+ test_assert 126
+
+ desc="$CIB_user: Remove a resource meta attribute"
+ cmd="crm_resource -r dummy --meta -d target-role"
+ test_assert 126
+
+ export CIB_user=niceguy
+
+ desc="$CIB_user: Create a resource meta attribute"
+ cmd="crm_resource -r dummy --meta -p target-role -v Stopped"
+ test_assert 0
+
+ desc="$CIB_user: Query a resource meta attribute"
+ cmd="crm_resource -r dummy --meta -g target-role"
+ test_assert 0
+
+ desc="$CIB_user: Remove a resource meta attribute"
+ cmd="crm_resource -r dummy --meta -d target-role"
+ test_assert 0
+}
+
+for t in $tests; do
+ echo "Testing $t"
+ test_$t > $test_home/regression.$t.out
+
+ sed -i -e 's/cib-last-written.*>/>/'\
+ -e 's/ last-run=\"[0-9]*\"//' \
+ -e 's/crm_feature_set="[^"]*"//'\
+ -e 's/ last-rc-change=\"[0-9]*\"//' $test_home/regression.$t.out
+
+ if [ $do_save = 1 ]; then
+ cp $test_home/regression.$t.out $test_home/regression.$t.exp
+ fi
+done
+
failed=0
echo -e "\n\nResults"
-diff -wu $test_home/regression.exp $test_home/regression.out