  • 15 commits
  • 13 files changed
  • 0 commit comments
  • 1 contributor
@@ -368,7 +368,7 @@ process_ping_reply(xmlNode *reply)
digest, remote_cib);
if(remote_cib) {
/* Additional debug */
- xml_calculate_changes(the_cib, remote_cib, NULL);
+ xml_calculate_changes(the_cib, remote_cib);
xml_log_changes(LOG_INFO, __FUNCTION__, remote_cib);
free_xml(remote_cib);
}
@@ -1035,19 +1035,6 @@ cib_process_request(xmlNode * request, gboolean force_synchronous, gboolean priv
return;
}
-static bool
-acl_enabled(GHashTable * config_hash)
-{
- bool rc = FALSE;
- const char *value = NULL;
-
- value = cib_pref(config_hash, "enable-acl");
- rc = crm_is_true(value);
-
- crm_debug("CIB ACL is %s", rc ? "enabled" : "disabled");
- return rc;
-}
-
int
cib_process_command(xmlNode * request, xmlNode ** reply, xmlNode ** cib_diff, gboolean privileged)
{
@@ -1056,10 +1043,6 @@ cib_process_command(xmlNode * request, xmlNode ** reply, xmlNode ** cib_diff, gb
xmlNode *result_cib = NULL;
xmlNode *current_cib = NULL;
-#if ENABLE_ACL
- xmlNode *filtered_current_cib = NULL;
-#endif
-
int call_type = 0;
int call_options = 0;
@@ -1106,26 +1089,9 @@ cib_process_command(xmlNode * request, xmlNode ** reply, xmlNode ** cib_diff, gb
goto done;
} else if (cib_op_modifies(call_type) == FALSE) {
- xmlNode *cib_ro = current_cib;
-
-#if ENABLE_ACL
- if (acl_enabled(config_hash)) {
- const char *user = crm_element_value(request, F_CIB_USER);
-
- if(xml_acl_filtered_copy(user, current_cib, &filtered_current_cib)) {
- if (filtered_current_cib == NULL) {
- crm_debug("Pre-filtered the entire cib");
- rc = -EACCES;
- goto done;
- }
- cib_ro = filtered_current_cib;
- }
- }
-#endif
-
rc = cib_perform_op(op, call_options, cib_op_func(call_type), TRUE,
section, request, input, FALSE, &config_changed,
- cib_ro, &result_cib, NULL, &output);
+ current_cib, &result_cib, NULL, &output);
CRM_CHECK(result_cib == NULL, free_xml(result_cib));
goto done;
@@ -1158,9 +1124,6 @@ cib_process_command(xmlNode * request, xmlNode ** reply, xmlNode ** cib_diff, gb
clear_bit(call_options, cib_zero_copy);
}
- if(acl_enabled(config_hash)) {
- xml_acl_enable(current_cib);
- }
/* result_cib must not be modified after cib_perform_op() returns */
rc = cib_perform_op(op, call_options, cib_op_func(call_type), FALSE,
section, request, input, manage_counters, &config_changed,
@@ -1220,21 +1183,6 @@ cib_process_command(xmlNode * request, xmlNode ** reply, xmlNode ** cib_diff, gb
}
output = result_cib;
-#if ENABLE_ACL
- if (acl_enabled(config_hash)) {
- const char *user = crm_element_value(request, F_CIB_USER);
-
- if(xml_acl_filtered_copy(user, current_cib, &filtered_current_cib)) {
- if (filtered_current_cib == NULL) {
- crm_debug("Pre-filtered the entire cib");
- rc = -EACCES;
- goto done;
- }
- free_xml(result_cib);
- output = filtered_current_cib;
- }
- }
-#endif
} else {
CRM_ASSERT(is_not_set(call_options, cib_zero_copy));
@@ -1282,15 +1230,15 @@ cib_process_command(xmlNode * request, xmlNode ** reply, xmlNode ** cib_diff, gb
}
crm_trace("cleanup");
-#if ENABLE_ACL
- if (filtered_current_cib != NULL) {
- free_xml(filtered_current_cib);
+
+ if (cib_op_modifies(call_type) == FALSE && output != current_cib) {
+ free_xml(output);
}
-#endif
if (call_type >= 0) {
cib_op_cleanup(call_type, call_options, &input, &output);
}
+
crm_trace("done");
return rc;
}
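Review bot: In the cleanup hunk, `output` is released with `free_xml(output)` and its address is still handed to `cib_op_cleanup(call_type, call_options, &input, &output)` two lines later, so any cleanup handler that inspects or frees `*output` would touch freed memory. cib_op_cleanup is not visible here, so this is a risk to confirm rather than a proven double free. Clearing the pointer makes the path safe either way: `free_xml(output); output = NULL;`. A comment stating who owns `output` at this point would also help, since the guard `output != current_cib` and the earlier `output = result_cib;` show that it can alias other documents. The body of cib_process_command starts outside the hunk.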
@@ -120,5 +120,6 @@ void crm_build_path(const char *path_c, mode_t mode);
int crm_user_lookup(const char *name, uid_t * uid, gid_t * gid);
int crm_exit(int rc);
+bool pcmk_acl_required(const char *user);
#endif
@@ -251,19 +251,24 @@ static inline int numXpathResults(xmlXPathObjectPtr xpathObj)
}
bool xml_acl_enabled(xmlNode *xml);
-void xml_acl_enable(xmlNode *xml); /* Call prior to xml_track_changes() */
+void xml_acl_enable(xmlNode *xml, const char *user); /* Call prior to xml_track_changes() */
+void xml_acl_disable(xmlNode *xml);
+bool xml_acl_denied(xmlNode *xml); /* Part or all of a change was rejected */
bool xml_acl_filtered_copy(const char *user, xmlNode *xml, xmlNode ** result);
-void xml_track_changes(xmlNode * xml, const char *user);
-void xml_calculate_changes(xmlNode * old, xmlNode * new, const char *user);
-void xml_accept_changes(xmlNode * xml);
+
bool xml_tracking_changes(xmlNode * xml);
bool xml_document_dirty(xmlNode *xml);
-xmlNode *xml_create_patchset(
- int format, xmlNode *source, xmlNode *target, bool *config, bool manage_version, bool with_digest);
-int xml_apply_patchset(xmlNode *xml, xmlNode *patchset, bool check_version);
+void xml_track_changes(xmlNode * xml, const char *user, bool enforce_acls);
+void xml_calculate_changes(xmlNode * old, xmlNode * new); /* For comparing two documents after the fact */
+void xml_accept_changes(xmlNode * xml);
void xml_log_changes(uint8_t level, const char *function, xmlNode *xml);
void xml_log_patchset(uint8_t level, const char *function, xmlNode *xml);
bool xml_patch_versions(xmlNode *patchset, int add[3], int del[3]);
+
+xmlNode *xml_create_patchset(
+ int format, xmlNode *source, xmlNode *target, bool *config, bool manage_version, bool with_digest);
+int xml_apply_patchset(xmlNode *xml, xmlNode *patchset, bool check_version);
+
void save_xml_to_file(xmlNode * xml, const char *desc, const char *filename);
char *xml_get_path(xmlNode *xml);
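Review bot: The comment kept on `xml_acl_enable()` still says "Call prior to xml_track_changes()", while the new `xml_track_changes(xml, user, enforce_acls)` takes the enforcement decision itself, so the header now describes two ways of turning ACLs on without saying which one callers should use. The new `xml_acl_disable()` and the `enforce_acls` parameter carry no comment at all. I would document the intended sequence on the prototype, e.g. `/* enforce_acls: check each tracked change against user's ACLs; test xml_acl_denied() before accepting the result */`, and state on `xml_acl_disable()` that changes made after it are not checked. These semantics are inferred from the names and from the callers in this commit, so please confirm them before wording the comments.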
@@ -254,8 +254,10 @@ cib_file_perform_op_delegate(cib_t * cib, const char *op, const char *host, cons
const char *user_name)
{
int rc = pcmk_ok;
+ char *effective_user = NULL;
gboolean query = FALSE;
gboolean changed = FALSE;
+ xmlNode *request = NULL;
xmlNode *output = NULL;
xmlNode *cib_diff = NULL;
xmlNode *result_cib = NULL;
@@ -264,6 +266,7 @@ cib_file_perform_op_delegate(cib_t * cib, const char *op, const char *host, cons
static int max_msg_types = DIMOF(cib_file_ops);
crm_info("%s on %s", op, section);
+ call_options |= (cib_no_mtime | cib_inhibit_bcast | cib_scope_local);
if (cib->state == cib_disconnected) {
return -ENOTCONN;
@@ -290,10 +293,20 @@ cib_file_perform_op_delegate(cib_t * cib, const char *op, const char *host, cons
}
cib->call_id++;
- rc = cib_perform_op(op, call_options | cib_no_mtime | cib_inhibit_bcast, fn, query,
- section, NULL, data, TRUE, &changed, in_mem_cib, &result_cib, &cib_diff,
+ request = cib_create_op(cib->call_id, "dummy-token", op, host, section, data, call_options, user_name);
+#if ENABLE_ACL
+ if(user_name != NULL) {
+ effective_user = uid2username(geteuid());
+ crm_trace("Checking if %s can impersonate %s", effective_user, user_name);
+ determine_request_user(effective_user, request, F_CIB_USER);
+ }
+ crm_trace("Performing %s operation as %s", op, crm_element_value(request, F_CIB_USER));
+#endif
+ rc = cib_perform_op(op, call_options, fn, query,
+ section, request, data, TRUE, &changed, in_mem_cib, &result_cib, &cib_diff,
&output);
+ free_xml(request);
if (rc == -pcmk_err_dtd_validation) {
validate_xml_verbose(result_cib);
}
@@ -314,14 +327,16 @@ cib_file_perform_op_delegate(cib_t * cib, const char *op, const char *host, cons
}
if (output_data && output) {
- *output_data = copy_xml(output);
- }
+ if(output == in_mem_cib) {
+ *output_data = copy_xml(output);
+ } else {
+ *output_data = output;
+ }
- if (query == FALSE || (call_options & cib_no_children)) {
- free_xml(output);
- } else if (safe_str_eq(crm_element_name(output), "xpath-query")) {
+ } else if(output != in_mem_cib) {
free_xml(output);
}
+ free(effective_user);
return rc;
}
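Review bot: In the `#if ENABLE_ACL` block, the result of `uid2username(geteuid())` is passed to `crm_trace` as a `%s` argument and to `determine_request_user` without a NULL check, so if the lookup can fail (for example no passwd entry for the effective uid) the impersonation check runs with no effective user. The following trace has the same shape with `crm_element_value(request, F_CIB_USER)`, which looks like it can be NULL when `user_name` is NULL. I would fail closed before the check, `if (effective_user == NULL) { free_xml(request); return -EACCES; }`, and guard the `%s` arguments. The function body starts and ends outside these hunks, so any other early return after the allocation should be checked for a leak of `effective_user` as well.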
@@ -114,9 +114,12 @@ get_cib_copy(cib_t * cib)
if (cib->cmds->query(cib, NULL, &xml_cib, options) != pcmk_ok) {
crm_err("Couldnt retrieve the CIB");
+ free_xml(xml_cib);
return NULL;
+
} else if (xml_cib == NULL) {
crm_err("The CIB result was empty");
+ free_xml(xml_cib);
return NULL;
}
@@ -289,6 +292,27 @@ createEmptyCib(void)
return cib_root;
}
+static bool
+cib_acl_enabled(xmlNode *xml, const char *user)
+{
+ bool rc = FALSE;
+
+#if ENABLE_ACL
+ if(pcmk_acl_required(user)) {
+ const char *value = NULL;
+ GHashTable *options = g_hash_table_new_full(crm_str_hash, g_str_equal, g_hash_destroy_str, g_hash_destroy_str);
+
+ cib_read_config(options, xml);
+ value = cib_pref(options, "enable-acl");
+ rc = crm_is_true(value);
+ g_hash_table_destroy(options);
+ }
+
+ crm_debug("CIB ACL is %s", rc ? "enabled" : "disabled");
+#endif
+ return rc;
+}
+
int
cib_perform_op(const char *op, int call_options, cib_op_t * fn, gboolean is_query,
const char *section, xmlNode * req, xmlNode * input,
@@ -301,9 +325,9 @@ cib_perform_op(const char *op, int call_options, cib_op_t * fn, gboolean is_quer
xmlNode *scratch = NULL;
xmlNode *local_diff = NULL;
- const char *user = crm_element_value(req, F_CIB_USER);
const char *new_version = NULL;
static struct qb_log_callsite *diff_cs = NULL;
+ const char *user = crm_element_value(req, F_CIB_USER);
crm_trace("Begin %s%s op", is_query ? "read-only " : "", op);
@@ -320,7 +344,38 @@ cib_perform_op(const char *op, int call_options, cib_op_t * fn, gboolean is_quer
}
if (is_query) {
- rc = (*fn) (op, call_options, section, req, input, current_cib, result_cib, output);
+ xmlNode *cib_ro = current_cib;
+ xmlNode *cib_filtered = NULL;
+
+ if(cib_acl_enabled(cib_ro, user)) {
+ if(xml_acl_filtered_copy(user, cib_ro, &cib_filtered)) {
+ if (cib_filtered == NULL) {
+ crm_debug("Pre-filtered the entire cib");
+ return -EACCES;
+ }
+ cib_ro = cib_filtered;
+ crm_log_xml_trace(cib_ro, "filtered");
+ }
+ }
+
+ rc = (*fn) (op, call_options, section, req, input, cib_ro, result_cib, output);
+
+ if(output == NULL) {
+ /* nothing */
+
+ } else if(cib_filtered == *output) {
+ cib_filtered = NULL; /* Let them have this copy */
+
+ } else if(cib_filtered) {
+ /* We're about to free the document of which *output is a part */
+ *output = copy_xml(*output);
+
+ } else if(*output != current_cib) {
+ /* Give them a copy they can free */
+ *output = copy_xml(*output);
+ }
+
+ free_xml(cib_filtered);
return rc;
}
@@ -335,26 +390,33 @@ cib_perform_op(const char *op, int call_options, cib_op_t * fn, gboolean is_quer
copy_in_properties(current_cib, scratch);
top = current_cib;
- xml_track_changes(scratch, user);
+ xml_track_changes(scratch, user, cib_acl_enabled(scratch, user));
rc = (*fn) (op, call_options, section, req, input, scratch, &scratch, output);
} else {
scratch = copy_xml(current_cib);
-
- xml_track_changes(scratch, user);
+ xml_track_changes(scratch, user, cib_acl_enabled(scratch, user));
rc = (*fn) (op, call_options, section, req, input, current_cib, &scratch, output);
if(xml_tracking_changes(scratch) == FALSE) {
crm_trace("Inferring changes after %s op", op);
- xml_calculate_changes(current_cib, scratch, user);
+ xml_track_changes(scratch, user, cib_acl_enabled(scratch, user));
+ xml_calculate_changes(current_cib, scratch);
}
CRM_CHECK(current_cib != scratch, return -EINVAL);
}
+ xml_acl_disable(scratch); /* Allow the system to make any additional changes */
+
if (rc == pcmk_ok && scratch == NULL) {
rc = -EINVAL;
goto done;
+ } else if(rc == pcmk_ok && xml_acl_denied(scratch)) {
+ crm_trace("ACL rejected part or all of the proposed changes");
+ rc = -EACCES;
+ goto done;
+
} else if (rc != pcmk_ok) {
goto done;
}
@@ -511,7 +573,19 @@ cib_perform_op(const char *op, int call_options, cib_op_t * fn, gboolean is_quer
}
done:
+
*result_cib = scratch;
+#if ENABLE_ACL
+ if(rc != pcmk_ok && cib_acl_enabled(current_cib, user)) {
+ if(xml_acl_filtered_copy(user, scratch, result_cib)) {
+ if (*result_cib == NULL) {
+ crm_debug("Pre-filtered the entire cib result");
+ }
+ free_xml(scratch);
+ }
+ }
+#endif
+
if(diff) {
*diff = local_diff;
} else {
@@ -766,5 +840,11 @@ cib_internal_op(cib_t * cib, const char *op, const char *host,
xmlNode ** output_data, int call_options, const char *user_name) =
cib->delegate_fn;
+#if ENABLE_ACL
+ if(user_name == NULL) {
+ user_name = getenv("CIB_user");
+ }
+#endif
+
return delegate(cib, op, host, section, data, output_data, call_options, user_name);
}
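Review bot: In the non-zero-copy branch of cib_perform_op, the fallback `xml_track_changes(scratch, user, cib_acl_enabled(scratch, user));` reads `enable-acl` from the proposed document after `(*fn)` has produced it, and it is reached exactly when tracking was lost, which looks like the case where `scratch` was replaced by request content. The decision whether to enforce ACLs then depends on content supplied in the request being checked. It should come from the committed configuration instead, `xml_track_changes(scratch, user, cib_acl_enabled(current_cib, user));`, ideally computed once before calling `(*fn)` and reused. Separately, the `done:` block calls `xml_acl_filtered_copy(user, scratch, result_cib)` on a path where `scratch` is NULL (`rc = -EINVAL`), which is worth guarding with `scratch != NULL`. The function starts and ends outside these hunks.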