Bug 1166160
| Summary: | 'pcs acl role create' does not check syntax properly | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | michal novacek <mnovacek> |
| Component: | pcs | Assignee: | Tomas Jelinek <tojeline> |
| Status: | CLOSED ERRATA | QA Contact: | cluster-qe <cluster-qe> |
| Severity: | medium | | |
| Priority: | medium | | |
| Version: | 7.1 | CC: | cfeist, cluster-maint, mlisik, rsteiger, tojeline |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Fixed In Version: | pcs-0.9.142-2.el7 | Doc Type: | Bug Fix |
| Last Closed: | 2015-11-19 09:33:41 UTC | Type: | Bug |

Doc Text:
Cause: User runs a 'pcs acl role create' command with a mistake in it.
Consequence: pcs creates an empty acl role and does not report any error to the user.
Fix: Validate parameters of the 'pcs acl role create' command properly and report any errors found.
Result: pcs reports an error and does not create any acl role.

Created attachment 1015590 [details]
proposed fix
Before Fix:
[root@rh71-node1 ~]# rpm -q pcs
pcs-0.9.137-13.el7_1.2.x86_64
[root@rh71-node1:~]# pcs acl role create no-resources2 deny '//resources'
[root@rh71-node1:~]# echo $?
0
[root@rh71-node1:~]# pcs acl show
ACLs are disabled, run 'pcs acl enable' to enable
Role: no-resources2
[root@rh71-node1:~]# pcs cluster cib | grep acl
<acls>
<acl_role id="no-resources2"/>
</acls>
After Fix:
[root@rh71-node1:~]# rpm -q pcs
pcs-0.9.140-1.el6.x86_64
[root@rh71-node1:~]# pcs acl role create no-resources2 deny '//resources'
Usage: pcs acl role create...
role create <role name> [description=<description>] [((read | write | deny)
(xpath <query> | id <id>))...]
Create a role with the name and (optional) description specified.
Each role can also have an unlimited number of permissions
(read/write/deny) applied to either an xpath query or the id
of a specific element in the cib
[root@rh71-node1:~]# echo $?
1
[root@rh71-node1:~]# pcs acl show
ACLs are disabled, run 'pcs acl enable' to enable
[root@rh71-node1:~]# pcs cluster cib | grep acl
Created attachment 1044306 [details]
proposed fix 2
Before Fix:
[root@rh71-node1 ~]# rpm -q pcs
pcs-0.9.141-1.el7.x86_64
[root@rh71-node1:~]# pcs acl role create test-role read XPath /
Usage: pcs acl role create...
role create <role name> [description=<description>] [((read | write | deny)
(xpath <query> | id <id>))...]
Create a role with the name and (optional) description specified.
Each role can also have an unlimited number of permissions
(read/write/deny) applied to either an xpath query or the id
of a specific element in the cib
[root@rh71-node1:~]# echo $?
1
[root@rh71-node1:~]# pcs acl role create test-role read xpath /
[root@rh71-node1:~]# echo $?
0
[root@rh71-node1:~]# pcs acl permission add test-role write XPath /
Usage: pcs acl permission add...
permission add <role name> ((read | write | deny) (xpath <query> |
id <id>))...
Add the listed permissions to the role specified
[root@rh71-node1:~]# echo $?
1
[root@rh71-node1:~]# pcs acl
ACLs are disabled, run 'pcs acl enable' to enable
Role: test-role
Permission: read xpath / (test-role-read)
Also it is not possible to add permissions to a role using web UI.
After Fix:
[root@rh71-node1:~]# rpm -q pcs
pcs-0.9.142-2.el7.x86_64
[root@rh71-node1:~]# pcs acl role create test-role read XPath /
[root@rh71-node1:~]# echo $?
0
[root@rh71-node1:~]# pcs acl permission add test-role write XPath /
[root@rh71-node1:~]# echo $?
0
[root@rh71-node1:~]# pcs acl
ACLs are disabled, run 'pcs acl enable' to enable
Role: test-role
Permission: read xpath / (test-role-read)
Permission: write xpath / (test-role-write)
It is possible to add permissions to a role using web UI.
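
The two behaviours verified above (a permission without the xpath/id keyword is rejected, and keywords are accepted regardless of case) can be sketched as a strict parser for the grammar in the usage text. This is an added example, not pcs source code; the function and exception names are hypothetical, and all arguments are validated before a role would be written to the CIB.

```python
# Added example: strict parser for
#   role create <role name> [description=<description>]
#       [((read | write | deny) (xpath <query> | id <id>))...]
# Not pcs source code; names below are hypothetical.

KINDS = {"read", "write", "deny"}
SCOPES = {"xpath", "id"}


class AclSyntaxError(ValueError):
    """Raised instead of creating a partially specified (or empty) role."""


def parse_permissions(tokens):
    """Parse (<kind> <xpath|id> <value>)... into a list of tuples."""
    if len(tokens) % 3 != 0:
        raise AclSyntaxError("permissions must be <kind> <xpath|id> <value> triples")
    perms = []
    for i in range(0, len(tokens), 3):
        # Keywords are compared case-insensitively; the query/id value is kept as typed.
        kind, scope, value = tokens[i].lower(), tokens[i + 1].lower(), tokens[i + 2]
        if kind not in KINDS:
            raise AclSyntaxError(f"expected read, write or deny, got {tokens[i]!r}")
        if scope not in SCOPES:
            raise AclSyntaxError(f"expected xpath or id, got {tokens[i + 1]!r}")
        perms.append((kind, scope, value))
    return perms


def parse_role_create(argv):
    """Validate every argument; return the role only if all tokens parse."""
    if not argv:
        raise AclSyntaxError("role name is required")
    name, rest = argv[0], list(argv[1:])
    description = ""
    # Assumption: the optional description, if present, is the first argument
    # after the role name, as in the usage text.
    if rest and rest[0].startswith("description="):
        description = rest.pop(0).split("=", 1)[1]
    return {"name": name, "description": description,
            "permissions": parse_permissions(rest)}
```

A caller would map `AclSyntaxError` to the usage message and a non-zero exit status, so a mistyped deny rule can never leave behind an empty role.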
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHSA-2015-2290.html
Description of problem:
'pcs acl create role' accepts incorrect syntax that leads to empty acl role which is confusing behaviour.

Version-Release number of selected component (if applicable):
pcs-0.9.135-1.el7.x86_64

How reproducible: always

Steps to Reproduce:
1. pcs acl role create no-resources2 deny '//resources'
2. pcs acl show

Actual results: role created with no content

Expected results: pcs would not run and complain about incorrect syntax (id or xpath missing in this case.)

Additional info:
[root@host-004 pcsd]# pcs acl role create all-except-resources deny '//resources'
[root@host-004 pcsd]# echo $?
0
[root@host-004 pcsd]# pcs acl show
User: misacek
Roles:
Role: all-except-resources
[root@host-004 pcsd]# pcs cluster cib | grep acl
<acls>
<acl_target id="misacek"/>
<acl_role id="all-except-resources"/>
</acls>