Bug 1441673

Summary: Make pcs avoid a full CIB replacement
Product: Red Hat Enterprise Linux 7
Reporter: Tomas Jelinek <tojeline>
Component: pcs
Assignee: Tomas Jelinek <tojeline>
Status: CLOSED ERRATA
QA Contact: cluster-qe <cluster-qe>
Severity: unspecified
Docs Contact:
Priority: high
Version: 7.4
CC: cfeist, cluster-maint, idevat, ofamera, omular, rsteiger, slevine, tojeline
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: pcs-0.9.160-1.el7
Doc Type: No Doc Update
Doc Text:
The fix only applies to pcs commands moved to the new pcs architecture. The list of these commands is changing as we are working on moving all pcs commands to the new architecture. This may be confusing to the users, so I think we can skip documenting this bz.
Story Points: ---
Clone Of:
Clones: 1482623
Environment:
Last Closed: 2018-04-10 15:39:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1412309
Bug Blocks: 1482623
Attachments:
  proposed fix + tests (flags: none)
  additional fix (flags: none)

Description Tomas Jelinek 2017-04-12 12:34:17 UTC
Description of problem:
This has been partially implemented in bz1404233 - the "pcs cluster cib-push" command now has an option to obtain and push just a diff instead of the whole CIB.

It is required to make this approach the standard way of pushing the CIB in all pcs commands. The only exception is the "pcs cluster cib-push" command, where the user may want to really overwrite the existing CIB and make the live CIB look exactly like what has been provided to the command.

Reasoning:
1) avoid conflicts when editing the CIB simultaneously
See bz1404233 for more details.

2) replacing the whole CIB fails when ACLs are in place, see reproducer

3) performance reasons
When pushing the whole CIB, it takes more time to process it in pacemaker.


Version-Release number of selected component (if applicable):
pcs-0.9.157-1.el7.x86_64


How reproducible:
always, easily


Steps to Reproduce:
[root@rh73-node1:~]# pcs resource create dummy1 ocf:pacemaker:Dummy
[root@rh73-node1:~]# pcs resource create dummy2 ocf:pacemaker:Dummy
[root@rh73-node1:~]# pcs acl user create user1
[root@rh73-node1:~]# pcs acl role create role1
[root@rh73-node1:~]# pcs acl permission add role1 write xpath /
[root@rh73-node1:~]# pcs acl permission add role1 write xpath /cib/configuration
[root@rh73-node1:~]# pcs acl permission add role1 deny id dummy1
# avoid bz1441669
[root@rh73-node1:~]# pcs acl permission add role1 deny xpath /cib/configuration/acls
[root@rh73-node1:~]# pcs acl role assign role1 user user1
[root@rh73-node1:~]# pcs acl enable

# now switch to user1
[user1@rh73-node1 ~]$ pcs resource disable dummy2
Error: Unable to update cib
Call cib_replace failed (-13): Permission denied


Actual results:
It is not possible to edit the CIB.


Expected results:
It is possible to edit the CIB.


Additional info:
The command fails because:
* When reading the CIB, the dummy1 resource is filtered out because of the configured ACLs.
* The dummy2 resource is updated in memory.
* The whole CIB is pushed, but it does not contain the dummy1 resource - see above.
* Pacemaker evaluates this as an attempt to remove the dummy1 resource, which is prohibited by the ACLs.

If only a diff is pushed, everything works, as the diff does not contain any changes to the dummy1 resource.

Comment 2 Tomas Jelinek 2017-08-28 14:49:13 UTC
Created attachment 1319106 [details]
proposed fix + tests

Comment 3 Tomas Jelinek 2017-08-28 15:25:12 UTC
This is an internal change. The only effect users can notice is that the issues described in comment 0 are fixed. However, the fix only applies to pcs commands moved to the new pcs architecture. The list of these commands is changing as we are working on moving all pcs commands to the new architecture.

Comment 4 Ivan Devat 2017-09-01 12:52:54 UTC
Created attachment 1320928 [details]
additional fix

This patch fixes the following problem:

[vm-rhel72-1 ~] $ pcs resource bundle create B container docker image=pcs:test
CIB has been upgraded to the latest schema version.
[vm-rhel72-1 ~] $ pcs resource bundle update B container extra=
Error: Unable to update cib
Couldn't parse input from STDIN.
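The two failure modes on this page (the ACL-denied full replacement explained in the Description, and the zero-change push that produced "Couldn't parse input from STDIN" in this comment) can be reproduced in a small model of the read-modify-push cycle. The Python below is an added example written for this page; it is not pcs or pacemaker code. It uses a constructed two-resource CIB, a toy id-keyed element diff that stands in for pacemaker's real XML diff and patch handling, and a DENIED_IDS set that stands in for the role1 ACL; the scenario function names and the assumed diff semantics are this example's own, not the project's.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample CIB (not captured from a cluster): two Dummy resources,
# mirroring the reproducer in the Description.
LIVE_CIB = """<cib>
  <configuration>
    <resources>
      <primitive id="dummy1" class="ocf" provider="pacemaker" type="Dummy"/>
      <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>
    </resources>
  </configuration>
</cib>"""

# Assumed stand-in for the role1 ACL: ids user1 may neither read nor write.
DENIED_IDS = {"dummy1"}


def acl_filtered_view(cib_xml, denied_ids):
    """What a restricted user gets back on read: denied elements are dropped."""
    root = ET.fromstring(cib_xml)
    to_drop = [(p, c) for p in root.iter() for c in p if c.get("id") in denied_ids]
    for parent, child in to_drop:
        parent.remove(child)
    return root


def disable_resource(cib, resource_id):
    """In-memory equivalent of 'pcs resource disable': add target-role=Stopped."""
    prim = cib.find(f".//primitive[@id='{resource_id}']")
    if prim is None:
        raise KeyError(resource_id)
    meta = ET.SubElement(prim, "meta_attributes", id=f"{resource_id}-meta_attributes")
    ET.SubElement(meta, "nvpair", id=f"{meta.get('id')}-target-role",
                  name="target-role", value="Stopped")
    return cib


def compute_diff(old, new):
    """Toy id-keyed diff: ('add'|'remove'|'modify', id) for each element that
    appears, disappears or changes attributes. Stands in for pacemaker's diff."""
    old_idx = {e.get("id"): dict(e.attrib) for e in old.iter() if e.get("id")}
    new_idx = {e.get("id"): dict(e.attrib) for e in new.iter() if e.get("id")}
    ops = [("remove", i) for i in old_idx if i not in new_idx]
    ops += [("add", i) for i in new_idx if i not in old_idx]
    ops += [("modify", i) for i in old_idx if i in new_idx and old_idx[i] != new_idx[i]]
    return sorted(ops)


def pacemaker_acl_check(ops, denied_ids, call):
    """Server-side enforcement: any operation touching a denied id is refused."""
    for op, elem_id in ops:
        if elem_id in denied_ids:
            raise PermissionError(
                f"Call {call} failed (-13): Permission denied ({op} {elem_id})")
    return ops


def push_full_cib(live_xml, pushed, denied_ids):
    """Old behaviour: replace the live CIB with the user's (ACL-filtered) copy.
    Every element missing from that copy looks like a removal to pacemaker."""
    ops = compute_diff(ET.fromstring(live_xml), pushed)
    return pacemaker_acl_check(ops, denied_ids, "cib_replace")


def push_diff(original_view, modified, denied_ids):
    """Fixed behaviour: push only the changes between the copy as read and as
    modified. An empty diff is skipped instead of being pushed, which is the
    zero-change case the additional fix addresses."""
    ops = compute_diff(original_view, modified)
    if not ops:
        return []
    return pacemaker_acl_check(ops, denied_ids, "cib_apply_diff")


def scenario_full_replace():
    """user1 disables dummy2 and pushes the whole (dummy1-less) CIB."""
    view = acl_filtered_view(LIVE_CIB, DENIED_IDS)
    disable_resource(view, "dummy2")
    try:
        push_full_cib(LIVE_CIB, view, DENIED_IDS)
        return "ok"
    except PermissionError as err:
        return str(err)


def scenario_diff():
    """Same edit, but only the diff between read and modified copies is pushed."""
    view = acl_filtered_view(LIVE_CIB, DENIED_IDS)
    modified = disable_resource(copy.deepcopy(view), "dummy2")
    return push_diff(view, modified, DENIED_IDS)


def scenario_no_change():
    """A no-op edit yields an empty diff, which must not be pushed at all."""
    view = acl_filtered_view(LIVE_CIB, DENIED_IDS)
    return push_diff(view, copy.deepcopy(view), DENIED_IDS)


if __name__ == "__main__":
    print("full replace:", scenario_full_replace())
    print("diff push:   ", scenario_diff())
    print("no change:   ", scenario_no_change())
```

Running the three scenarios shows the full replacement refused because the pushed document lacks dummy1 (pacemaker treats that as a denied removal), the diff push carrying only the two new meta-attribute elements under dummy2 and therefore passing the ACL check, and the no-op edit producing an empty diff that is skipped rather than handed to the push.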

Comment 7 Ivan Devat 2017-10-11 08:09:47 UTC
After Fix:

[vm-rhel72-1 ~] $ rpm -q pcs
pcs-0.9.160-1.el7.x86_64

[vm-rhel72-1 ~] $ pcs resource create dummy1 ocf:pacemaker:Dummy
[vm-rhel72-1 ~] $ pcs resource create dummy2 ocf:pacemaker:Dummy
[vm-rhel72-1 ~] $ pcs acl user create user1
[vm-rhel72-1 ~] $ pcs acl role create role1
[vm-rhel72-1 ~] $ pcs acl permission add role1 write xpath /
[vm-rhel72-1 ~] $ pcs acl permission add role1 write xpath /cib/configuration
[vm-rhel72-1 ~] $ pcs acl permission add role1 deny id dummy1
[vm-rhel72-1 ~] $ pcs acl permission add role1 deny xpath /cib/configuration/acls
[vm-rhel72-1 ~] $ pcs acl role assign role1 user user1
[vm-rhel72-1 ~] $ pcs acl enable

[user1@vm-rhel72-1 ~]$ pcs resource disable dummy2
[user1@vm-rhel72-1 ~]$ echo $?
0

> the problem with zero change is not there anymore

[vm-rhel72-1 ~] $ pcs resource bundle create B container docker image=pcs:test
[vm-rhel72-1 ~] $ pcs resource bundle update B container extra=
[vm-rhel72-1 ~] $ echo $?
0

Comment 9 Tomas Jelinek 2017-10-12 08:56:23 UTC
*** Bug 1499796 has been marked as a duplicate of this bug. ***

Comment 19 errata-xmlrpc 2018-04-10 15:39:15 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0866