Red Hat Bugzilla – Bug 1166160
'pcs acl role create' does not check syntax properly
Last modified: 2015-11-19 04:33:41 EST
Description of problem:
'pcs acl create role' accepts incorrect syntax that leads to an empty ACL role, which is confusing behaviour.

Version-Release number of selected component (if applicable):
pcs-0.9.135-1.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. pcs acl role create no-resources2 deny '//resources'
2. pcs acl show

Actual results:
role created with no content

Expected results:
pcs would not run and would complain about incorrect syntax (id or xpath missing in this case).

Additional info:
[root@host-004 pcsd]# pcs acl role create all-except-resources deny '//resources'
[root@host-004 pcsd]# echo $?
0
[root@host-004 pcsd]# pcs acl show
User: misacek
  Roles:
Role: all-except-resources
[root@host-004 pcsd]# pcs cluster cib | grep acl
<acls>
<acl_target id="misacek"/>
<acl_role id="all-except-resources"/>
</acls>
Created attachment 1015590 [details] proposed fix
Before Fix:
[root@rh71-node1 ~]# rpm -q pcs
pcs-0.9.137-13.el7_1.2.x86_64
[root@rh71-node1:~]# pcs acl role create no-resources2 deny '//resources'
[root@rh71-node1:~]# echo $?
0
[root@rh71-node1:~]# pcs acl show
ACLs are disabled, run 'pcs acl enable' to enable

Role: no-resources2
[root@rh71-node1:~]# pcs cluster cib | grep acl
<acls>
<acl_role id="no-resources2"/>
</acls>

After Fix:
[root@rh71-node1:~]# rpm -q pcs
pcs-0.9.140-1.el6.x86_64
[root@rh71-node1:~]# pcs acl role create no-resources2 deny '//resources'

Usage: pcs acl role create...
    role create <role name> [description=<description>] [((read | write | deny) (xpath <query> | id <id>))...]
        Create a role with the name and (optional) description specified. Each role can also have an unlimited number of permissions (read/write/deny) applied to either an xpath query or the id of a specific element in the cib

[root@rh71-node1:~]# echo $?
1
[root@rh71-node1:~]# pcs acl show
ACLs are disabled, run 'pcs acl enable' to enable

[root@rh71-node1:~]# pcs cluster cib | grep acl
Created attachment 1044306 [details] proposed fix 2
Before Fix:
[root@rh71-node1 ~]# rpm -q pcs
pcs-0.9.141-1.el7.x86_64
[root@rh71-node1:~]# pcs acl role create test-role read XPath /

Usage: pcs acl role create...
    role create <role name> [description=<description>] [((read | write | deny) (xpath <query> | id <id>))...]
        Create a role with the name and (optional) description specified. Each role can also have an unlimited number of permissions (read/write/deny) applied to either an xpath query or the id of a specific element in the cib

[root@rh71-node1:~]# echo $?
1
[root@rh71-node1:~]# pcs acl role create test-role read xpath /
[root@rh71-node1:~]# echo $?
0
[root@rh71-node1:~]# pcs acl permission add test-role write XPath /

Usage: pcs acl permission add...
    permission add <role name> ((read | write | deny) (xpath <query> | id <id>))...
        Add the listed permissions to the role specified

[root@rh71-node1:~]# echo $?
1
[root@rh71-node1:~]# pcs acl
ACLs are disabled, run 'pcs acl enable' to enable

Role: test-role
  Permission: read xpath / (test-role-read)

Also it is not possible to add permissions to a role using web UI.

After Fix:
[root@rh71-node1:~]# rpm -q pcs
pcs-0.9.142-2.el7.x86_64
[root@rh71-node1:~]# pcs acl role create test-role read XPath /
[root@rh71-node1:~]# echo $?
0
[root@rh71-node1:~]# pcs acl permission add test-role write XPath /
[root@rh71-node1:~]# echo $?
0
[root@rh71-node1:~]# pcs acl
ACLs are disabled, run 'pcs acl enable' to enable

Role: test-role
  Permission: read xpath / (test-role-read)
  Permission: write xpath / (test-role-write)

It is possible to add permissions to a role using web UI.
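Added example, not part of the bug report and not the pcs source: a Python sketch of the two checks this report turns on, strict parsing of the `(read | write | deny) (xpath <query> | id <id>)` grammar from the usage text, and a scan of the CIB `<acls>` section for roles left without permissions. The function names and the `acl_permission` attribute values in the sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

KINDS = {"read", "write", "deny"}
SELECTORS = {"xpath", "id"}


def parse_permissions(args):
    """Parse ((read|write|deny) (xpath <query> | id <id>))... into triples.

    Raises ValueError rather than returning a partial or empty list, so a
    malformed rule cannot yield an empty role with exit status 0.
    """
    if len(args) % 3 != 0:
        raise ValueError("each permission needs: <kind> (xpath|id) <value>")
    perms = []
    for i in range(0, len(args), 3):
        # Keywords compared case-insensitively ("XPath" is accepted after
        # the second fix; doing the same for the kind is an assumption).
        kind, selector, value = args[i].lower(), args[i + 1].lower(), args[i + 2]
        if kind not in KINDS:
            raise ValueError(f"unknown permission kind: {args[i]!r}")
        if selector not in SELECTORS:
            raise ValueError(f"expected 'xpath' or 'id', got: {args[i + 1]!r}")
        if not value:
            raise ValueError("empty xpath query or id")
        perms.append((kind, selector, value))
    return perms


def empty_roles(cib_xml):
    """Return ids of acl_role elements that have no acl_permission child."""
    root = ET.fromstring(cib_xml)
    return [role.get("id") for role in root.iter("acl_role")
            if role.find("acl_permission") is None]


# Constructed sample: the <acls> section from the report plus one populated
# role for contrast (its attribute values are illustrative).
SAMPLE_ACLS = """
<acls>
  <acl_target id="misacek"/>
  <acl_role id="all-except-resources"/>
  <acl_role id="test-role">
    <acl_permission id="test-role-read" kind="read" xpath="/"/>
  </acl_role>
</acls>
"""

if __name__ == "__main__":
    print(empty_roles(SAMPLE_ACLS))
    print(parse_permissions(["read", "XPath", "/"]))
```

On a live cluster the second function could be fed the output of `pcs cluster cib` to flag roles like the one created in the original report.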
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-2290.html