Bug 1248990 - Specifying a non-existing id in ACL role permission produces an invalid CIB
Specifying a non-existing id in ACL role permission produces an invalid CIB
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pcs (Show other bugs)
7.1
x86_64 Linux
low Severity unspecified
: rc
: ---
Assigned To: Ivan Devat
cluster-qe@redhat.com
:
: 1249071 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-07-31 05:39 EDT by Miroslav Lisik
Modified: 2016-11-03 16:55 EDT (History)
2 users (show)

See Also:
Fixed In Version: pcs-0.9.151-1.el7
Doc Type: Bug Fix
Doc Text:
Cause: pcs do not validate existence of id in cib when setting permission for it Consequence: pcs ends with an invalid cib report Fix: add validation of existence of id in cib Result: pcs exits gracefully with explanatory error message
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 16:55:02 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Miroslav Lisik 2015-07-31 05:39:16 EDT
Description of problem:
If you try to create a acl role with permission defined by non-existent id, an invalid cib report is produced instead of a proper error message.


Version-Release number of selected component (if applicable):
pcs-0.9.137-13.el7_1.3.x86_64
pcs-0.9.142-2.el7.x86_64

How reproducible:
always

Steps to Reproduce:

1. Check the pcs's acls:
[root@virt-082 ~]# pcs acl
ACLs are disabled, run 'pcs acl enable' to enable


2. Try to create role using some non-existent id
[root@virt-082 ~]# pcs acl role create test-role read id non-existent-id


Actual results:
Error: Unable to update cib
Call cib_replace failed (-203): Update does not conform to the configured schema
...

Expected results:
Error: unable to find id: non-existent-id
Comment 3 Tomas Jelinek 2015-11-13 07:31:39 EST
Description of problem:
If you try to add an acl permission defined by non-existent id to a role, an invalid cib report is produced instead of a proper error message.

Version-Release number of selected component (if applicable):
pcs-0.9.137-13.el7_1.3.x86_64
pcs-0.9.142-2.el7.x86_64

How reproducible:
always


Steps to Reproduce:
1) Run command:
# pcs acl permission add test-role read id non-existent-id

> Id 'non-existend-id' must not be defined in cib xml.


Actual results:

Error: Unable to update cib
Call cib_replace failed (-203): Update does not conform to the configured schema
...
> Long cib report truncated


Expected results:

Error: unable to find id: non-existent-id
Comment 4 Tomas Jelinek 2015-11-13 07:32:04 EST
*** Bug 1249071 has been marked as a duplicate of this bug. ***
Comment 5 Ivan Devat 2016-02-04 10:01:05 EST
proposed fix:
https://github.com/feist/pcs/commit/e142a3f3d50545e1146e625d81fe04aa844a1546

Setup:
[vm-rhel72-1 ~pcs/pcs] $ pcs acl role create test-role

Test:
[vm-rhel72-1 ~pcs/pcs] $ pcs acl permission add test-role read id missing-id
Error: id "missing-id" does not exist.
Comment 6 Mike McCune 2016-03-28 18:42:18 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Comment 7 Ivan Devat 2016-05-31 08:05:19 EDT
Before fix:
[vm-rhel72-1 ~] $ rpm -q pcs
pcs-0.9.143-15.el7.x86_64

[vm-rhel72-1 ~] $ pcs acl enable
[vm-rhel72-1 ~] $ pcs acl role create test-role read id non-existent-id
Error: Unable to update cib
Call cib_replace failed (-203): Update does not conform to the configured schema
<cib...

After Fix:
[vm-rhel72-1 ~] $ rpm -q pcs
pcs-0.9.151-1.el7.x86_64

[vm-rhel72-1 ~] $ pcs acl role create test-role read id non-existent-id
Error: id 'non-existent-id' does not exist
Comment 11 errata-xmlrpc 2016-11-03 16:55:02 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2596.html

Note You need to log in before you can comment on or make changes to this bug.