Red Hat Bugzilla – Bug 1248990
Specifying a non-existing id in ACL role permission produces an invalid CIB
Last modified: 2016-11-03 16:55:02 EDT
Description of problem:
If you try to create an acl role with permission defined by non-existent id, an invalid cib report is produced instead of a proper error message.

Version-Release number of selected component (if applicable):
pcs-0.9.137-13.el7_1.3.x86_64
pcs-0.9.142-2.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Check the pcs's acls:
[root@virt-082 ~]# pcs acl
ACLs are disabled, run 'pcs acl enable' to enable
2. Try to create role using some non-existent id
[root@virt-082 ~]# pcs acl role create test-role read id non-existent-id

Actual results:
Error: Unable to update cib
Call cib_replace failed (-203): Update does not conform to the configured schema
...

Expected results:
Error: unable to find id: non-existent-id
Description of problem:
If you try to add an acl permission defined by non-existent id to a role, an invalid cib report is produced instead of a proper error message.

Version-Release number of selected component (if applicable):
pcs-0.9.137-13.el7_1.3.x86_64
pcs-0.9.142-2.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1) Run command:
# pcs acl permission add test-role read id non-existent-id
> Id 'non-existend-id' must not be defined in cib xml.

Actual results:
Error: Unable to update cib
Call cib_replace failed (-203): Update does not conform to the configured schema
...
> Long cib report truncated

Expected results:
Error: unable to find id: non-existent-id
*** Bug 1249071 has been marked as a duplicate of this bug. ***
proposed fix:
https://github.com/feist/pcs/commit/e142a3f3d50545e1146e625d81fe04aa844a1546

Setup:
[vm-rhel72-1 ~pcs/pcs] $ pcs acl role create test-role

Test:
[vm-rhel72-1 ~pcs/pcs] $ pcs acl permission add test-role read id missing-id
Error: id "missing-id" does not exist.
This bug was accidentally moved from POST to MODIFIED via an error in automation. Please see mmccune@redhat.com with any questions.
Before fix:
[vm-rhel72-1 ~] $ rpm -q pcs
pcs-0.9.143-15.el7.x86_64
[vm-rhel72-1 ~] $ pcs acl enable
[vm-rhel72-1 ~] $ pcs acl role create test-role read id non-existent-id
Error: Unable to update cib
Call cib_replace failed (-203): Update does not conform to the configured schema
<cib...

After Fix:
[vm-rhel72-1 ~] $ rpm -q pcs
pcs-0.9.151-1.el7.x86_64
[vm-rhel72-1 ~] $ pcs acl role create test-role read id non-existent-id
Error: id 'non-existent-id' does not exist
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2596.html
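
One way to perform the check discussed in this report before an update is sent to the CIB, so that a dangling reference is rejected with a clear message instead of a schema failure. This is an added example, not code from pcs or from the linked commit; the function names, the generated permission id format and the sample CIB are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample CIB fragment (not taken from the bug report).
SAMPLE_CIB = """\
<cib>
  <configuration>
    <resources>
      <primitive id="dummy" class="ocf" provider="heartbeat" type="Dummy"/>
    </resources>
    <acls>
      <acl_role id="test-role"/>
    </acls>
  </configuration>
</cib>
"""

class AclError(Exception):
    """Raised for user errors that should be reported without touching the CIB."""

def add_id_permission(cib, role_id, kind, ref_id):
    """Add an id-based permission to a role, validating every input first."""
    if kind not in ("read", "write", "deny"):
        raise AclError("invalid permission kind '%s'" % kind)
    role = next((r for r in cib.iter("acl_role") if r.get("id") == role_id), None)
    if role is None:
        raise AclError("role '%s' does not exist" % role_id)
    # Collect every id defined anywhere in the CIB; the referenced id must be one of them.
    known_ids = {el.get("id") for el in cib.iter() if el.get("id")}
    if ref_id not in known_ids:
        raise AclError("id '%s' does not exist" % ref_id)
    # Hypothetical naming scheme: pick a permission id that is not already in use.
    perm_id, n = "%s-%s" % (role_id, kind), 0
    while perm_id in known_ids:
        n += 1
        perm_id = "%s-%s-%d" % (role_id, kind, n)
    attrs = {"id": perm_id, "kind": kind, "reference": ref_id}
    return ET.SubElement(role, "acl_permission", attrs)

def try_add(ref_id):
    """Run the check against the sample CIB; return the error or the updated role XML."""
    cib = ET.fromstring(SAMPLE_CIB)
    try:
        add_id_permission(cib, "test-role", "read", ref_id)
    except AclError as exc:
        return "Error: %s" % exc
    return ET.tostring(cib.find(".//acl_role"), encoding="unicode")

if __name__ == "__main__":
    print(try_add("non-existent-id"))
    print(try_add("dummy"))
```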