Bug 1384420 - Id of acl group cannot be same as id of any other element in CIB
Summary: Id of acl group cannot be same as id of any other element in CIB
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pacemaker
Version: 8.0
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: pre-dev-freeze
Target Release: 8.6
Assignee: gchin
QA Contact: cluster-qe@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1384428
Reported: 2016-10-13 09:20 UTC by Ondrej Mular
Modified: 2022-06-07 17:33 UTC (History)

Fixed In Version: pacemaker-2.1.2-1.el8
Doc Type: No Doc Update
Doc Text:
This is preparation for a future implementation of ACL groups, and will not be visible to users at this time.
Clone Of:
Environment:
Last Closed: 2022-05-10 14:09:46 UTC
Type: Feature Request
Target Upstream Version:
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Cluster Labs            5446            0        None      None    None     2020-10-13 21:46:56 UTC
Red Hat Issue Tracker   CLUSTERQE-5187  0        None      None    None     2021-10-26 15:02:51 UTC
Red Hat Product Errata  RHBA-2022:1885  0        None      None    None     2022-05-10 14:10:01 UTC

Description Ondrej Mular 2016-10-13 09:20:33 UTC
Description of problem:
It is not possible to have a group id (the group id should represent the name of a unix group) in the ACL configuration that is the same as the id of a resource or other element. This is possible in the case of acl_target (the id attribute of the acl_target element is not a unique id in the CIB).


Version-Release number of selected component (if applicable):
[root@rhel72-node5 ~]# rpm -q pacemaker
pacemaker-1.1.13-10.el7.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Have CIB with one resource configured:
[root@rhel72-node5 ~]# CIB_file=cib.xml cibadmin -Q
<cib crm_feature_set="3.0.10" validate-with="pacemaker-2.3" epoch="3" num_updates="0" admin_epoch="0" cib-last-written="Thu Oct 13 10:40:28 2016" update-origin="rh72-5" update-client="crmd" update-user="hacluster">
  <configuration>
    <crm_config/>
    <nodes>
      <node id="1" uname="rh72-5"/>
      <node id="2" uname="rh72-6"/>
    </nodes>
    <resources>
      <primitive class="ocf" id="testname" provider="heartbeat" type="my-resource"/>
    </resources>
    <constraints/>
  </configuration>
  <status/>
</cib>

2. Try to create acl_target element with same id as resource (this is possible):
[root@rhel72-node5 ~]# CIB_file=cib2.xml cibadmin -R -A "//acls" -X '<acls><acl_target id="testname"/></acls>'; echo $?
0

3. Then try to create acl_group element with same id as resource
[root@rhel72-node5 ~]# CIB_file=cib.xml cibadmin -R -A "//acls" -X '<acls><acl_group id="testname"/></acls>'
   1 <cib crm_feature_set="3.0.10" validate-with="pacemaker-2.3" epoch="9" num_updates="0" admin_epoch="0" cib-last-written="Thu Oct 13 10:40:28 2016" update-origin="rh72-5" update-client="crmd" update-user="hacluster">
   2   <configuration>
   3     <crm_config/>
   4     <nodes>
   5       <node id="1" uname="rh72-5"/>
   6       <node id="2" uname="rh72-6"/>
   7     </nodes>
   8     <resources>
   9       <primitive class="ocf" id="testname" provider="heartbeat" type="my-resource"/>
  10     </resources>
  11     <constraints/>
  12     <acls>
  13       <acl_group id="testname"/>
  14     </acls>
  15   </configuration>
  16   <status/>
  17 </cib>
  18 
Call failed: Update does not conform to the configured schema


Actual results:
This is not allowed by the CIB XML schema.

Expected results:
It should be possible to have a group with the same name as a resource id.

Comment 2 Ken Gaillot 2016-10-13 16:41:57 UTC
This happens because the schema defines the "id" attribute of both resources and acl_groups (but not acl_targets) as having the "ID" data type, which must be unique.

The "ID" data type also constrains what values must be used: it must start with a letter or underscore; any further characters may also be a digit, period, dash, or Unicode "combining character" or "extender" (used to make e.g. an accented character out of the base character plus an accent).

My feeling is that acl_target's id should also be restricted to the ID type, but that could invalidate existing configurations, so it might not be a good idea to change that.

One way to address the issue mentioned here would be to add a "name" attribute that defaults to the value of "id". So, id would still have to be unique, but the group name could be supplied as name. I think that implementation should be relatively simple.
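As an added example (not part of this bug report and not Pacemaker's own code), the following Python models the two rules Comment 2 describes for attributes the schema types as xsd:ID, the lexical form and the document-wide uniqueness, and replays steps 2 and 3 of the report together with the proposed "name" attribute that defaults to "id". `ID_ATTRIBUTES` is an assumption: it lists only the elements the report itself says are ID-typed (`primitive` for resources and `acl_group`); `acl_target` and `node` are deliberately absent, which is why step 2 passes and why a node id such as "1" is legal. The CIB fragments are constructed from the one in step 1.

```python
"""Added example, not part of the bug report or of Pacemaker's code."""
import unicodedata
import xml.etree.ElementTree as ET

# Assumed subset of ID-typed elements (taken from what the report states).
ID_ATTRIBUTES = {"primitive", "acl_group"}


def is_xml_id(value):
    """Lexical check for the XML Schema ID datatype as described in Comment 2:
    first character a letter or underscore; later characters may also be a
    digit, period, dash, or a Unicode combining character / extender."""
    if not value:
        return False
    first, rest = value[0], value[1:]
    if not (first == "_" or first.isalpha()):
        return False
    for ch in rest:
        if ch.isalnum() or ch in "_.-":
            continue
        # combining marks (Mn/Mc) and the middle-dot extender are allowed too
        if unicodedata.category(ch) in ("Mn", "Mc") or ch == "\u00b7":
            continue
        return False  # colons, spaces, etc. are rejected (ID is an NCName)
    return True


def validate_ids(cib_xml):
    """Return schema-style errors for ID-typed attributes in the document:
    bad lexical form, or a value already used by another ID-typed attribute.
    An empty list means the document would be accepted."""
    root = ET.fromstring(cib_xml)
    errors, seen = [], {}
    for elem in root.iter():
        if elem.tag not in ID_ATTRIBUTES:
            continue  # e.g. acl_target: plain text, no uniqueness constraint
        value = elem.get("id")
        if value is None:
            errors.append("<%s> is missing its id" % elem.tag)
        elif not is_xml_id(value):
            errors.append("<%s id=%r>: not a valid ID" % (elem.tag, value))
        elif value in seen:
            errors.append("<%s id=%r>: duplicates <%s>" % (elem.tag, value, seen[value]))
        else:
            seen[value] = elem.tag
    return errors


def acl_group_names(cib_xml):
    """Group names with the defaulting Comment 2 proposes: name falls back to id."""
    root = ET.fromstring(cib_xml)
    return [g.get("name", g.get("id")) for g in root.iter("acl_group")]


# Constructed CIB skeleton, trimmed from the one in the report's step 1.
CIB_TEMPLATE = """<cib validate-with="pacemaker-2.3">
  <configuration>
    <crm_config/>
    <nodes><node id="1" uname="rh72-5"/><node id="2" uname="rh72-6"/></nodes>
    <resources>
      <primitive class="ocf" id="testname" provider="heartbeat" type="my-resource"/>
    </resources>
    <constraints/>
    {acls}
  </configuration>
  <status/>
</cib>"""

# Step 2 of the report: acl_target is not ID-typed, so the clash is allowed.
TARGET_CLASH = CIB_TEMPLATE.format(acls='<acls><acl_target id="testname"/></acls>')
# Step 3: acl_group is ID-typed, so reusing the resource id is a duplicate.
GROUP_CLASH = CIB_TEMPLATE.format(acls='<acls><acl_group id="testname"/></acls>')
# The proposed fix: keep id unique and carry the unix group name separately.
NAMED_GROUP = CIB_TEMPLATE.format(acls='<acls><acl_group id="testgroup" name="testname"/></acls>')
# A value that breaks the lexical rule (an ID may not start with a digit).
BAD_LEXICAL = CIB_TEMPLATE.format(acls='<acls><acl_group id="1group"/></acls>')

if __name__ == "__main__":
    for label, doc in [("acl_target clash", TARGET_CLASH), ("acl_group clash", GROUP_CLASH),
                       ("named group", NAMED_GROUP), ("bad lexical form", BAD_LEXICAL)]:
        errors = validate_ids(doc)
        print("%-17s %s" % (label + ":", "accepted" if not errors else errors))
    print("group names:", acl_group_names(NAMED_GROUP))
```

Running the script accepts the acl_target clash and the named group, and rejects the acl_group clash and the digit-leading id, which is the same accept/reject pattern the report observes from cibadmin; the real decision is made by Pacemaker's RelaxNG schema, which this toy only approximates.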

Comment 3 Ken Gaillot 2017-03-06 23:30:47 UTC
This will not be addressed in the 7.4 timeframe.

Comment 4 Ken Gaillot 2017-10-09 17:44:07 UTC
Due to time constraints, this will not make 7.5.

Comment 5 Jan Pokorný [poki] 2018-08-23 20:44:16 UTC
> My feeling is that acl_target's id should also be restricted to the ID
> type, but that could invalidate existing configurations, so it might
> not be a good idea to change that.

A few notes:

1. the current situation seems to allow for quirks like the one sketched in
   https://github.com/ClusterLabs/pacemaker/pull/1563/files#r212441702

2. a reasonable solution might be a duality:
   rough validation as a whole vs. detailed validation per-partes

re 2.:

In the raw files, some "locally unique" fields would be overapproximated
as NCName type from XMLSchema datatypes (mere <text/> for "acl_target"
was a pretty poor choice), and rough validation would work out of the box.

But also the "local enough" scopes (imposed requirement: with level-unique
tag to avoid any ambiguities and keep the implementation simple) would be
specially annotated, ditto particular fields that should be considered
as ID datatype for the purpose of this detailed validation.

The task would then be:
- figure out all the unique scopes that can be of interest,
  per the annotations
- for each such scope, fetch the respective sub-schema,
  perform in-memory change of the datatypes per the annotations
- for each such scope, iterate through all (disjunct) instances
  present in the document, turn each such sub-stanza into
  document on its own, and validate it with the respective
  in-memory change sub-schema, i.e., imposing strict uniqueness
  requirements

In case of "acls", the nice property is that respective sub-schema
directly matches acls-2.0.rng, hence the whole procedure would
be relatively easily scriptable also in shell if the "scope annotation"
contained XPath to match particular occurrences of the mentioned
sub-stanzas.  Such light-weight shell script (assurably detached
from any pacemaker machinery) could then be offered for consumption
by higher level tools, independently of heavy weight crm_verify
(which could implement the same in C, though, rather than calling
out to this shell).
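As an added example (not from the bug report and not Pacemaker code), here is a toy of the two-level validation sketched above: a rough, document-wide pass that only overapproximates the annotated fields as NCName-like tokens, and a detailed pass that cuts each annotated scope out as a document of its own and enforces uniqueness inside it. `SCOPE_ANNOTATIONS` (an XPath per scope plus the fields treated as ID there) is an assumption; Pacemaker's schemas carry no such annotations, and the sample CIB fragments are constructed.

```python
"""Added example, not part of the bug report or of Pacemaker."""
import re
import xml.etree.ElementTree as ET

# Rough pass: NCName-like token, first char a letter or underscore, then
# letters, digits, underscore, period or dash (an overapproximation on purpose).
NCNAME_RE = re.compile(r"[^\W\d][\w.\-]*")

# Assumed scope annotations: the XPath selecting each scope instance, and the
# (tag, attribute) pairs that must be unique within one instance of it.
# Tuples rather than sets so that the order of reported errors is deterministic.
SCOPE_ANNOTATIONS = {
    ".//acls": (("acl_group", "id"), ("acl_target", "id")),
    ".//resources": (("primitive", "id"),),
}


def rough_validate(cib_xml):
    """Whole-document check: every annotated field is present and NCName-like.
    No uniqueness is enforced here, so ids may repeat across scopes."""
    root = ET.fromstring(cib_xml)
    errors = []
    for fields in SCOPE_ANNOTATIONS.values():
        for tag, attr in fields:
            for elem in root.iter(tag):
                val = elem.get(attr)
                if val is None or not NCNAME_RE.fullmatch(val):
                    errors.append("<%s %s=%r>: not an NCName" % (tag, attr, val))
    return errors


def detailed_validate(cib_xml):
    """Per-scope check: for each scope instance, re-parse the sub-stanza as a
    document of its own and require the annotated fields to be unique in it."""
    root = ET.fromstring(cib_xml)
    errors = []
    for xpath, fields in SCOPE_ANNOTATIONS.items():
        for scope in root.findall(xpath):
            sub = ET.fromstring(ET.tostring(scope))  # the stand-alone sub-document
            seen = {}
            for tag, attr in fields:
                for elem in sub.iter(tag):
                    val = elem.get(attr)
                    if val is None:
                        continue
                    if val in seen:
                        errors.append("%s: <%s %s=%r> duplicates <%s>"
                                      % (scope.tag, tag, attr, val, seen[val]))
                    else:
                        seen[val] = tag
    return errors


def validate(cib_xml):
    """Both passes together; an empty list means the document is accepted."""
    return rough_validate(cib_xml) + detailed_validate(cib_xml)


# Constructed CIB skeleton: one resource, plus whatever ACL content is given.
CIB = """<cib validate-with="pacemaker-2.3">
  <configuration>
    <resources>
      <primitive class="ocf" id="testname" provider="heartbeat" type="my-resource"/>
    </resources>
    <acls>{acls}</acls>
  </configuration>
</cib>"""

# Reusing "testname" across scopes: rejected by today's document-wide ID rule
# (the bug), accepted by the per-scope approach (the report's expected result).
CROSS_SCOPE = CIB.format(acls='<acl_group id="testname"/>')
# Duplicate inside one scope: the per-scope pass still catches it (a constructed
# instance of the kind of quirk the comment above refers to).
IN_SCOPE_DUP = CIB.format(acls='<acl_target id="alice"/><acl_target id="alice"/>')
# Lexically bad value: caught by the rough pass with no scope machinery at all.
BAD_TOKEN = CIB.format(acls='<acl_group id="1st-group"/>')

if __name__ == "__main__":
    for label, doc in [("cross-scope reuse", CROSS_SCOPE), ("in-scope duplicate", IN_SCOPE_DUP),
                       ("bad token", BAD_TOKEN)]:
        errors = validate(doc)
        print("%-20s %s" % (label + ":", "accepted" if not errors else errors))
```

The split is the point: the rough pass is what a plain schema with NCName-typed fields would do, and the detailed pass is the per-scope strictness the comment proposes layering on top, so the same id can legitimately name a resource and an ACL group while duplicates inside one `acls` stanza are still refused.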

Comment 6 Ken Gaillot 2018-11-19 19:22:08 UTC
Because this will require new configuration syntax, for technical reasons this will only be addressed in RHEL 8.

Comment 9 Ken Gaillot 2020-10-13 21:46:56 UTC
Due to developer time prioritization constraints, an upstream bug has been opened for this issue, and this report is being closed. If time becomes available, we will reopen this.

Comment 10 Ken Gaillot 2021-10-04 17:00:21 UTC
It is worth noting that this will not be useful until Bug 1724310 is fixed (ACL groups are currently not functional).

Comment 14 Ken Gaillot 2021-11-05 19:08:29 UTC
The XML schema has been updated upstream as of commit 7838213fc, which will allow specifying a "name" attribute separately from "id". The name will still default to the id for backward compatibility. As mentioned in Comment 10, this is just the configuration side; the functionality will be implemented separately.

QA: To verify, configure a cluster with ACLs including a group, then use "pcs cluster edit" to edit the XML directly to add name="whatever" to the acl_group element. Before the fix, the change will be rejected; after the fix, the change will be accepted.

Comment 18 Markéta Smazová 2022-01-26 16:31:50 UTC
before fix
-----------

>   [root@virt-530 ~]# rpm -q pacemaker
>   pacemaker-2.1.0-8.el8.x86_64

Configure a cluster with ACLs including a group, create dummy resource named "test":

>   [root@virt-530 ~]# pcs resource create test ocf:pacemaker:Dummy
>   [root@virt-530 ~]# pcs status
>   Cluster name: STSRHTS25391
>   Cluster Summary:
>     * Stack: corosync
>     * Current DC: virt-543 (version 2.1.0-8.el8-7c3f660707) - partition with quorum
>     * Last updated: Wed Jan 26 15:32:18 2022
>     * Last change:  Wed Jan 26 15:32:15 2022 by root via cibadmin on virt-530
>     * 2 nodes configured
>     * 3 resource instances configured

>   Node List:
>     * Online: [ virt-530 virt-543 ]

>   Full List of Resources:
>     * fence-virt-530	(stonith:fence_xvm):	 Started virt-530
>     * fence-virt-543	(stonith:fence_xvm):	 Started virt-543
>     * test	(ocf::pacemaker:Dummy):	 Started virt-530

>   Daemon Status:
>     corosync: active/disabled
>     pacemaker: active/disabled
>     pcsd: active/enabled

>   [root@virt-530 ~]# pcs acl enable

Try to name the ACL group the same as the dummy resource. It should fail.

>   [root@virt-530 ~]# pcs acl group create test
>   Error: 'test' already exists

Choose another name for ACL group:

>   [root@virt-530 ~]# pcs acl group create testgroup
>   [root@virt-530 ~]# pcs acl
>   ACLs are enabled

>   Group: testgroup
>     Roles:

Try to add name="test" to the acl_group element in the CIB using `pcs cluster edit`:

>   [root@virt-530 ~]# pcs cluster edit scope=acls
>   Error: unable to push cib
>   Call cib_replace failed (-203): Update does not conform to the configured schema
>   <cib crm_feature_set="3.11.0" validate-with="pacemaker-3.7" epoch="13" num_updates="0" admin_epoch="0" cib-last-written="Wed Jan 26 16:18:34 2022" update-origin="virt-530" update-client="cibadmin" update-user="root" have-quorum="1" dc-uuid="1">
>     <configuration>

>   [...]

>       <acls>
>         <acl_group id="testgroup" name="test"/>
>       </acls>
>     </configuration>

The change is rejected.


after fix
-----------

>   [root@virt-525 ~]# rpm -q pacemaker
>   pacemaker-2.1.2-2.el8.x86_64

Configure a cluster with ACLs including a group, create dummy resource named "test":

>   [root@virt-525 ~]# pcs resource create test ocf:pacemaker:Dummy
>   [root@virt-525 ~]# pcs status
>   Cluster name: STSRHTS9364
>   Cluster Summary:
>     * Stack: corosync
>     * Current DC: virt-525 (version 2.1.2-2.el8-ada5c3b36e2) - partition with quorum
>     * Last updated: Wed Jan 26 17:14:58 2022
>     * Last change:  Wed Jan 26 17:14:45 2022 by root via cibadmin on virt-525
>     * 2 nodes configured
>     * 3 resource instances configured

>   Node List:
>     * Online: [ virt-524 virt-525 ]

>   Full List of Resources:
>     * fence-virt-524	(stonith:fence_xvm):	 Started virt-524
>     * fence-virt-525	(stonith:fence_xvm):	 Started virt-525
>     * test	(ocf::pacemaker:Dummy):	 Started virt-524

>   Daemon Status:
>     corosync: active/disabled
>     pacemaker: active/disabled
>     pcsd: active/enabled

Try to name the ACL group the same as the dummy resource. It should fail.

>   [root@virt-525 ~]# pcs acl group create test
>   Error: 'test' already exists

Choose another name for ACL group:

>   [root@virt-525 ~]# pcs acl group create testgroup
>   [root@virt-525 ~]# pcs acl
>   ACLs are enabled

>   Group: testgroup
>     Roles:

Try to add name="test" to the acl_group element in the CIB using `pcs cluster edit`:

>   [root@virt-525 ~]# pcs cluster edit scope=acls
>   CIB updated

>   [root@virt-525 ~]# cibadmin --query --scope acls
>   <acls>
>     <acl_group id="testgroup" name="test"/>
>   </acls>

The change is accepted and the CIB is updated.

Marking verified in pacemaker-2.1.2-2.el8

Comment 20 errata-xmlrpc 2022-05-10 14:09:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pacemaker bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1885

