Bug 1441673 - Make pcs avoid a full CIB replacement
Summary: Make pcs avoid a full CIB replacement
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pcs
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Tomas Jelinek
QA Contact: cluster-qe@redhat.com
URL:
Whiteboard:
Duplicates: 1499796
Depends On: 1412309
Blocks: 1482623
Reported: 2017-04-12 12:34 UTC by Tomas Jelinek
Modified: 2018-05-23 12:13 UTC (History)

Fixed In Version: pcs-0.9.160-1.el7
Doc Type: No Doc Update
Doc Text:
The fix only applies to pcs commands moved to the new pcs architecture. The list of these commands is changing as we are working on moving all pcs commands to the new architecture. This may be confusing to the users so I think we can skip documenting this bz.
Clone Of:
Clones: 1482623
Environment:
Last Closed: 2018-04-10 15:39:15 UTC


Attachments
proposed fix + tests (236.53 KB, patch) - 2017-08-28 14:49 UTC, Tomas Jelinek
additional fix (1.51 KB, patch) - 2017-09-01 12:52 UTC, Ivan Devat


Links
Red Hat Product Errata RHBA-2018:0866 (last updated 2018-04-10 15:40:17 UTC)
Red Hat Bugzilla 1404233, CLOSED: Make pcs avoid a full CIB replacement when possible (last updated 2019-05-03 17:53:37 UTC)
Red Hat Bugzilla 1441669, NEW: cibadmin can return a CIB not conforming to the schema if deny ACLs are in use (last updated 2019-05-03 17:53:37 UTC)
Red Hat Knowledge Base (Solution) 3456901 (last updated 2018-05-23 12:13:18 UTC)

Internal Links: 1404233 1441669

Description Tomas Jelinek 2017-04-12 12:34:17 UTC
Description of problem:
This has been partially implemented in bz1404233 - the "pcs cluster cib-push" command now has an option to obtain and push just a diff instead of the whole CIB.

It is required to make this approach a standard way of pushing cib in all pcs commands. The only exception is the "pcs cluster cib-push" command where the user may want to really overwrite the existing CIB and make the live CIB look exactly like what has been provided to the command.

Reasoning:
1) avoid conflicts when editing the CIB simultaneously
See bz1404233 for more details.

2) replacing the whole CIB fails when ACLs are in place, see reproducer

3) performance reasons
When pushing the whole CIB, it takes more time to process it in pacemaker.


Version-Release number of selected component (if applicable):
pcs-0.9.157-1.el7.x86_64


How reproducible:
always, easily


Steps to Reproduce:
[root@rh73-node1:~]# pcs resource create dummy1 ocf:pacemaker:Dummy    
[root@rh73-node1:~]# pcs resource create dummy2 ocf:pacemaker:Dummy
[root@rh73-node1:~]# pcs acl user create user1
[root@rh73-node1:~]# pcs acl role create role1
[root@rh73-node1:~]# pcs acl permission add role1 write xpath /
[root@rh73-node1:~]# pcs acl permission add role1 write xpath /cib/configuration
[root@rh73-node1:~]# pcs acl permission add role1 deny id dummy1
# avoid bz1441669
[root@rh73-node1:~]# pcs acl permission add role1 deny xpath /cib/configuration/acls
[root@rh73-node1:~]# pcs acl role assign role1 user user1
[root@rh73-node1:~]# pcs acl enable

# now switch to user1
[user1@rh73-node1 ~]$ pcs resource disable dummy2
Error: Unable to update cib
Call cib_replace failed (-13): Permission denied


Actual results:
It is not possible to edit the CIB.


Expected results:
It is possible to edit CIB.


Additional info:
The command fails, because:
* When reading the CIB, dummy1 resource is filtered out because of the configured ACLs.
* Dummy2 resource is updated in memory.
* The whole CIB is pushed, but it does not contain dummy1 resource - see above.
* Pacemaker evaluates this as an attempt to remove dummy1 resource, which is prohibited by the ACLs.

If only a diff is pushed, everything works, as the diff does not contain any changes to dummy1 resource.

Comment 2 Tomas Jelinek 2017-08-28 14:49:13 UTC
Created attachment 1319106
proposed fix + tests

Comment 3 Tomas Jelinek 2017-08-28 15:25:12 UTC
This is an internal change. The only effect users can notice is that the issues described in comment 0 are fixed. However, the fix only applies to pcs commands moved to the new pcs architecture. The list of these commands is changing as we are working on moving all pcs commands to the new architecture.

Comment 4 Ivan Devat 2017-09-01 12:52:54 UTC
Created attachment 1320928
additional fix

This patch fixes the following problem:

[vm-rhel72-1 ~] $ pcs resource bundle create B container docker image=pcs:test
CIB has been upgraded to the latest schema version.
[vm-rhel72-1 ~] $ pcs resource bundle update B container extra=
Error: Unable to update cib
Couldn't parse input from STDIN.
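
The mechanism in the description's "Additional info" (an ACL-filtered read followed by a full cib_replace reads as deleting the hidden resource) and the zero-change case from the comment above (an edit that produces an empty diff), modelled together as an added example. This is not pcs or pacemaker code: the live CIB XML, the ACL model (a set of denied ids), the diff format and the `push_as_user` helper are all constructed for illustration of why a diff push succeeds where a full replacement is rejected, and why an empty diff must be a no-op rather than an error.

```python
"""Model of why a full CIB replacement fails under deny ACLs and a diff does not.

Added example, not pcs or pacemaker code: the ACL, cib_replace and diff-apply
paths below are simplified stand-ins for pacemaker's behaviour.
Elements are identified by their XML id, as in the real CIB.
"""
import copy
import xml.etree.ElementTree as ET


class PermissionDenied(Exception):
    """Stands in for 'Call cib_replace failed (-13): Permission denied'."""


# Constructed live CIB mirroring the reproducer; DENIED_IDS models
# 'pcs acl permission add role1 deny id dummy1' as seen by user1.
LIVE_CIB_XML = """<cib>
  <configuration>
    <resources>
      <primitive id="dummy1" class="ocf" provider="pacemaker" type="Dummy"/>
      <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy">
        <meta_attributes id="dummy2-meta_attributes"/>
      </primitive>
    </resources>
  </configuration>
</cib>"""
DENIED_IDS = {"dummy1"}


def _index(root):
    """Map each id to (element, parent)."""
    return {child.get("id"): (child, parent)
            for parent in root.iter() for child in parent
            if child.get("id") is not None}


def query_cib(live, denied_ids):
    """What 'cibadmin --query' hands a restricted user: denied elements are
    filtered out, so the user never sees dummy1 at all."""
    view = copy.deepcopy(live)
    for elem, parent in list(_index(view).values()):
        if elem.get("id") in denied_ids:
            parent.remove(elem)
    return view


def disable_resource(cib, resource_id):
    """In-memory edit equivalent to 'pcs resource disable <id>'."""
    meta = _index(cib)[resource_id + "-meta_attributes"][0]
    ET.SubElement(meta, "nvpair", id=resource_id + "-meta_attributes-target-role",
                  name="target-role", value="Stopped")


def cib_replace(live, pushed, denied_ids):
    """Old behaviour: the pushed document becomes the whole CIB. Every denied
    element missing from it counts as an attempted removal, so the push fails."""
    if (set(_index(live)) - set(_index(pushed))) & denied_ids:
        raise PermissionDenied("Call cib_replace failed (-13): Permission denied")
    return copy.deepcopy(pushed)


def cib_diff(old, new):
    """Id-based diff between two views: ('add', parent, element),
    ('attrs', id, attributes) and ('remove', id). Elements the user could
    not see are in neither view, so they never appear in the diff."""
    old_idx, new_idx, diff = _index(old), _index(new), []

    def walk_new(elem, parent):
        eid = elem.get("id")
        if eid is not None and eid not in old_idx:
            # parent located by id, or by tag for id-less containers like <resources>
            diff.append(("add", parent.get("id") or parent.tag, copy.deepcopy(elem)))
            return  # children travel inside the added subtree
        if eid is not None and elem.attrib != old_idx[eid][0].attrib:
            diff.append(("attrs", eid, dict(elem.attrib)))
        for child in elem:
            walk_new(child, elem)

    def walk_old(elem):
        eid = elem.get("id")
        if eid is not None and eid not in new_idx:
            diff.append(("remove", eid))
            return
        for child in elem:
            walk_old(child)

    walk_new(new, None)
    walk_old(old)
    return diff


def cib_apply_diff(live, diff, denied_ids):
    """Apply a diff with ACL checks on exactly the elements it touches.
    Returns (new_cib, changed); an empty diff is a no-op, not an error."""
    result = copy.deepcopy(live)
    for op in diff:
        kind, target = op[0], op[1]
        if target in denied_ids:
            raise PermissionDenied("ACL denies %s on %s" % (kind, target))
        idx = _index(result)
        if kind == "add":
            parent = idx[target][0] if target in idx else next(result.iter(target))
            parent.append(copy.deepcopy(op[2]))
        elif kind == "attrs":
            idx[target][0].attrib.clear()
            idx[target][0].attrib.update(op[2])
        else:  # remove
            elem, parent = idx[target]
            parent.remove(elem)
    return result, bool(diff)


def push_as_user(live_xml, denied_ids, edit, use_diff):
    """Run the reproducer end to end: query as the restricted user, edit the
    copy, push it as a whole or as a diff. Returns (ok, changed, live ids)."""
    live = ET.fromstring(live_xml)
    original = query_cib(live, denied_ids)
    edited = copy.deepcopy(original)
    edit(edited)
    changed = False
    try:
        if use_diff:
            live, changed = cib_apply_diff(live, cib_diff(original, edited), denied_ids)
        else:
            live, changed = cib_replace(live, edited, denied_ids), True
    except PermissionDenied:
        return False, changed, sorted(_index(live))
    return True, changed, sorted(_index(live))


if __name__ == "__main__":
    disable = lambda cib: disable_resource(cib, "dummy2")
    print("full replace:", push_as_user(LIVE_CIB_XML, DENIED_IDS, disable, use_diff=False))
    print("diff push:   ", push_as_user(LIVE_CIB_XML, DENIED_IDS, disable, use_diff=True))
    print("no-op edit:  ", push_as_user(LIVE_CIB_XML, DENIED_IDS, lambda cib: None, use_diff=True))
```

The full-replace path fails even though the user only touched dummy2, because pacemaker can only judge the pushed document against the live one, and dummy1 is missing from it. The diff path carries one "add" under dummy2-meta_attributes and nothing else, so the ACL check never meets dummy1; and when the edit changes nothing, the empty diff is reported as "no change" instead of being handed to cibadmin as empty input.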

Comment 7 Ivan Devat 2017-10-11 08:09:47 UTC
After Fix:

[vm-rhel72-1 ~] $ rpm -q pcs
pcs-0.9.160-1.el7.x86_64

[vm-rhel72-1 ~] $ pcs resource create dummy1 ocf:pacemaker:Dummy
[vm-rhel72-1 ~] $ pcs resource create dummy2 ocf:pacemaker:Dummy
[vm-rhel72-1 ~] $ pcs acl user create user1
[vm-rhel72-1 ~] $ pcs acl role create role1
[vm-rhel72-1 ~] $ pcs acl permission add role1 write xpath /
[vm-rhel72-1 ~] $ pcs acl permission add role1 write xpath /cib/configuration
[vm-rhel72-1 ~] $ pcs acl permission add role1 deny id dummy1
[vm-rhel72-1 ~] $ pcs acl permission add role1 deny xpath /cib/configuration/acls
[vm-rhel72-1 ~] $ pcs acl role assign role1 user user1
[vm-rhel72-1 ~] $ pcs acl enable

[user1@vm-rhel72-1 ~]$ pcs resource disable dummy2
[user1@vm-rhel72-1 ~]$ echo $?
0

> the problem with zero change is not there anymore

[vm-rhel72-1 ~] $ pcs resource bundle create B container docker image=pcs:test
[vm-rhel72-1 ~] $ pcs resource bundle update B container extra=
[vm-rhel72-1 ~] $ echo $?
0

Comment 9 Tomas Jelinek 2017-10-12 08:56:23 UTC
*** Bug 1499796 has been marked as a duplicate of this bug. ***

Comment 19 errata-xmlrpc 2018-04-10 15:39:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0866

