authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-17 06:53:20 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-17 06:53:20 +0000
commite5a812082ae033afb1eed82c0f2df3d0f6bdc93f (patch)
treea6716c9275b4b413f6c9194798b34b91affb3cc7 /cts/cli/regression.acls.exp
parentInitial commit. (diff)
Adding upstream version 2.1.6.upstream/2.1.6
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'cts/cli/regression.acls.exp')
-rw-r--r--cts/cli/regression.acls.exp4408
1 files changed, 4408 insertions, 0 deletions
diff --git a/cts/cli/regression.acls.exp b/cts/cli/regression.acls.exp
new file mode 100644
index 0000000..c0b0c4f
--- /dev/null
+++ b/cts/cli/regression.acls.exp
@@ -0,0 +1,4408 @@
+Created new pacemaker configuration
+A new shadow instance was created. To begin using it, enter the following into your shell:
+ export CIB_shadow=cts-cli
+=#=#=#= Begin test: Configure some ACLs =#=#=#=
+=#=#=#= Current cib after: Configure some ACLs =#=#=#=
+<cib epoch="2" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config/>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: Configure some ACLs - OK (0) =#=#=#=
+* Passed: cibadmin - Configure some ACLs
+=#=#=#= Begin test: Enable ACLs =#=#=#=
+=#=#=#= Current cib after: Enable ACLs =#=#=#=
+<cib epoch="3" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: Enable ACLs - OK (0) =#=#=#=
+* Passed: crm_attribute - Enable ACLs
+=#=#=#= Begin test: Set cluster option =#=#=#=
+=#=#=#= Current cib after: Set cluster option =#=#=#=
+<cib epoch="4" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: Set cluster option - OK (0) =#=#=#=
+* Passed: crm_attribute - Set cluster option
+=#=#=#= Begin test: New ACL =#=#=#=
+=#=#=#= Current cib after: New ACL =#=#=#=
+<cib epoch="5" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: New ACL - OK (0) =#=#=#=
+* Passed: cibadmin - New ACL
+=#=#=#= Begin test: Another ACL =#=#=#=
+=#=#=#= Current cib after: Another ACL =#=#=#=
+<cib epoch="6" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: Another ACL - OK (0) =#=#=#=
+* Passed: cibadmin - Another ACL
+=#=#=#= Begin test: Updated ACL =#=#=#=
+=#=#=#= Current cib after: Updated ACL =#=#=#=
+<cib epoch="7" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: Updated ACL - OK (0) =#=#=#=
+* Passed: cibadmin - Updated ACL
+=#=#=#= Begin test: unknownguy: Query configuration =#=#=#=
+Call failed: Permission denied
+=#=#=#= End test: unknownguy: Query configuration - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - unknownguy: Query configuration
+=#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#=
+crm_attribute: Error performing operation: Permission denied
+=#=#=#= End test: unknownguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - unknownguy: Set enable-acl
+=#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#=
+crm_attribute: Error performing operation: Permission denied
+=#=#=#= End test: unknownguy: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - unknownguy: Set stonith-enabled
+=#=#=#= Begin test: unknownguy: Create a resource =#=#=#=
+pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@id]
+pcmk__apply_creation_acl trace: Creation of <primitive> scaffolding with id="<unset>" is implicitly allowed
+Call failed: Permission denied
+<failed>
+ <failed_update id="dummy" object_type="primitive" operation="cib_create" reason="Permission denied">
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ </failed_update>
+</failed>
+=#=#=#= End test: unknownguy: Create a resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - unknownguy: Create a resource
+=#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#=
+Call failed: Permission denied
+=#=#=#= End test: l33t-haxor: Query configuration - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - l33t-haxor: Query configuration
+=#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#=
+crm_attribute: Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Set enable-acl - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - l33t-haxor: Set enable-acl
+=#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#=
+crm_attribute: Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - l33t-haxor: Set stonith-enabled
+=#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'l33t-haxor' read/write access to /cib/configuration/resources/primitive[@id='dummy']
+pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy"
+Call failed: Permission denied
+=#=#=#= End test: l33t-haxor: Create a resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - l33t-haxor: Create a resource
+=#=#=#= Begin test: niceguy: Query configuration =#=#=#=
+<cib epoch="7" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#=
+* Passed: cibadmin - niceguy: Query configuration
+=#=#=#= Begin test: niceguy: Set enable-acl =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
+Error setting enable-acl=false (section=crm_config, set=<null>): Permission denied
+crm_attribute: Error performing operation: Permission denied
+=#=#=#= End test: niceguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - niceguy: Set enable-acl
+=#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#=
+pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="cib-bootstrap-options-stonith-enabled"
+=#=#=#= Current cib after: niceguy: Set stonith-enabled =#=#=#=
+<cib epoch="8" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#=
+* Passed: crm_attribute - niceguy: Set stonith-enabled
+=#=#=#= Begin test: niceguy: Create a resource =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy']
+pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy"
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Create a resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Create a resource
+=#=#=#= Begin test: root: Query configuration =#=#=#=
+<cib epoch="8" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: root: Query configuration - OK (0) =#=#=#=
+* Passed: cibadmin - root: Query configuration
+=#=#=#= Begin test: root: Set stonith-enabled =#=#=#=
+=#=#=#= Current cib after: root: Set stonith-enabled =#=#=#=
+<cib epoch="9" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#=
+* Passed: crm_attribute - root: Set stonith-enabled
+=#=#=#= Begin test: root: Create a resource =#=#=#=
+=#=#=#= Current cib after: root: Create a resource =#=#=#=
+<cib epoch="10" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: root: Create a resource - OK (0) =#=#=#=
+* Passed: cibadmin - root: Create a resource
+=#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#=
+crm_resource: Error performing operation: Insufficient privileges
+=#=#=#= End test: l33t-haxor: Create a resource meta attribute - Insufficient privileges (4) =#=#=#=
+* Passed: crm_resource - l33t-haxor: Create a resource meta attribute
+=#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#=
+crm_resource: Error performing operation: Insufficient privileges
+=#=#=#= End test: l33t-haxor: Query a resource meta attribute - Insufficient privileges (4) =#=#=#=
+* Passed: crm_resource - l33t-haxor: Query a resource meta attribute
+=#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#=
+crm_resource: Error performing operation: Insufficient privileges
+=#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Insufficient privileges (4) =#=#=#=
+* Passed: crm_resource - l33t-haxor: Remove a resource meta attribute
+=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
+unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+pcmk__apply_creation_acl trace: Creation of <meta_attributes> scaffolding with id="dummy-meta_attributes" is implicitly allowed
+pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
+Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Stopped
+=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
+<cib epoch="11" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Create a resource meta attribute
+=#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#=
+unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+Stopped
+=#=#=#= Current cib after: niceguy: Query a resource meta attribute =#=#=#=
+<cib epoch="11" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Query a resource meta attribute
+=#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#=
+unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role
+=#=#=#= Current cib after: niceguy: Remove a resource meta attribute =#=#=#=
+<cib epoch="12" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes"/>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Remove a resource meta attribute
+=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
+unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
+Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Started
+=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
+<cib epoch="13" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Create a resource meta attribute
+=#=#=#= Begin test: badidea: Query configuration - implied deny =#=#=#=
+<cib>
+ <configuration>
+ <resources>
+ <primitive id="dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ </configuration>
+</cib>
+=#=#=#= End test: badidea: Query configuration - implied deny - OK (0) =#=#=#=
+* Passed: cibadmin - badidea: Query configuration - implied deny
+=#=#=#= Begin test: betteridea: Query configuration - explicit deny =#=#=#=
+<cib>
+ <configuration>
+ <resources>
+ <primitive id="dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ </configuration>
+</cib>
+=#=#=#= End test: betteridea: Query configuration - explicit deny - OK (0) =#=#=#=
+* Passed: cibadmin - betteridea: Query configuration - explicit deny
+<cib epoch="14" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: niceguy: Replace - remove acls =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/acls
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - remove acls - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - remove acls
+<cib epoch="14" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: niceguy: Replace - create resource =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy2']
+pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy2"
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - create resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - create resource
+<cib epoch="14" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="false"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - modify attribute (deny) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - modify attribute (deny)
+<cib epoch="14" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - delete attribute (deny) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - delete attribute (deny)
+<cib epoch="14" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - create attribute (deny) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - create attribute (deny)
+<cib epoch="14" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: bob: Replace - create attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - create attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin - bob: Replace - create attribute (direct allow)
+<cib epoch="15" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: bob: Replace - modify attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - modify attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin - bob: Replace - modify attribute (direct allow)
+<cib epoch="16" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: bob: Replace - delete attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - delete attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin - bob: Replace - delete attribute (direct allow)
+<cib epoch="17" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: joe: Replace - create attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - create attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin - joe: Replace - create attribute (inherited allow)
+<cib epoch="18" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: joe: Replace - modify attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - modify attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin - joe: Replace - modify attribute (inherited allow)
+<cib epoch="19" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: joe: Replace - delete attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - delete attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin - joe: Replace - delete attribute (inherited allow)
+<cib epoch="20" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: mike: Replace - create attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - create attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin - mike: Replace - create attribute (allow overrides deny)
+<cib epoch="21" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: mike: Replace - modify attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - modify attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin - mike: Replace - modify attribute (allow overrides deny)
+<cib epoch="22" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: mike: Replace - delete attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - delete attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin - mike: Replace - delete attribute (allow overrides deny)
+<cib epoch="23" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: chris: Replace - create attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - create attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - chris: Replace - create attribute (deny overrides allow)
+<cib epoch="24" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: chris: Replace - modify attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - modify attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - chris: Replace - modify attribute (deny overrides allow)
+<cib epoch="25" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_user id="bob">
+ <role_ref id="admin"/>
+ </acl_user>
+ <acl_user id="joe">
+ <role_ref id="super_user"/>
+ </acl_user>
+ <acl_user id="mike">
+ <role_ref id="rsc_writer"/>
+ </acl_user>
+ <acl_user id="chris">
+ <role_ref id="rsc_denied"/>
+ </acl_user>
+ <acl_role id="observer">
+ <read id="observer-read-1" xpath="/cib"/>
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <read id="admin-read-1" xpath="/cib"/>
+ <write id="admin-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <write id="super_user-write-1" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <deny id="rsc-writer-deny-1" xpath="/cib"/>
+ <write id="rsc-writer-write-1" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <write id="rsc-denied-write-1" xpath="/cib"/>
+ <deny id="rsc-denied-deny-1" xpath="//resources"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ <acl_user id="betteridea">
+ <deny id="betteridea-nothing" xpath="/cib"/>
+ <read id="betteridea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: chris: Replace - delete attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy']
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - delete attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - chris: Replace - delete attribute (deny overrides allow)
+
+
+ !#!#!#!#! Upgrading to latest CIB schema and re-testing !#!#!#!#!
+=#=#=#= Begin test: root: Upgrade to latest CIB schema =#=#=#=
+=#=#=#= Current cib after: root: Upgrade to latest CIB schema =#=#=#=
+<cib epoch="2" num_updates="0" admin_epoch="1">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: root: Upgrade to latest CIB schema - OK (0) =#=#=#=
+* Passed: cibadmin - root: Upgrade to latest CIB schema
+=#=#=#= Begin test: unknownguy: Query configuration =#=#=#=
+Call failed: Permission denied
+=#=#=#= End test: unknownguy: Query configuration - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - unknownguy: Query configuration
+=#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#=
+crm_attribute: Error performing operation: Permission denied
+=#=#=#= End test: unknownguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - unknownguy: Set enable-acl
+=#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#=
+crm_attribute: Error performing operation: Permission denied
+=#=#=#= End test: unknownguy: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - unknownguy: Set stonith-enabled
+=#=#=#= Begin test: unknownguy: Create a resource =#=#=#=
+pcmk__check_acl trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@id]
+pcmk__apply_creation_acl trace: Creation of <primitive> scaffolding with id="<unset>" is implicitly allowed
+Call failed: Permission denied
+<failed>
+ <failed_update id="dummy" object_type="primitive" operation="cib_create" reason="Permission denied">
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ </failed_update>
+</failed>
+=#=#=#= End test: unknownguy: Create a resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - unknownguy: Create a resource
+=#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#=
+Call failed: Permission denied
+=#=#=#= End test: l33t-haxor: Query configuration - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - l33t-haxor: Query configuration
+=#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#=
+crm_attribute: Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Set enable-acl - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - l33t-haxor: Set enable-acl
+=#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#=
+crm_attribute: Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - l33t-haxor: Set stonith-enabled
+=#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'l33t-haxor' read/write access to /cib/configuration/resources/primitive[@id='dummy']
+pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy"
+Call failed: Permission denied
+=#=#=#= End test: l33t-haxor: Create a resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - l33t-haxor: Create a resource
+=#=#=#= Begin test: niceguy: Query configuration =#=#=#=
+<cib epoch="2" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#=
+* Passed: cibadmin - niceguy: Query configuration
+=#=#=#= Begin test: niceguy: Set enable-acl =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
+Error setting enable-acl=false (section=crm_config, set=<null>): Permission denied
+crm_attribute: Error performing operation: Permission denied
+=#=#=#= End test: niceguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute - niceguy: Set enable-acl
+=#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#=
+=#=#=#= Current cib after: niceguy: Set stonith-enabled =#=#=#=
+<cib epoch="3" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#=
+* Passed: crm_attribute - niceguy: Set stonith-enabled
+=#=#=#= Begin test: niceguy: Create a resource =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy']
+pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy"
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Create a resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Create a resource
+=#=#=#= Begin test: root: Query configuration =#=#=#=
+<cib epoch="3" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: root: Query configuration - OK (0) =#=#=#=
+* Passed: cibadmin - root: Query configuration
+=#=#=#= Begin test: root: Set stonith-enabled =#=#=#=
+=#=#=#= Current cib after: root: Set stonith-enabled =#=#=#=
+<cib epoch="4" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources/>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#=
+* Passed: crm_attribute - root: Set stonith-enabled
+=#=#=#= Begin test: root: Create a resource =#=#=#=
+=#=#=#= Current cib after: root: Create a resource =#=#=#=
+<cib epoch="5" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: root: Create a resource - OK (0) =#=#=#=
+* Passed: cibadmin - root: Create a resource
+=#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#=
+crm_resource: Error performing operation: Insufficient privileges
+=#=#=#= End test: l33t-haxor: Create a resource meta attribute - Insufficient privileges (4) =#=#=#=
+* Passed: crm_resource - l33t-haxor: Create a resource meta attribute
+=#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#=
+crm_resource: Error performing operation: Insufficient privileges
+=#=#=#= End test: l33t-haxor: Query a resource meta attribute - Insufficient privileges (4) =#=#=#=
+* Passed: crm_resource - l33t-haxor: Query a resource meta attribute
+=#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#=
+crm_resource: Error performing operation: Insufficient privileges
+=#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Insufficient privileges (4) =#=#=#=
+* Passed: crm_resource - l33t-haxor: Remove a resource meta attribute
+=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
+unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+pcmk__apply_creation_acl trace: Creation of <meta_attributes> scaffolding with id="dummy-meta_attributes" is implicitly allowed
+pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
+Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Stopped
+=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
+<cib epoch="6" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Create a resource meta attribute
+=#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#=
+unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+Stopped
+=#=#=#= Current cib after: niceguy: Query a resource meta attribute =#=#=#=
+<cib epoch="6" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Query a resource meta attribute
+=#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#=
+unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role
+=#=#=#= Current cib after: niceguy: Remove a resource meta attribute =#=#=#=
+<cib epoch="7" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes"/>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Remove a resource meta attribute
+=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
+unpack_resources error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+pcmk__apply_creation_acl trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
+Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Started
+=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
+<cib epoch="8" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Create a resource meta attribute
+=#=#=#= Begin test: badidea: Query configuration - implied deny =#=#=#=
+<cib>
+ <configuration>
+ <resources>
+ <primitive id="dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ </configuration>
+</cib>
+=#=#=#= End test: badidea: Query configuration - implied deny - OK (0) =#=#=#=
+* Passed: cibadmin - badidea: Query configuration - implied deny
+=#=#=#= Begin test: betteridea: Query configuration - explicit deny =#=#=#=
+<cib>
+ <configuration>
+ <resources>
+ <primitive id="dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ </configuration>
+</cib>
+=#=#=#= End test: betteridea: Query configuration - explicit deny - OK (0) =#=#=#=
+* Passed: cibadmin - betteridea: Query configuration - explicit deny
+<cib epoch="9" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: niceguy: Replace - remove acls =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/acls
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - remove acls - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - remove acls
+<cib epoch="9" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: niceguy: Replace - create resource =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy2']
+pcmk__apply_creation_acl trace: ACLs disallow creation of <primitive> with id="dummy2"
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - create resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - create resource
+<cib epoch="9" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="false"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - modify attribute (deny) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - modify attribute (deny)
+<cib epoch="9" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - delete attribute (deny) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - delete attribute (deny)
+<cib epoch="9" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#=
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - create attribute (deny) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - niceguy: Replace - create attribute (deny)
+<cib epoch="9" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: bob: Replace - create attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - create attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin - bob: Replace - create attribute (direct allow)
+<cib epoch="10" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: bob: Replace - modify attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - modify attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin - bob: Replace - modify attribute (direct allow)
+<cib epoch="11" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: bob: Replace - delete attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - delete attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin - bob: Replace - delete attribute (direct allow)
+<cib epoch="12" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: joe: Replace - create attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - create attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin - joe: Replace - create attribute (inherited allow)
+<cib epoch="13" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: joe: Replace - modify attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - modify attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin - joe: Replace - modify attribute (inherited allow)
+<cib epoch="14" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: joe: Replace - delete attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - delete attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin - joe: Replace - delete attribute (inherited allow)
+<cib epoch="15" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: mike: Replace - create attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - create attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin - mike: Replace - create attribute (allow overrides deny)
+<cib epoch="16" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: mike: Replace - modify attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - modify attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin - mike: Replace - modify attribute (allow overrides deny)
+<cib epoch="17" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: mike: Replace - delete attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - delete attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin - mike: Replace - delete attribute (allow overrides deny)
+<cib epoch="18" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: chris: Replace - create attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - create attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - chris: Replace - create attribute (deny overrides allow)
+<cib epoch="19" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: chris: Replace - modify attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - modify attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - chris: Replace - modify attribute (deny overrides allow)
+<cib epoch="20" num_updates="0" admin_epoch="0">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_target id="l33t-haxor">
+ <role id="auto-l33t-haxor"/>
+ </acl_target>
+ <acl_role id="auto-l33t-haxor">
+ <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+ </acl_role>
+ <acl_target id="niceguy">
+ <role id="observer"/>
+ </acl_target>
+ <acl_target id="bob">
+ <role id="admin"/>
+ </acl_target>
+ <acl_target id="joe">
+ <role id="super_user"/>
+ </acl_target>
+ <acl_target id="mike">
+ <role id="rsc_writer"/>
+ </acl_target>
+ <acl_target id="chris">
+ <role id="rsc_denied"/>
+ </acl_target>
+ <acl_role id="observer">
+ <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_role id="admin">
+ <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+ <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="super_user">
+ <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+ </acl_role>
+ <acl_role id="rsc_writer">
+ <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+ <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+ </acl_role>
+ <acl_role id="rsc_denied">
+ <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+ <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+ </acl_role>
+ <acl_target id="badidea">
+ <role id="auto-badidea"/>
+ </acl_target>
+ <acl_role id="auto-badidea">
+ <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ <acl_target id="betteridea">
+ <role id="auto-betteridea"/>
+ </acl_target>
+ <acl_role id="auto-betteridea">
+ <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+ <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= Begin test: chris: Replace - delete attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy']
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - delete attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin - chris: Replace - delete attribute (deny overrides allow)