
1f016a
diff --git a/lib/cib/cib_file.c b/lib/cib/cib_file.c
1f016a
index 5562e9e..aa68679 100644
1f016a
--- a/lib/cib/cib_file.c
1f016a
+++ b/lib/cib/cib_file.c
1f016a
@@ -310,6 +310,12 @@ cib_file_perform_op_delegate(cib_t * cib, const char *op, const char *host, cons
1f016a
     }
1f016a
     crm_trace("Performing %s operation as %s", op, user_name);
1f016a
 #endif
1f016a
+
1f016a
+    /* Mirror the logic in cib_prepare_common() */
1f016a
+    if (section != NULL && data != NULL && crm_str_eq(crm_element_name(data), XML_TAG_CIB, TRUE)) {
1f016a
+        data = get_object_root(section, data);
1f016a
+    }
1f016a
+
1f016a
     rc = cib_perform_op(op, call_options, fn, query,
1f016a
                         section, request, data, TRUE, &changed, in_mem_cib, &result_cib, &cib_diff,
1f016a
                         &output);
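Review bot: The added guard narrows `data` to `section` only when the payload's root is the `cib` element, but nothing covers get_object_root() returning NULL (presumably when the requested section is absent from the supplied document), so `data` would reach cib_perform_op() as NULL on that path; if that helper can return NULL, it is worth handling it the same way cib_prepare_common() does rather than relying on cib_perform_op() to cope. The comment names the function being mirrored but not why the mirroring matters here; suggest `/* Mirror cib_prepare_common(): a full <cib> payload sent for a section request is narrowed to that section here, so the file-based CIB hands cib_perform_op() the same input the daemon would */`. cib_file_perform_op_delegate() starts and ends outside the hunk.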
1f016a
diff --git a/lib/common/xml.c b/lib/common/xml.c
1f016a
index f7779f5..54f1aa7 100644
1f016a
--- a/lib/common/xml.c
1f016a
+++ b/lib/common/xml.c
1f016a
@@ -4848,8 +4848,13 @@ replace_xml_child(xmlNode * parent, xmlNode * child, xmlNode * update, gboolean
1f016a
 
1f016a
             xml_accept_changes(tmp);
1f016a
             old = xmlReplaceNode(child, tmp);
1f016a
-            xml_calculate_changes(old, tmp);
1f016a
 
1f016a
+            if(xml_tracking_changes(tmp)) {
1f016a
+                /* Replaced sections may have included relevant ACLs */
1f016a
+                __xml_acl_apply(tmp);
1f016a
+            }
1f016a
+
1f016a
+            xml_calculate_changes(old, tmp);
1f016a
             xmlDocSetRootElement(doc, old);
1f016a
             free_xml(old);
1f016a
         }
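Review bot: The new block re-applies ACLs to `tmp`, but its comment does not say why the call has to sit between xmlReplaceNode() and the relocated xml_calculate_changes() call, which is the ordering this fix depends on; suggest `/* The replacement subtree may carry its own <acls>; re-apply before computing changes so the diff is checked against the ACLs now in the document, not the set that was in effect before the replace */`. Whether __xml_acl_apply() reports failure is not visible here; if it returns a status it is discarded, and a failed re-application would presumably leave the earlier ACL state in force silently, so either check it or state in the comment that it cannot fail. A minor style point: `if(xml_tracking_changes(tmp))` lacks the space after `if` that the cib_file.c hunk in this patch uses. replace_xml_child() starts and ends outside the hunk.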
1f016a
diff --git a/tools/regression.acls.exp b/tools/regression.acls.exp
1f016a
index 2cea125..e05e339 100644
1f016a
--- a/tools/regression.acls.exp
1f016a
+++ b/tools/regression.acls.exp
1f016a
@@ -17,11 +17,18 @@ A new shadow instance was created.  To begin using it paste the following into y
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
     </acls>
1f016a
   </configuration>
1f016a
   <status/>
1f016a
@@ -47,11 +54,18 @@ A new shadow instance was created.  To begin using it paste the following into y
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
     </acls>
1f016a
   </configuration>
1f016a
   <status/>
1f016a
@@ -78,11 +92,18 @@ A new shadow instance was created.  To begin using it paste the following into y
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
     </acls>
1f016a
   </configuration>
1f016a
   <status/>
1f016a
@@ -109,11 +130,18 @@ A new shadow instance was created.  To begin using it paste the following into y
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_user id="badidea">
1f016a
         <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
       </acl_user>
1f016a
@@ -143,11 +171,18 @@ A new shadow instance was created.  To begin using it paste the following into y
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_user id="badidea">
1f016a
         <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
       </acl_user>
1f016a
@@ -180,11 +215,18 @@ A new shadow instance was created.  To begin using it paste the following into y
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_user id="badidea">
1f016a
         <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
       </acl_user>
1f016a
@@ -255,11 +297,18 @@ Call failed: Permission denied
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_user id="badidea">
1f016a
         <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
       </acl_user>
1f016a
@@ -301,11 +350,18 @@ __xml_acl_post_process: 	Creation of nvpair=cib-bootstrap-options-stonith-enable
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_user id="badidea">
1f016a
         <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
       </acl_user>
1f016a
@@ -345,11 +401,18 @@ Call failed: Permission denied
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_user id="badidea">
1f016a
         <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
       </acl_user>
1f016a
@@ -384,11 +447,18 @@ Call failed: Permission denied
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_user id="badidea">
1f016a
         <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
       </acl_user>
1f016a
@@ -425,11 +495,18 @@ Call failed: Permission denied
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_user id="badidea">
1f016a
         <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
       </acl_user>
1f016a
@@ -486,11 +563,18 @@ __xml_acl_post_process: 	Creation of nvpair=dummy-meta_attributes-target-role is
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_user id="badidea">
1f016a
         <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
       </acl_user>
1f016a
@@ -535,11 +619,18 @@ Stopped
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_user id="badidea">
1f016a
         <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
       </acl_user>
1f016a
@@ -582,11 +673,18 @@ Deleted dummy option: id=dummy-meta_attributes-target-role name=target-role
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_user id="badidea">
1f016a
         <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
       </acl_user>
1f016a
@@ -631,11 +729,18 @@ __xml_acl_post_process: 	Creation of nvpair=dummy-meta_attributes-target-role is
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_user id="badidea">
1f016a
         <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
       </acl_user>
1f016a
@@ -730,11 +835,18 @@ Call failed: Permission denied
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_user id="badidea">
1f016a
         <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
       </acl_user>
1f016a
@@ -778,11 +890,18 @@ Call failed: Permission denied
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_user id="badidea">
1f016a
         <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
       </acl_user>
1f016a
@@ -794,12 +913,12 @@ Call failed: Permission denied
1f016a
   </configuration>
1f016a
   <status/>
1f016a
 </cib>
1f016a
-=#=#=#= Begin test: niceguy: Replace - modify attribute =#=#=#=
1f016a
+=#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#=
1f016a
 __xml_acl_check: 	400 access denied to /cib[@epoch]: default
1f016a
 __xml_acl_check: 	400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]: default
1f016a
 Call failed: Permission denied
1f016a
-=#=#=#= End test: niceguy: Replace - modify attribute - Permission denied (13) =#=#=#=
1f016a
-* Passed: cibadmin       - niceguy: Replace - modify attribute
1f016a
+=#=#=#= End test: niceguy: Replace - modify attribute (deny) - Permission denied (13) =#=#=#=
1f016a
+* Passed: cibadmin       - niceguy: Replace - modify attribute (deny)
1f016a
 <cib epoch="13" num_updates="0" admin_epoch="0">
1f016a
   <configuration>
1f016a
     <crm_config>
1f016a
@@ -825,11 +944,18 @@ Call failed: Permission denied
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_user id="badidea">
1f016a
         <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
       </acl_user>
1f016a
@@ -841,12 +967,12 @@ Call failed: Permission denied
1f016a
   </configuration>
1f016a
   <status/>
1f016a
 </cib>
1f016a
-=#=#=#= Begin test: niceguy: Replace - delete attribute =#=#=#=
1f016a
+=#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#=
1f016a
 __xml_acl_check: 	400 access denied to /cib[@epoch]: default
1f016a
 __xml_acl_check: 	400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']: default
1f016a
 Call failed: Permission denied
1f016a
-=#=#=#= End test: niceguy: Replace - delete attribute - Permission denied (13) =#=#=#=
1f016a
-* Passed: cibadmin       - niceguy: Replace - delete attribute
1f016a
+=#=#=#= End test: niceguy: Replace - delete attribute (deny) - Permission denied (13) =#=#=#=
1f016a
+* Passed: cibadmin       - niceguy: Replace - delete attribute (deny)
1f016a
 <cib epoch="13" num_updates="0" admin_epoch="0">
1f016a
   <configuration>
1f016a
     <crm_config>
1f016a
@@ -872,11 +998,18 @@ Call failed: Permission denied
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_user id="badidea">
1f016a
         <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
       </acl_user>
1f016a
@@ -888,12 +1021,161 @@ Call failed: Permission denied
1f016a
   </configuration>
1f016a
   <status/>
1f016a
 </cib>
1f016a
-=#=#=#= Begin test: niceguy: Replace - create attribute =#=#=#=
1f016a
+=#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#=
1f016a
 __xml_acl_check: 	400 access denied to /cib[@epoch]: default
1f016a
 __xml_acl_check: 	400 access denied to /cib/configuration/resources/primitive[@id='dummy'][@description]: default
1f016a
 Call failed: Permission denied
1f016a
-=#=#=#= End test: niceguy: Replace - create attribute - Permission denied (13) =#=#=#=
1f016a
-* Passed: cibadmin       - niceguy: Replace - create attribute
1f016a
+=#=#=#= End test: niceguy: Replace - create attribute (deny) - Permission denied (13) =#=#=#=
1f016a
+* Passed: cibadmin       - niceguy: Replace - create attribute (deny)
1f016a
+<cib epoch="13" num_updates="0" admin_epoch="0">
1f016a
+  <configuration>
1f016a
+    <crm_config>
1f016a
+      <cluster_property_set id="cib-bootstrap-options">
1f016a
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
1f016a
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
1f016a
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
1f016a
+      </cluster_property_set>
1f016a
+    </crm_config>
1f016a
+    <nodes/>
1f016a
+    <resources>
1f016a
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
1f016a
+        <meta_attributes id="dummy-meta_attributes">
1f016a
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
1f016a
+        </meta_attributes>
1f016a
+      </primitive>
1f016a
+    </resources>
1f016a
+    <constraints/>
1f016a
+    <acls>
1f016a
+      <acl_user id="l33t-haxor">
1f016a
+        <deny id="crook-nothing" xpath="/cib"/>
1f016a
+      </acl_user>
1f016a
+      <acl_user id="niceguy">
1f016a
+        <role_ref id="observer"/>
1f016a
+      </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
+      <acl_role id="observer">
1f016a
+        <read id="observer-read-1" xpath="/cib"/>
1f016a
+        <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
+        <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
+      </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
+      <acl_user id="badidea">
1f016a
+        <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
+      </acl_user>
1f016a
+      <acl_user id="betteridea">
1f016a
+        <deny id="betteridea-nothing" xpath="/cib"/>
1f016a
+        <read id="betteridea-resources" xpath="//meta_attributes"/>
1f016a
+      </acl_user>
1f016a
+    </acls>
1f016a
+  </configuration>
1f016a
+  <status/>
1f016a
+</cib>
1f016a
+=#=#=#= Begin test: bob: Replace - create attribute (allow) =#=#=#=
1f016a
+=#=#=#= End test: bob: Replace - create attribute (allow) - OK (0) =#=#=#=
1f016a
+* Passed: cibadmin       - bob: Replace - create attribute (allow)
1f016a
+<cib epoch="14" num_updates="0" admin_epoch="0">
1f016a
+  <configuration>
1f016a
+    <crm_config>
1f016a
+      <cluster_property_set id="cib-bootstrap-options">
1f016a
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
1f016a
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
1f016a
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
1f016a
+      </cluster_property_set>
1f016a
+    </crm_config>
1f016a
+    <nodes/>
1f016a
+    <resources>
1f016a
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting">
1f016a
+        <meta_attributes id="dummy-meta_attributes">
1f016a
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
1f016a
+        </meta_attributes>
1f016a
+      </primitive>
1f016a
+    </resources>
1f016a
+    <constraints/>
1f016a
+    <acls>
1f016a
+      <acl_user id="l33t-haxor">
1f016a
+        <deny id="crook-nothing" xpath="/cib"/>
1f016a
+      </acl_user>
1f016a
+      <acl_user id="niceguy">
1f016a
+        <role_ref id="observer"/>
1f016a
+      </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
+      <acl_role id="observer">
1f016a
+        <read id="observer-read-1" xpath="/cib"/>
1f016a
+        <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
+        <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
+      </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
+      <acl_user id="badidea">
1f016a
+        <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
+      </acl_user>
1f016a
+      <acl_user id="betteridea">
1f016a
+        <deny id="betteridea-nothing" xpath="/cib"/>
1f016a
+        <read id="betteridea-resources" xpath="//meta_attributes"/>
1f016a
+      </acl_user>
1f016a
+    </acls>
1f016a
+  </configuration>
1f016a
+  <status/>
1f016a
+</cib>
1f016a
+=#=#=#= Begin test: bob: Replace - modify attribute (allow) =#=#=#=
1f016a
+=#=#=#= End test: bob: Replace - modify attribute (allow) - OK (0) =#=#=#=
1f016a
+* Passed: cibadmin       - bob: Replace - modify attribute (allow)
1f016a
+<cib epoch="15" num_updates="0" admin_epoch="0">
1f016a
+  <configuration>
1f016a
+    <crm_config>
1f016a
+      <cluster_property_set id="cib-bootstrap-options">
1f016a
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
1f016a
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
1f016a
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
1f016a
+      </cluster_property_set>
1f016a
+    </crm_config>
1f016a
+    <nodes/>
1f016a
+    <resources>
1f016a
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
1f016a
+    </resources>
1f016a
+    <constraints/>
1f016a
+    <acls>
1f016a
+      <acl_user id="l33t-haxor">
1f016a
+        <deny id="crook-nothing" xpath="/cib"/>
1f016a
+      </acl_user>
1f016a
+      <acl_user id="niceguy">
1f016a
+        <role_ref id="observer"/>
1f016a
+      </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
+      <acl_role id="observer">
1f016a
+        <read id="observer-read-1" xpath="/cib"/>
1f016a
+        <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
+        <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
+      </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
+      <acl_user id="badidea">
1f016a
+        <read id="badidea-resources" xpath="//meta_attributes"/>
1f016a
+      </acl_user>
1f016a
+      <acl_user id="betteridea">
1f016a
+        <deny id="betteridea-nothing" xpath="/cib"/>
1f016a
+        <read id="betteridea-resources" xpath="//meta_attributes"/>
1f016a
+      </acl_user>
1f016a
+    </acls>
1f016a
+  </configuration>
1f016a
+  <status/>
1f016a
+</cib>
1f016a
+=#=#=#= Begin test: bob: Replace - delete attribute (allow) =#=#=#=
1f016a
+=#=#=#= End test: bob: Replace - delete attribute (allow) - OK (0) =#=#=#=
1f016a
+* Passed: cibadmin       - bob: Replace - delete attribute (allow)
1f016a
 
1f016a
 
1f016a
     !#!#!#!#! Upgrading to pacemaker-2.0 and retesting !#!#!#!#!
1f016a
@@ -901,6 +1183,8 @@ Call failed: Permission denied
1f016a
 __xml_acl_post_process: 	Creation of acl_permission=observer-read-1 is allowed
1f016a
 __xml_acl_post_process: 	Creation of acl_permission=observer-write-1 is allowed
1f016a
 __xml_acl_post_process: 	Creation of acl_permission=observer-write-2 is allowed
1f016a
+__xml_acl_post_process: 	Creation of acl_permission=admin-read-1 is allowed
1f016a
+__xml_acl_post_process: 	Creation of acl_permission=admin-write-1 is allowed
1f016a
 __xml_acl_post_process: 	Creation of acl_permission=crook-nothing is allowed
1f016a
 __xml_acl_post_process: 	Creation of acl_permission=badidea-resources is allowed
1f016a
 __xml_acl_post_process: 	Creation of acl_permission=betteridea-nothing is allowed
1f016a
@@ -917,11 +1201,7 @@ __xml_acl_post_process: 	Creation of acl_permission=betteridea-resources is allo
1f016a
     </crm_config>
1f016a
     <nodes/>
1f016a
     <resources>
1f016a
-      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
1f016a
-        <meta_attributes id="dummy-meta_attributes">
1f016a
-          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
1f016a
-        </meta_attributes>
1f016a
-      </primitive>
1f016a
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
1f016a
     </resources>
1f016a
     <constraints/>
1f016a
     <acls>
1f016a
@@ -934,11 +1214,18 @@ __xml_acl_post_process: 	Creation of acl_permission=betteridea-resources is allo
1f016a
       <acl_target id="niceguy">
1f016a
         <role id="observer"/>
1f016a
       </acl_target>
1f016a
+      <acl_target id="bob">
1f016a
+        <role id="admin"/>
1f016a
+      </acl_target>
1f016a
       <acl_role id="observer">
1f016a
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
1f016a
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_target id="badidea">
1f016a
         <role id="auto-badidea"/>
1f016a
       </acl_target>
1f016a
@@ -1019,11 +1306,18 @@ Call failed: Permission denied
1f016a
       <acl_target id="niceguy">
1f016a
         <role id="observer"/>
1f016a
       </acl_target>
1f016a
+      <acl_target id="bob">
1f016a
+        <role id="admin"/>
1f016a
+      </acl_target>
1f016a
       <acl_role id="observer">
1f016a
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
1f016a
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_target id="badidea">
1f016a
         <role id="auto-badidea"/>
1f016a
       </acl_target>
1f016a
@@ -1073,11 +1367,18 @@ Error setting enable-acl=false (section=crm_config, set=<null>): Permission deni
1f016a
       <acl_target id="niceguy">
1f016a
         <role id="observer"/>
1f016a
       </acl_target>
1f016a
+      <acl_target id="bob">
1f016a
+        <role id="admin"/>
1f016a
+      </acl_target>
1f016a
       <acl_role id="observer">
1f016a
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
1f016a
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_target id="badidea">
1f016a
         <role id="auto-badidea"/>
1f016a
       </acl_target>
1f016a
@@ -1126,11 +1427,18 @@ Call failed: Permission denied
1f016a
       <acl_target id="niceguy">
1f016a
         <role id="observer"/>
1f016a
       </acl_target>
1f016a
+      <acl_target id="bob">
1f016a
+        <role id="admin"/>
1f016a
+      </acl_target>
1f016a
       <acl_role id="observer">
1f016a
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
1f016a
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_target id="badidea">
1f016a
         <role id="auto-badidea"/>
1f016a
       </acl_target>
1f016a
@@ -1174,11 +1482,18 @@ Call failed: Permission denied
1f016a
       <acl_target id="niceguy">
1f016a
         <role id="observer"/>
1f016a
       </acl_target>
1f016a
+      <acl_target id="bob">
1f016a
+        <role id="admin"/>
1f016a
+      </acl_target>
1f016a
       <acl_role id="observer">
1f016a
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
1f016a
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_target id="badidea">
1f016a
         <role id="auto-badidea"/>
1f016a
       </acl_target>
1f016a
@@ -1224,11 +1539,18 @@ Call failed: Permission denied
1f016a
       <acl_target id="niceguy">
1f016a
         <role id="observer"/>
1f016a
       </acl_target>
1f016a
+      <acl_target id="bob">
1f016a
+        <role id="admin"/>
1f016a
+      </acl_target>
1f016a
       <acl_role id="observer">
1f016a
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
1f016a
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_target id="badidea">
1f016a
         <role id="auto-badidea"/>
1f016a
       </acl_target>
1f016a
@@ -1294,11 +1616,18 @@ __xml_acl_post_process: 	Creation of nvpair=dummy-meta_attributes-target-role is
1f016a
       <acl_target id="niceguy">
1f016a
         <role id="observer"/>
1f016a
       </acl_target>
1f016a
+      <acl_target id="bob">
1f016a
+        <role id="admin"/>
1f016a
+      </acl_target>
1f016a
       <acl_role id="observer">
1f016a
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
1f016a
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_target id="badidea">
1f016a
         <role id="auto-badidea"/>
1f016a
       </acl_target>
1f016a
@@ -1352,11 +1681,18 @@ Stopped
1f016a
       <acl_target id="niceguy">
1f016a
         <role id="observer"/>
1f016a
       </acl_target>
1f016a
+      <acl_target id="bob">
1f016a
+        <role id="admin"/>
1f016a
+      </acl_target>
1f016a
       <acl_role id="observer">
1f016a
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
1f016a
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_target id="badidea">
1f016a
         <role id="auto-badidea"/>
1f016a
       </acl_target>
1f016a
@@ -1408,11 +1744,18 @@ Deleted dummy option: id=dummy-meta_attributes-target-role name=target-role
1f016a
       <acl_target id="niceguy">
1f016a
         <role id="observer"/>
1f016a
       </acl_target>
1f016a
+      <acl_target id="bob">
1f016a
+        <role id="admin"/>
1f016a
+      </acl_target>
1f016a
       <acl_role id="observer">
1f016a
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
1f016a
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_target id="badidea">
1f016a
         <role id="auto-badidea"/>
1f016a
       </acl_target>
1f016a
@@ -1466,11 +1809,18 @@ __xml_acl_post_process: 	Creation of nvpair=dummy-meta_attributes-target-role is
1f016a
       <acl_target id="niceguy">
1f016a
         <role id="observer"/>
1f016a
       </acl_target>
1f016a
+      <acl_target id="bob">
1f016a
+        <role id="admin"/>
1f016a
+      </acl_target>
1f016a
       <acl_role id="observer">
1f016a
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
1f016a
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_target id="badidea">
1f016a
         <role id="auto-badidea"/>
1f016a
       </acl_target>
1f016a
@@ -1574,11 +1924,18 @@ Call failed: Permission denied
1f016a
       <acl_target id="niceguy">
1f016a
         <role id="observer"/>
1f016a
       </acl_target>
1f016a
+      <acl_target id="bob">
1f016a
+        <role id="admin"/>
1f016a
+      </acl_target>
1f016a
       <acl_role id="observer">
1f016a
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
1f016a
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_target id="badidea">
1f016a
         <role id="auto-badidea"/>
1f016a
       </acl_target>
1f016a
@@ -1631,11 +1988,18 @@ Call failed: Permission denied
1f016a
       <acl_target id="niceguy">
1f016a
         <role id="observer"/>
1f016a
       </acl_target>
1f016a
+      <acl_target id="bob">
1f016a
+        <role id="admin"/>
1f016a
+      </acl_target>
1f016a
       <acl_role id="observer">
1f016a
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
1f016a
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_target id="badidea">
1f016a
         <role id="auto-badidea"/>
1f016a
       </acl_target>
1f016a
@@ -1653,12 +2017,12 @@ Call failed: Permission denied
1f016a
   </configuration>
1f016a
   <status/>
1f016a
 </cib>
1f016a
-=#=#=#= Begin test: niceguy: Replace - modify attribute =#=#=#=
1f016a
+=#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#=
1f016a
 __xml_acl_check: 	400 access denied to /cib[@epoch]: default
1f016a
 __xml_acl_check: 	400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]: default
1f016a
 Call failed: Permission denied
1f016a
-=#=#=#= End test: niceguy: Replace - modify attribute - Permission denied (13) =#=#=#=
1f016a
-* Passed: cibadmin       - niceguy: Replace - modify attribute
1f016a
+=#=#=#= End test: niceguy: Replace - modify attribute (deny) - Permission denied (13) =#=#=#=
1f016a
+* Passed: cibadmin       - niceguy: Replace - modify attribute (deny)
1f016a
 <cib epoch="14" num_updates="0" admin_epoch="0">
1f016a
   <configuration>
1f016a
     <crm_config>
1f016a
@@ -1687,11 +2051,18 @@ Call failed: Permission denied
1f016a
       <acl_target id="niceguy">
1f016a
         <role id="observer"/>
1f016a
       </acl_target>
1f016a
+      <acl_target id="bob">
1f016a
+        <role id="admin"/>
1f016a
+      </acl_target>
1f016a
       <acl_role id="observer">
1f016a
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
1f016a
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_target id="badidea">
1f016a
         <role id="auto-badidea"/>
1f016a
       </acl_target>
1f016a
@@ -1709,12 +2080,12 @@ Call failed: Permission denied
1f016a
   </configuration>
1f016a
   <status/>
1f016a
 </cib>
1f016a
-=#=#=#= Begin test: niceguy: Replace - delete attribute =#=#=#=
1f016a
+=#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#=
1f016a
 __xml_acl_check: 	400 access denied to /cib[@epoch]: default
1f016a
 __xml_acl_check: 	400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']: default
1f016a
 Call failed: Permission denied
1f016a
-=#=#=#= End test: niceguy: Replace - delete attribute - Permission denied (13) =#=#=#=
1f016a
-* Passed: cibadmin       - niceguy: Replace - delete attribute
1f016a
+=#=#=#= End test: niceguy: Replace - delete attribute (deny) - Permission denied (13) =#=#=#=
1f016a
+* Passed: cibadmin       - niceguy: Replace - delete attribute (deny)
1f016a
 <cib epoch="14" num_updates="0" admin_epoch="0">
1f016a
   <configuration>
1f016a
     <crm_config>
1f016a
@@ -1743,11 +2114,18 @@ Call failed: Permission denied
1f016a
       <acl_target id="niceguy">
1f016a
         <role id="observer"/>
1f016a
       </acl_target>
1f016a
+      <acl_target id="bob">
1f016a
+        <role id="admin"/>
1f016a
+      </acl_target>
1f016a
       <acl_role id="observer">
1f016a
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
1f016a
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
       <acl_target id="badidea">
1f016a
         <role id="auto-badidea"/>
1f016a
       </acl_target>
1f016a
@@ -1765,9 +2143,185 @@ Call failed: Permission denied
1f016a
   </configuration>
1f016a
   <status/>
1f016a
 </cib>
1f016a
-=#=#=#= Begin test: niceguy: Replace - create attribute =#=#=#=
1f016a
+=#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#=
1f016a
 __xml_acl_check: 	400 access denied to /cib[@epoch]: default
1f016a
 __xml_acl_check: 	400 access denied to /cib/configuration/resources/primitive[@id='dummy'][@description]: default
1f016a
 Call failed: Permission denied
1f016a
-=#=#=#= End test: niceguy: Replace - create attribute - Permission denied (13) =#=#=#=
1f016a
-* Passed: cibadmin       - niceguy: Replace - create attribute
1f016a
+=#=#=#= End test: niceguy: Replace - create attribute (deny) - Permission denied (13) =#=#=#=
1f016a
+* Passed: cibadmin       - niceguy: Replace - create attribute (deny)
1f016a
+<cib epoch="14" num_updates="0" admin_epoch="0">
1f016a
+  <configuration>
1f016a
+    <crm_config>
1f016a
+      <cluster_property_set id="cib-bootstrap-options">
1f016a
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
1f016a
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
1f016a
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
1f016a
+      </cluster_property_set>
1f016a
+    </crm_config>
1f016a
+    <nodes/>
1f016a
+    <resources>
1f016a
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
1f016a
+        <meta_attributes id="dummy-meta_attributes">
1f016a
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
1f016a
+        </meta_attributes>
1f016a
+      </primitive>
1f016a
+    </resources>
1f016a
+    <constraints/>
1f016a
+    <acls>
1f016a
+      <acl_target id="l33t-haxor">
1f016a
+        <role id="auto-l33t-haxor"/>
1f016a
+      </acl_target>
1f016a
+      <acl_role id="auto-l33t-haxor">
1f016a
+        <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
1f016a
+      </acl_role>
1f016a
+      <acl_target id="niceguy">
1f016a
+        <role id="observer"/>
1f016a
+      </acl_target>
1f016a
+      <acl_target id="bob">
1f016a
+        <role id="admin"/>
1f016a
+      </acl_target>
1f016a
+      <acl_role id="observer">
1f016a
+        <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
+        <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
1f016a
+      </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
+      <acl_target id="badidea">
1f016a
+        <role id="auto-badidea"/>
1f016a
+      </acl_target>
1f016a
+      <acl_role id="auto-badidea">
1f016a
+        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
1f016a
+      </acl_role>
1f016a
+      <acl_target id="betteridea">
1f016a
+        <role id="auto-betteridea"/>
1f016a
+      </acl_target>
1f016a
+      <acl_role id="auto-betteridea">
1f016a
+        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
1f016a
+        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
1f016a
+      </acl_role>
1f016a
+    </acls>
1f016a
+  </configuration>
1f016a
+  <status/>
1f016a
+</cib>
1f016a
+=#=#=#= Begin test: bob: Replace - create attribute (allow) =#=#=#=
1f016a
+=#=#=#= End test: bob: Replace - create attribute (allow) - OK (0) =#=#=#=
1f016a
+* Passed: cibadmin       - bob: Replace - create attribute (allow)
1f016a
+<cib epoch="15" num_updates="0" admin_epoch="0">
1f016a
+  <configuration>
1f016a
+    <crm_config>
1f016a
+      <cluster_property_set id="cib-bootstrap-options">
1f016a
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
1f016a
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
1f016a
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
1f016a
+      </cluster_property_set>
1f016a
+    </crm_config>
1f016a
+    <nodes/>
1f016a
+    <resources>
1f016a
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting">
1f016a
+        <meta_attributes id="dummy-meta_attributes">
1f016a
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
1f016a
+        </meta_attributes>
1f016a
+      </primitive>
1f016a
+    </resources>
1f016a
+    <constraints/>
1f016a
+    <acls>
1f016a
+      <acl_target id="l33t-haxor">
1f016a
+        <role id="auto-l33t-haxor"/>
1f016a
+      </acl_target>
1f016a
+      <acl_role id="auto-l33t-haxor">
1f016a
+        <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
1f016a
+      </acl_role>
1f016a
+      <acl_target id="niceguy">
1f016a
+        <role id="observer"/>
1f016a
+      </acl_target>
1f016a
+      <acl_target id="bob">
1f016a
+        <role id="admin"/>
1f016a
+      </acl_target>
1f016a
+      <acl_role id="observer">
1f016a
+        <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
+        <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
1f016a
+      </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
+      <acl_target id="badidea">
1f016a
+        <role id="auto-badidea"/>
1f016a
+      </acl_target>
1f016a
+      <acl_role id="auto-badidea">
1f016a
+        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
1f016a
+      </acl_role>
1f016a
+      <acl_target id="betteridea">
1f016a
+        <role id="auto-betteridea"/>
1f016a
+      </acl_target>
1f016a
+      <acl_role id="auto-betteridea">
1f016a
+        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
1f016a
+        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
1f016a
+      </acl_role>
1f016a
+    </acls>
1f016a
+  </configuration>
1f016a
+  <status/>
1f016a
+</cib>
1f016a
+=#=#=#= Begin test: bob: Replace - modify attribute (allow) =#=#=#=
1f016a
+=#=#=#= End test: bob: Replace - modify attribute (allow) - OK (0) =#=#=#=
1f016a
+* Passed: cibadmin       - bob: Replace - modify attribute (allow)
1f016a
+<cib epoch="16" num_updates="0" admin_epoch="0">
1f016a
+  <configuration>
1f016a
+    <crm_config>
1f016a
+      <cluster_property_set id="cib-bootstrap-options">
1f016a
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
1f016a
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
1f016a
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
1f016a
+      </cluster_property_set>
1f016a
+    </crm_config>
1f016a
+    <nodes/>
1f016a
+    <resources>
1f016a
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
1f016a
+    </resources>
1f016a
+    <constraints/>
1f016a
+    <acls>
1f016a
+      <acl_target id="l33t-haxor">
1f016a
+        <role id="auto-l33t-haxor"/>
1f016a
+      </acl_target>
1f016a
+      <acl_role id="auto-l33t-haxor">
1f016a
+        <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
1f016a
+      </acl_role>
1f016a
+      <acl_target id="niceguy">
1f016a
+        <role id="observer"/>
1f016a
+      </acl_target>
1f016a
+      <acl_target id="bob">
1f016a
+        <role id="admin"/>
1f016a
+      </acl_target>
1f016a
+      <acl_role id="observer">
1f016a
+        <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
+        <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
1f016a
+      </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
1f016a
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
+      <acl_target id="badidea">
1f016a
+        <role id="auto-badidea"/>
1f016a
+      </acl_target>
1f016a
+      <acl_role id="auto-badidea">
1f016a
+        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
1f016a
+      </acl_role>
1f016a
+      <acl_target id="betteridea">
1f016a
+        <role id="auto-betteridea"/>
1f016a
+      </acl_target>
1f016a
+      <acl_role id="auto-betteridea">
1f016a
+        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
1f016a
+        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
1f016a
+      </acl_role>
1f016a
+    </acls>
1f016a
+  </configuration>
1f016a
+  <status/>
1f016a
+</cib>
1f016a
+=#=#=#= Begin test: bob: Replace - delete attribute (allow) =#=#=#=
1f016a
+=#=#=#= End test: bob: Replace - delete attribute (allow) - OK (0) =#=#=#=
1f016a
+* Passed: cibadmin       - bob: Replace - delete attribute (allow)
1f016a
diff --git a/tools/regression.sh b/tools/regression.sh
1f016a
index 0c4896c..63f4445 100755
1f016a
--- a/tools/regression.sh
1f016a
+++ b/tools/regression.sh
1f016a
@@ -487,7 +487,7 @@ function test_acl_loop() {
1f016a
     CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" crm_attribute -n enable-acl -v false
1f016a
     CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin -Ql
1f016a
 
1f016a
-    desc="$CIB_user: Replace - modify attribute"
1f016a
+    desc="$CIB_user: Replace - modify attribute (deny)"
1f016a
     cmd="cibadmin --replace --xml-file /tmp/$$.haxor.xml"
1f016a
     test_assert 13 0
1f016a
 
1f016a
@@ -495,7 +495,7 @@ function test_acl_loop() {
1f016a
     CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin --replace --xml-text '<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/>'
1f016a
     CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin -Ql
1f016a
 
1f016a
-    desc="$CIB_user: Replace - delete attribute"
1f016a
+    desc="$CIB_user: Replace - delete attribute (deny)"
1f016a
     cmd="cibadmin --replace --xml-file /tmp/$$.haxor.xml"
1f016a
     test_assert 13 0
1f016a
 
1f016a
@@ -503,10 +503,36 @@ function test_acl_loop() {
1f016a
     CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'
1f016a
     CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin -Ql
1f016a
 
1f016a
-    desc="$CIB_user: Replace - create attribute"
1f016a
+    desc="$CIB_user: Replace - create attribute (deny)"
1f016a
     cmd="cibadmin --replace --xml-file /tmp/$$.haxor.xml"
1f016a
     test_assert 13 0
1f016a
     rm -rf /tmp/$$.haxor.xml
1f016a
+
1f016a
+
1f016a
+    CIB_user=bob
1f016a
+    CIB_user=root cibadmin -Q > /tmp/$$.haxor.xml
1f016a
+    CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'
1f016a
+    CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin -Ql
1f016a
+
1f016a
+    desc="$CIB_user: Replace - create attribute (allow)"
1f016a
+    cmd="cibadmin --replace -o resources --xml-file /tmp/$$.haxor.xml"
1f016a
+    test_assert 0 0
1f016a
+
1f016a
+    CIB_user=root cibadmin -Q > /tmp/$$.haxor.xml
1f016a
+    CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="something interesting"/>'
1f016a
+    CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin -Ql
1f016a
+
1f016a
+    desc="$CIB_user: Replace - modify attribute (allow)"
1f016a
+    cmd="cibadmin --replace -o resources --xml-file /tmp/$$.haxor.xml"
1f016a
+    test_assert 0 0
1f016a
+
1f016a
+    CIB_user=root cibadmin -Q > /tmp/$$.haxor.xml
1f016a
+    CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin --replace -o resources --xml-text '<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>'
1f016a
+    CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin -Ql
1f016a
+
1f016a
+    desc="$CIB_user: Replace - delete attribute (allow)"
1f016a
+    cmd="cibadmin --replace -o resources --xml-file /tmp/$$.haxor.xml"
1f016a
+    test_assert 0 0
1f016a
 }
1f016a
 
1f016a
 function test_acls() {
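Review bot: The temporary CIB recreated by the three new `CIB_user=root cibadmin -Q > /tmp/$$.haxor.xml` lines is never removed: the only `rm -rf /tmp/$$.haxor.xml` now sits in the middle of the function, before the bob block, so the file is still present when the function returns after the last `test_assert 0 0`. Add `rm -rf /tmp/$$.haxor.xml` after that final `test_assert 0 0` so no state is left behind between iterations or runs. The path is derived from `$$` rather than `mktemp`, which makes it predictable in a shared /tmp; that is the file's existing convention rather than something this change introduces, but the new block adds three more writes to it, so moving the whole function onto a `mktemp`-created path would be a reasonable follow-up. The "delete attribute (allow)" setup replaces the entire `resources` section with a bare primitive, so the expected output also drops `meta_attributes`; if the intent is to cover deleting only `description`, the setup should presumably keep the rest of the primitive. `test_acl_loop` starts outside the hunk; only its closing brace is visible here.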
1f016a
@@ -522,11 +548,18 @@ function test_acls() {
1f016a
       <acl_user id="niceguy">
1f016a
         <role_ref id="observer"/>
1f016a
       </acl_user>
1f016a
+      <acl_user id="bob">
1f016a
+        <role_ref id="admin"/>
1f016a
+      </acl_user>
1f016a
       <acl_role id="observer">
1f016a
         <read id="observer-read-1" xpath="/cib"/>
1f016a
         <write id="observer-write-1" xpath="//nvpair[@name='stonith-enabled']"/>
1f016a
         <write id="observer-write-2" xpath="//nvpair[@name='target-role']"/>
1f016a
       </acl_role>
1f016a
+      <acl_role id="admin">
1f016a
+        <read id="admin-read-1" xpath="/cib"/>
1f016a
+        <write id="admin-write-1" xpath="//resources"/>
1f016a
+      </acl_role>
1f016a
     </acls>
1f016a
 EOF
1f016a