ClusterLabs · nrwahl2 · Dec 28, 2025 · Dec 28, 2025 · Dec 26, 2025 · Dec 26, 2025
diff --git a/cts/cli/regression.acls.exp b/cts/cli/regression.acls.exp
@@ -537,7 +537,7 @@ crm_attribute: Error performing operation: Permission denied
 * Passed: crm_attribute         - unknownguy: Set fencing-enabled
 =#=#=#= Begin test: unknownguy: Create a resource =#=#=#=
 pcmk__check_acl 	trace: Lack of ACL denies user 'unknownguy' read/write access to /cib/configuration/resources/primitive[@id='dummy']
-pcmk__apply_creation_acl 	trace: ACLs disallow creation of <primitive> with id="dummy"
+check_creation_disallowed 	trace: ACLs disallow creation of <primitive> with id="dummy"
 cibadmin: CIB API call failed: Permission denied
 =#=#=#= End test: unknownguy: Create a resource - Insufficient privileges (4) =#=#=#=
 * Passed: cibadmin              - unknownguy: Create a resource
@@ -555,7 +555,7 @@ crm_attribute: Error performing operation: Permission denied
 * Passed: crm_attribute         - l33t-haxor: Set fencing-enabled
 =#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#=
 pcmk__check_acl 	trace: Parent ACL denies user 'l33t-haxor' read/write access to /cib/configuration/resources/primitive[@id='dummy']
-pcmk__apply_creation_acl 	trace: ACLs disallow creation of <primitive> with id="dummy"
+check_creation_disallowed 	trace: ACLs disallow creation of <primitive> with id="dummy"
 cibadmin: CIB API call failed: Permission denied
 =#=#=#= End test: l33t-haxor: Create a resource - Insufficient privileges (4) =#=#=#=
 * Passed: cibadmin              - l33t-haxor: Create a resource
@@ -639,7 +639,7 @@ crm_attribute: Error performing operation: Permission denied
 =#=#=#= End test: niceguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
 * Passed: crm_attribute         - niceguy: Set enable-acl
 =#=#=#= Begin test: niceguy: Set fencing-enabled =#=#=#=
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <nvpair> with id="cib-bootstrap-options-fencing-enabled"
+check_creation_disallowed 	trace: ACLs allow creation of <nvpair> with id="cib-bootstrap-options-fencing-enabled"
 =#=#=#= Current cib after: niceguy: Set fencing-enabled =#=#=#=
 <cib admin_epoch="0" epoch="10" num_updates="0">
   <configuration>
@@ -716,7 +716,7 @@ pcmk__apply_creation_acl 	trace: ACLs allow creation of <nvpair> with id="cib-bo
 * Passed: crm_attribute         - niceguy: Set fencing-enabled
 =#=#=#= Begin test: niceguy: Create a resource =#=#=#=
 pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy']
-pcmk__apply_creation_acl 	trace: ACLs disallow creation of <primitive> with id="dummy"
+check_creation_disallowed 	trace: ACLs disallow creation of <primitive> with id="dummy"
 cibadmin: CIB API call failed: Permission denied
 =#=#=#= End test: niceguy: Create a resource - Insufficient privileges (4) =#=#=#=
 * Passed: cibadmin              - niceguy: Create a resource
@@ -1041,8 +1041,8 @@ crm_resource: Error performing operation: Insufficient privileges
 * Passed: crm_resource          - l33t-haxor: Remove a resource meta attribute
 =#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
 unpack_resources 	error: Resource start-up disabled since no fencing resources have been defined. Either configure some or disable fencing with the fencing-enabled option. NOTE: Clusters with shared data need fencing to ensure data integrity.
-pcmk__apply_creation_acl 	trace: Creation of <meta_attributes> scaffolding with id="dummy-meta_attributes" is implicitly allowed
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
+check_creation_disallowed 	trace: Creation of <meta_attributes> scaffolding with id="dummy-meta_attributes" is implicitly allowed
+check_creation_disallowed 	trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
 Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Stopped
 =#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
 <cib admin_epoch="0" epoch="14" num_updates="0">
@@ -1293,7 +1293,7 @@ Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role
 * Passed: crm_resource          - niceguy: Remove a resource meta attribute
 =#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
 unpack_resources 	error: Resource start-up disabled since no fencing resources have been defined. Either configure some or disable fencing with the fencing-enabled option. NOTE: Clusters with shared data need fencing to ensure data integrity.
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
+check_creation_disallowed 	trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
 Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Started
 =#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
 <cib admin_epoch="0" epoch="16" num_updates="0">
@@ -1514,7 +1514,7 @@ cibadmin: CIB API call failed: Permission denied
 =#=#=#= Begin test: niceguy: Replace - create resource =#=#=#=
 pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
 pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy2']
-pcmk__apply_creation_acl 	trace: ACLs disallow creation of <primitive> with id="dummy2"
+check_creation_disallowed 	trace: ACLs disallow creation of <primitive> with id="dummy2"
 cibadmin: CIB API call failed: Permission denied
 =#=#=#= End test: niceguy: Replace - create resource - Insufficient privileges (4) =#=#=#=
 * Passed: cibadmin              - niceguy: Replace - create resource
@@ -2546,7 +2546,7 @@ cibadmin: CIB API call failed: Permission denied
   <status/>
 </cib>
 =#=#=#= Begin test: mike: Create another resource =#=#=#=
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <primitive> with id="dummy2"
+check_creation_disallowed 	trace: ACLs allow creation of <primitive> with id="dummy2"
 =#=#=#= Current cib after: mike: Create another resource =#=#=#=
 <cib admin_epoch="0" epoch="26" num_updates="0">
   <configuration>

diff --git a/cts/cts-cli.in b/cts/cts-cli.in
@@ -249,6 +249,7 @@ def sanitize_output(s):
         (r'(<change-attr name="crm_feature_set" .* value=")[0-9.]*"', r'\1"'),
         (r'(<change-attr name="validate-with" .* value="pacemaker-)[0-9.]+"', r'\1X"'),
         (r'(<cib.*) cib-last-written="[^"]*"', r'\1'),
+        (r'\((check_creation_disallowed.*)@.*\.c:[0-9]+\)', r'\1'),
         (r'crm_feature_set="[^"]*" ', r''),
         (r'@crm_feature_set=[0-9.]+, ', r''),
         (r'\(crm_time_parse_duration@.*\.c:[0-9]+\)', r'crm_time_parse_duration'),
@@ -2946,7 +2947,7 @@ class AclsRegressionTest(RegressionTest):
         return [
             ShadowTestGroup(basic_tests + [
                             TestGroup(loop_tests,
-                                      env={"PCMK_trace_functions": "pcmk__check_acl,pcmk__apply_creation_acl"})]),
+                                      env={"PCMK_trace_functions": "pcmk__check_acl,check_creation_disallowed"})]),
         ]
 
 

diff --git a/daemons/attrd/attrd_messages.c b/daemons/attrd/attrd_messages.c
@@ -24,9 +24,10 @@ int minimum_protocol_version = -1;
 static GHashTable *attrd_handlers = NULL;
 
 static bool
-is_sync_point_attr(xmlAttrPtr attr, void *data)
+is_sync_point_attr(const xmlAttr *attr, void *data)
 {
-    return pcmk__str_eq((const char *) attr->name, PCMK__XA_ATTR_SYNC_POINT, pcmk__str_none);
+    return pcmk__str_eq((const char *) attr->name, PCMK__XA_ATTR_SYNC_POINT,
+                        pcmk__str_none);
 }
 
 static int

diff --git a/include/crm/common/acl.h b/include/crm/common/acl.h
@@ -25,8 +25,6 @@ extern "C" {
 
 void xml_acl_disable(xmlNode *xml);
 bool xml_acl_denied(const xmlNode *xml);
-bool xml_acl_filtered_copy(const char *user, xmlNode* acl_source, xmlNode *xml,
-                           xmlNode **result);
 
 bool pcmk_acl_required(const char *user);
 

diff --git a/include/crm/common/acl_compat.h b/include/crm/common/acl_compat.h
@@ -30,6 +30,10 @@ extern "C" {
 //! \deprecated Do not use
 bool xml_acl_enabled(const xmlNode *xml);
 
+//! \deprecated Do not use
+bool xml_acl_filtered_copy(const char *user, xmlNode *acl_source, xmlNode *xml,
+                           xmlNode **result);
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/include/crm/common/acl_internal.h b/include/crm/common/acl_internal.h
@@ -38,6 +38,9 @@ pcmk__is_privileged(const char *user)
 
 void pcmk__enable_acls(xmlDoc *source, xmlDoc *target, const char *user);
 
+xmlNode *pcmk__acl_filtered_copy(const char *user, xmlDoc *acl_source,
+                                 xmlNode *xml);
+
 bool pcmk__check_acl(xmlNode *xml, const char *attr_name,
                      enum pcmk__xml_flags mode);
 

diff --git a/include/crm/common/xml_element_internal.h b/include/crm/common/xml_element_internal.h
@@ -48,7 +48,7 @@ xmlNode *pcmk__xe_first_child(const xmlNode *parent, const char *node_name,
 void pcmk__xe_remove_attr(xmlNode *element, const char *name);
 bool pcmk__xe_remove_attr_cb(xmlNode *xml, void *user_data);
 void pcmk__xe_remove_matching_attrs(xmlNode *element, bool force,
-                                    bool (*match)(xmlAttr *, void *),
+                                    bool (*match)(const xmlAttr *, void *),
                                     void *user_data);
 int pcmk__xe_delete_match(xmlNode *xml, xmlNode *search);
 int pcmk__xe_replace_match(xmlNode *xml, xmlNode *replace);

diff --git a/lib/cib/cib_utils.c b/lib/cib/cib_utils.c
@@ -235,9 +235,9 @@ cib__perform_op_ro(cib__op_fn_t fn, xmlNode *req, xmlNode **current_cib,
 
     cib = *current_cib;
 
-    if (cib_acl_enabled(*current_cib, user)
-        && xml_acl_filtered_copy(user, *current_cib, *current_cib,
-                                 &cib_filtered)) {
+    if (cib_acl_enabled(*current_cib, user)) {
+        cib_filtered = pcmk__acl_filtered_copy(user, (*current_cib)->doc,
+                                               *current_cib);
 
         if (cib_filtered == NULL) {
             pcmk__debug("Pre-filtered the entire cib");
@@ -671,12 +671,12 @@ cib__perform_op_rw(enum cib_variant variant, cib__op_fn_t fn, xmlNode *req,
     if ((rc != pcmk_rc_ok) && cib_acl_enabled(old_versions, user)) {
         xmlNode *saved_cib = *cib;
 
-        if (xml_acl_filtered_copy(user, old_versions, *cib, cib)) {
-            if (*cib == NULL) {
-                pcmk__debug("Pre-filtered the entire cib result");
-            }
-            pcmk__xml_free(saved_cib);
+        *cib = pcmk__acl_filtered_copy(user, old_versions->doc, *cib);
+        if (*cib == NULL) {
+            pcmk__debug("Pre-filtered the entire cib result");
         }
+
+        pcmk__xml_free(saved_cib);
     }
 
     pcmk__xml_free(top);