Config: Flag config uidgid entries

Uidgid entries parsed from configuration files now has prefix
(uidgid.config.) so they are distinguishable from dynamically added
entries. Entries added from config file are pruned on reload if no
longer exists in config file (dynamic one stays unaffected). Also whole
uidgid.config. prefix is made read only.

This make PCMK work again after configuration reload is called.

Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>

exec/cfg.c

@@ -703,7 +703,7 @@ static void message_handler_req_exec_cfg_reload_config (
 	remove_deleted_entries(temp_map, "totem.");
 	remove_deleted_entries(temp_map, "nodelist.");
 	remove_deleted_entries(temp_map, "quorum.");
-	remove_deleted_entries(temp_map, "uidgid.");
+	remove_deleted_entries(temp_map, "uidgid.config.");
 
 	/* Remove entries that cannot be changed */
 	remove_ro_entries(temp_map);

exec/coroparse.c

@@ -794,7 +794,7 @@ static int main_config_parser_cb(const char *path,
 					*error_string = error_string_response;
 					return (0);
 				}
-				snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.uid.%u",
+				snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.config.uid.%u",
 						uid);
 				icmap_set_uint8_r(config_map, key_name, 1);
 				add_as_string = 0;
@@ -804,7 +804,7 @@ static int main_config_parser_cb(const char *path,
 					*error_string = error_string_response;
 					return (0);
 				}
-				snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.gid.%u",
+				snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.config.gid.%u",
 						gid);
 				icmap_set_uint8_r(config_map, key_name, 1);
 				add_as_string = 0;
@@ -1203,7 +1203,7 @@ static int uidgid_config_parser_cb(const char *path,
 				*error_string = error_string_response;
 				return (0);
 			}
-			snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.uid.%u",
+			snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.config.uid.%u",
 					uid);
 			icmap_set_uint8_r(config_map, key_name, 1);
 		} else if (strcmp(path, "uidgid.gid") == 0) {
@@ -1212,7 +1212,7 @@ static int uidgid_config_parser_cb(const char *path,
 				*error_string = error_string_response;
 				return (0);
 			}
-			snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.gid.%u",
+			snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.config.gid.%u",
 					gid);
 			icmap_set_uint8_r(config_map, key_name, 1);
 		} else {

exec/ipc_glue.c

@@ -194,10 +194,18 @@ static int32_t cs_ipcs_connection_accept (qb_ipcs_connection_t *c, uid_t euid, g
 	if (icmap_get_uint8(key_name, &u8) == CS_OK && u8 == 1)
 		return 0;
 
+	snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.config.uid.%u", euid);
+	if (icmap_get_uint8(key_name, &u8) == CS_OK && u8 == 1)
+		return 0;
+
 	snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.gid.%u", egid);
 	if (icmap_get_uint8(key_name, &u8) == CS_OK && u8 == 1)
 		return 0;
 
+	snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.config.gid.%u", egid);
+	if (icmap_get_uint8(key_name, &u8) == CS_OK && u8 == 1)
+		return 0;
+
 	log_printf(LOGSYS_LEVEL_ERROR, "Denied connection attempt from %d:%d", euid, egid);
 
 	return -EACCES;

exec/main.c

@@ -1011,6 +1011,7 @@ static void set_icmap_ro_keys_flag (void)
 	icmap_set_ro_access("runtime.totem.", CS_TRUE, CS_TRUE);
 	icmap_set_ro_access("runtime.services.", CS_TRUE, CS_TRUE);
 	icmap_set_ro_access("runtime.config.", CS_TRUE, CS_TRUE);
+	icmap_set_ro_access("uidgid.config.", CS_TRUE, CS_TRUE);
 
 	/*
 	 * Set RO flag for constrete keys of configuration which can't be changed

man/cmap_keys.8

@@ -275,7 +275,9 @@ State of the client. Can be one of failed, stopped, running and waiting for quor
 .TP
 uidgid.*
 Information about users/groups which are allowed to make IPC connections to
-corosync.
+corosync. Entries loaded from configuration file are stored with
+uidgid.config.* prefix and are pruned on configuration file reload. Dynamic
+entries has uidgid.* prefix and a configuration file reload doesn't affect them.
 
 .TP
 quorum.cancel_wait_for_all