Log: xml: Warn about post-transform behavior changes for ACLs with xpath

Closes T898

Signed-off-by: Reid Wahl <nrwahl@protonmail.com>

cts/schemas/test-3/ref.err/acl-drop.ref.err-99

@@ -0,0 +1 @@
+WARNING: CIB syntax changes may invalidate ACLs that use "xpath". It is strongly recommended to run "cibadmin --upgrade" and then examine the updated CIB carefully to ensure ACLs still match the desired intent.

cts/schemas/test-3/ref/acl-drop.ref-1

@@ -28,7 +28,9 @@
          * The other ACL permissions should remain unchanged.
       -->
     <crm_config original="1">
-      <cluster_property_set id="cib-bootstrap-options" original="1"/>
+      <cluster_property_set id="cib-bootstrap-options" original="1">
+        <dropped/>
+      </cluster_property_set>
     </crm_config>
     <nodes original="1"/>
     <resources original="1">

cts/schemas/test-3/ref/acl-drop.ref-2

@@ -28,7 +28,9 @@
          * The other ACL permissions should remain unchanged.
       -->
     <crm_config original="1">
-      <cluster_property_set id="cib-bootstrap-options" original="1"/>
+      <cluster_property_set id="cib-bootstrap-options" original="1">
+        <dropped/>
+      </cluster_property_set>
     </crm_config>
     <nodes original="1"/>
     <resources original="1">
@@ -52,7 +54,7 @@
     <acls original="1">
       <acl_role id="role1" original="1">
         <acl_permission id="role1-deny-property-drop" kind="deny" reference="cib-bootstrap-options-remove-after-stop" original="1"/>
-        <acl_permission id="role1-deny-rsc1-loc-drop" kind="deny" xpath="//*[@id = 'pcmk__3_10_upgrade-rsc1-loc-1' or @id = 'pcmk__3_10_upgrade-rsc1-loc-2']" original="1"/>
+        <acl_permission id="role1-deny-rsc1-loc-drop" kind="deny" xpath="//*[@id = 'pcmk__3_10_upgrade-rsc1-loc-1' or @id = 'pcmk__3_10_upgrade-rsc1-loc-2']" changed="1" original="1"/>
         <acl_permission id="role1-deny-rsc2-meta_attributes-drop" kind="deny" reference="rsc2-meta_attributes" original="1"/>
         <acl_permission id="role1-deny-rsc1-keep" kind="deny" reference="rsc1" original="1"/>
         <acl_permission id="role1-deny-role1-deny-property-drop-keep" kind="deny" reference="role1-deny-property-drop" original="1"/>

cts/schemas/test-3/ref/acl-drop.ref-3

@@ -28,7 +28,9 @@
          * The other ACL permissions should remain unchanged.
       -->
     <crm_config original="1">
-      <cluster_property_set id="cib-bootstrap-options" original="1"/>
+      <cluster_property_set id="cib-bootstrap-options" original="1">
+        <dropped/>
+      </cluster_property_set>
     </crm_config>
     <nodes original="1"/>
     <resources original="1">
@@ -52,7 +54,7 @@
     <acls original="1">
       <acl_role id="role1" original="1">
         <acl_permission id="role1-deny-property-drop" kind="deny" reference="cib-bootstrap-options-remove-after-stop" original="1"/>
-        <acl_permission id="role1-deny-rsc1-loc-drop" kind="deny" xpath="//*[@id = 'pcmk__3_10_upgrade-rsc1-loc-1' or @id = 'pcmk__3_10_upgrade-rsc1-loc-2']" original="1"/>
+        <acl_permission id="role1-deny-rsc1-loc-drop" kind="deny" xpath="//*[@id = 'pcmk__3_10_upgrade-rsc1-loc-1' or @id = 'pcmk__3_10_upgrade-rsc1-loc-2']" changed="1" original="1"/>
         <acl_permission id="role1-deny-rsc2-meta_attributes-drop" kind="deny" reference="rsc2-meta_attributes" original="1"/>
         <acl_permission id="role1-deny-rsc1-keep" kind="deny" reference="rsc1" original="1"/>
         <acl_permission id="role1-deny-role1-deny-property-drop-keep" kind="deny" reference="role1-deny-property-drop" original="1"/>

cts/schemas/test-3/ref/acl-drop.ref-4

@@ -28,11 +28,14 @@
          * The other ACL permissions should remain unchanged.
       -->
     <crm_config original="1">
-      <cluster_property_set id="cib-bootstrap-options" original="1"/>
+      <cluster_property_set id="cib-bootstrap-options" original="1">
+        <dropped/>
+      </cluster_property_set>
     </crm_config>
     <nodes original="1"/>
     <resources original="1">
       <primitive id="rsc1" class="ocf" provider="pacemaker" type="Dummy" original="1"/>
+      <dropped/>
     </resources>
     <constraints original="1">
       <rsc_location id="pcmk__3_10_upgrade-rsc1-loc-1" rsc="rsc1" original="0">
@@ -49,7 +52,7 @@
     <acls original="1">
       <acl_role id="role1" original="1">
         <acl_permission id="role1-deny-property-drop" kind="deny" reference="cib-bootstrap-options-remove-after-stop" original="1"/>
-        <acl_permission id="role1-deny-rsc1-loc-drop" kind="deny" xpath="//*[@id = 'pcmk__3_10_upgrade-rsc1-loc-1' or @id = 'pcmk__3_10_upgrade-rsc1-loc-2']" original="1"/>
+        <acl_permission id="role1-deny-rsc1-loc-drop" kind="deny" xpath="//*[@id = 'pcmk__3_10_upgrade-rsc1-loc-1' or @id = 'pcmk__3_10_upgrade-rsc1-loc-2']" changed="1" original="1"/>
         <acl_permission id="role1-deny-rsc2-meta_attributes-drop" kind="deny" reference="rsc2-meta_attributes" original="1"/>
         <acl_permission id="role1-deny-rsc1-keep" kind="deny" reference="rsc1" original="1"/>
         <acl_permission id="role1-deny-role1-deny-property-drop-keep" kind="deny" reference="role1-deny-property-drop" original="1"/>

cts/schemas/test-3/ref/bundle-promoted-max-legacy.ref-2

@@ -11,13 +11,13 @@
     <nodes original="1"/>
     <resources original="1">
       <bundle id="bundle1" original="1">
-        <docker image="alpine:latest" promoted-max="2" run-command="sleep 60" original="1"/>
+        <docker image="alpine:latest" promoted-max="2" changed="1" run-command="sleep 60" original="1"/>
       </bundle>
       <bundle id="bundle2" original="1">
-        <podman image="alpine:latest" promoted-max="2" run-command="sleep 60" original="1"/>
+        <podman image="alpine:latest" promoted-max="2" changed="1" run-command="sleep 60" original="1"/>
       </bundle>
       <bundle id="bundle3" original="1">
-        <rkt image="alpine:latest" promoted-max="2" run-command="sleep 60" original="1"/>
+        <rkt image="alpine:latest" promoted-max="2" changed="1" run-command="sleep 60" original="1"/>
       </bundle>
     </resources>
     <constraints original="1"/>

cts/schemas/test-3/ref/bundle-promoted-max-legacy.ref-3

@@ -11,13 +11,13 @@
     <nodes original="1"/>
     <resources original="1">
       <bundle id="bundle1" original="1">
-        <docker image="alpine:latest" promoted-max="2" run-command="sleep 60" original="1"/>
+        <docker image="alpine:latest" promoted-max="2" changed="1" run-command="sleep 60" original="1"/>
       </bundle>
       <bundle id="bundle2" original="1">
-        <podman image="alpine:latest" promoted-max="2" run-command="sleep 60" original="1"/>
+        <podman image="alpine:latest" promoted-max="2" changed="1" run-command="sleep 60" original="1"/>
       </bundle>
       <bundle id="bundle3" original="1">
-        <rkt image="alpine:latest" promoted-max="2" run-command="sleep 60" original="1"/>
+        <rkt image="alpine:latest" promoted-max="2" changed="1" run-command="sleep 60" original="1"/>
       </bundle>
     </resources>
     <constraints original="1"/>

cts/schemas/test-3/ref/bundle-promoted-max-legacy.ref-4

@@ -11,11 +11,12 @@
     <nodes original="1"/>
     <resources original="1">
       <bundle id="bundle1" original="1">
-        <docker image="alpine:latest" promoted-max="2" run-command="sleep 60" original="1"/>
+        <docker image="alpine:latest" promoted-max="2" changed="1" run-command="sleep 60" original="1"/>
       </bundle>
       <bundle id="bundle2" original="1">
-        <podman image="alpine:latest" promoted-max="2" run-command="sleep 60" original="1"/>
+        <podman image="alpine:latest" promoted-max="2" changed="1" run-command="sleep 60" original="1"/>
       </bundle>
+      <dropped/>
     </resources>
     <constraints original="1"/>
   </configuration>

cts/schemas/test-3/ref/can-fail.ref-4

@@ -30,6 +30,7 @@
         <operations original="1">
           <op id="template1_monitor_20000" interval="20s" name="monitor" original="1">
             <meta_attributes id="template1_monitor_20000-meta_attributes" original="1">
+              <dropped/>
               <nvpair id="template_monitor_20000-meta_attributes-other" name="other" value="true" original="1"/>
             </meta_attributes>
           </op>
@@ -39,6 +40,7 @@
         <operations original="1">
           <op id="rsc1_monitor_20000" interval="20s" name="monitor" original="1">
             <meta_attributes id="rsc1_monitor_20000-meta_attributes" original="1">
+              <dropped/>
               <nvpair id="rsc1_monitor_20000-meta_attributes-other" name="other" value="false" original="1"/>
             </meta_attributes>
           </op>
@@ -58,6 +60,7 @@
           <operations original="1">
             <op id="rsc2_monitor_20000" interval="20s" name="monitor" original="1">
               <meta_attributes id="rsc2_monitor_20000-meta_attributes" original="1">
+                <dropped/>
                 <nvpair id="rsc2_monitor_20000-meta_attributes-other" name="other" value="true" original="1"/>
               </meta_attributes>
             </op>
@@ -69,6 +72,7 @@
           <operations original="1">
             <op id="rsc3_monitor_20000" interval="20s" name="monitor" original="1">
               <meta_attributes id="rsc3_monitor_20000-meta_attributes" original="1">
+                <dropped/>
                 <nvpair id="rsc3_monitor_20000-meta_attributes-other" name="other" value="false" original="1"/>
               </meta_attributes>
             </op>
@@ -81,6 +85,7 @@
             <operations original="1">
               <op id="rsc4_monitor_20000" interval="20s" name="monitor" original="1">
                 <meta_attributes id="rsc4_monitor_20000-meta_attributes" original="1">
+                  <dropped/>
                   <nvpair id="rsc4_monitor_20000-meta_attributes-other" name="other" value="true" original="1"/>
                 </meta_attributes>
               </op>
@@ -94,6 +99,7 @@
           <operations original="1">
             <op id="rsc5_monitor_20000" interval="20s" name="monitor" original="1">
               <meta_attributes id="rsc5_monitor_20000-meta_attributes" original="1">
+                <dropped/>
                 <nvpair id="rsc5_monitor_20000-meta_attributes-other" name="other" value="false" original="1"/>
               </meta_attributes>
             </op>
@@ -104,6 +110,7 @@
     <constraints original="1"/>
     <op_defaults original="1">
       <meta_attributes id="op_defaults-meta_attributes" original="1">
+        <dropped/>
         <nvpair id="op_defaults-meta_attributes-other" name="other" value="true" original="1"/>
       </meta_attributes>
     </op_defaults>

cts/schemas/test-3/ref/crmd-finalization-timeout.ref-1

@@ -9,7 +9,7 @@
       -->
     <crm_config original="1">
       <cluster_property_set id="cib-bootstrap-options" original="1">
-        <nvpair id="cib-bootstrap-options-crmd-finalization-timeout" name="join-finalization-timeout" value="30" original="1"/>
+        <nvpair id="cib-bootstrap-options-crmd-finalization-timeout" name="join-finalization-timeout" changed="1" value="30" original="1"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true" original="1"/>
       </cluster_property_set>
     </crm_config>

cts/schemas/test-3/ref/crmd-finalization-timeout.ref-2

@@ -9,7 +9,7 @@
       -->
     <crm_config original="1">
       <cluster_property_set id="cib-bootstrap-options" original="1">
-        <nvpair id="cib-bootstrap-options-crmd-finalization-timeout" name="join-finalization-timeout" value="30" original="1"/>
+        <nvpair id="cib-bootstrap-options-crmd-finalization-timeout" name="join-finalization-timeout" changed="1" value="30" original="1"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true" original="1"/>
       </cluster_property_set>
     </crm_config>

cts/schemas/test-3/ref/crmd-finalization-timeout.ref-3

@@ -9,7 +9,7 @@
       -->
     <crm_config original="1">
       <cluster_property_set id="cib-bootstrap-options" original="1">
-        <nvpair id="cib-bootstrap-options-crmd-finalization-timeout" name="join-finalization-timeout" value="30" original="1"/>
+        <nvpair id="cib-bootstrap-options-crmd-finalization-timeout" name="join-finalization-timeout" changed="1" value="30" original="1"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true" original="1"/>
       </cluster_property_set>
     </crm_config>

cts/schemas/test-3/ref/crmd-finalization-timeout.ref-4

@@ -9,7 +9,7 @@
       -->
     <crm_config original="1">
       <cluster_property_set id="cib-bootstrap-options" original="1">
-        <nvpair id="cib-bootstrap-options-crmd-finalization-timeout" name="join-finalization-timeout" value="30" original="1"/>
+        <nvpair id="cib-bootstrap-options-crmd-finalization-timeout" name="join-finalization-timeout" changed="1" value="30" original="1"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true" original="1"/>
       </cluster_property_set>
     </crm_config>

cts/schemas/test-3/ref/crmd-integration-timeout.ref-1

@@ -8,7 +8,7 @@
       -->
     <crm_config original="1">
       <cluster_property_set id="cib-bootstrap-options" original="1">
-        <nvpair id="cib-bootstrap-options-crmd-integration-timeout" name="join-integration-timeout" value="30" original="1"/>
+        <nvpair id="cib-bootstrap-options-crmd-integration-timeout" name="join-integration-timeout" changed="1" value="30" original="1"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true" original="1"/>
       </cluster_property_set>
     </crm_config>

cts/schemas/test-3/ref/crmd-integration-timeout.ref-2

@@ -8,7 +8,7 @@
       -->
     <crm_config original="1">
       <cluster_property_set id="cib-bootstrap-options" original="1">
-        <nvpair id="cib-bootstrap-options-crmd-integration-timeout" name="join-integration-timeout" value="30" original="1"/>
+        <nvpair id="cib-bootstrap-options-crmd-integration-timeout" name="join-integration-timeout" changed="1" value="30" original="1"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true" original="1"/>
       </cluster_property_set>
     </crm_config>

cts/schemas/test-3/ref/crmd-integration-timeout.ref-3

@@ -8,7 +8,7 @@
       -->
     <crm_config original="1">
       <cluster_property_set id="cib-bootstrap-options" original="1">
-        <nvpair id="cib-bootstrap-options-crmd-integration-timeout" name="join-integration-timeout" value="30" original="1"/>
+        <nvpair id="cib-bootstrap-options-crmd-integration-timeout" name="join-integration-timeout" changed="1" value="30" original="1"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true" original="1"/>
       </cluster_property_set>
     </crm_config>

cts/schemas/test-3/ref/crmd-integration-timeout.ref-4

@@ -8,7 +8,7 @@
       -->
     <crm_config original="1">
       <cluster_property_set id="cib-bootstrap-options" original="1">
-        <nvpair id="cib-bootstrap-options-crmd-integration-timeout" name="join-integration-timeout" value="30" original="1"/>
+        <nvpair id="cib-bootstrap-options-crmd-integration-timeout" name="join-integration-timeout" changed="1" value="30" original="1"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true" original="1"/>
       </cluster_property_set>
     </crm_config>

cts/schemas/test-3/ref/crmd-transition-delay.ref-1

@@ -8,7 +8,7 @@
       -->
     <crm_config original="1">
       <cluster_property_set id="cib-bootstrap-options" original="1">
-        <nvpair id="cib-bootstrap-options-crmd-transition-delay" name="transition-delay" value="30" original="1"/>
+        <nvpair id="cib-bootstrap-options-crmd-transition-delay" name="transition-delay" changed="1" value="30" original="1"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true" original="1"/>
       </cluster_property_set>
     </crm_config>

cts/schemas/test-3/ref/crmd-transition-delay.ref-2

@@ -8,7 +8,7 @@
       -->
     <crm_config original="1">
       <cluster_property_set id="cib-bootstrap-options" original="1">
-        <nvpair id="cib-bootstrap-options-crmd-transition-delay" name="transition-delay" value="30" original="1"/>
+        <nvpair id="cib-bootstrap-options-crmd-transition-delay" name="transition-delay" changed="1" value="30" original="1"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true" original="1"/>
       </cluster_property_set>
     </crm_config>

cts/schemas/test-3/ref/crmd-transition-delay.ref-3

@@ -8,7 +8,7 @@
       -->
     <crm_config original="1">
       <cluster_property_set id="cib-bootstrap-options" original="1">
-        <nvpair id="cib-bootstrap-options-crmd-transition-delay" name="transition-delay" value="30" original="1"/>
+        <nvpair id="cib-bootstrap-options-crmd-transition-delay" name="transition-delay" changed="1" value="30" original="1"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true" original="1"/>
       </cluster_property_set>
     </crm_config>

cts/schemas/test-3/ref/crmd-transition-delay.ref-4

@@ -8,7 +8,7 @@
       -->
     <crm_config original="1">
       <cluster_property_set id="cib-bootstrap-options" original="1">
-        <nvpair id="cib-bootstrap-options-crmd-transition-delay" name="transition-delay" value="30" original="1"/>
+        <nvpair id="cib-bootstrap-options-crmd-transition-delay" name="transition-delay" changed="1" value="30" original="1"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true" original="1"/>
       </cluster_property_set>
     </crm_config>

cts/schemas/test-3/ref/duplicate-nvpairs-no-default.ref-2

@@ -15,6 +15,8 @@
     <crm_config original="1">
       <cluster_property_set id="cib-bootstrap-options" original="1">
         <nvpair id="cib-bootstrap-options-option1" name="option" value="value1" original="1"/>
+        <dropped/>
+        <dropped/>
         <nvpair id="cib-bootstrap-options-other-option" name="other-option" value="value0" original="1"/>
       </cluster_property_set>
     </crm_config>
@@ -23,15 +25,21 @@
       <primitive class="ocf" id="rsc1" provider="heartbeat" type="apache" original="1">
         <instance_attributes id="rsc1-instance_attributes" original="1">
           <nvpair id="rsc1-instance_attributes-option1" name="option" value="value1" original="1"/>
+          <dropped/>
           <nvpair id="rsc1-instance_attributes-other-option" name="other-option" value="value0" original="1"/>
+          <dropped/>
         </instance_attributes>
         <meta_attributes id="rsc1-meta_attributes" original="1">
           <nvpair id="rsc1-meta_attributes-option1" name="option" value="value1" original="1"/>
           <nvpair id="rsc1-meta_attributes-other-option" name="other-option" value="value0" original="1"/>
+          <dropped/>
+          <dropped/>
         </meta_attributes>
         <utilization id="rsc1-utilization" original="1">
           <nvpair id="rsc1-utilization-other-option" name="other-option" value="valueX" original="1"/>
           <nvpair id="rsc1-meta_attributes-option1" name="option" value="value1" original="0"/>
+          <dropped/>
+          <dropped/>
         </utilization>
       </primitive>
     </resources>

cts/schemas/test-3/ref/duplicate-nvpairs-no-default.ref-3

@@ -15,6 +15,8 @@
     <crm_config original="1">
       <cluster_property_set id="cib-bootstrap-options" original="1">
         <nvpair id="cib-bootstrap-options-option1" name="option" value="value1" original="1"/>
+        <dropped/>
+        <dropped/>
         <nvpair id="cib-bootstrap-options-other-option" name="other-option" value="value0" original="1"/>
       </cluster_property_set>
     </crm_config>
@@ -23,15 +25,21 @@
       <primitive class="ocf" id="rsc1" provider="heartbeat" type="apache" original="1">
         <instance_attributes id="rsc1-instance_attributes" original="1">
           <nvpair id="rsc1-instance_attributes-option1" name="option" value="value1" original="1"/>
+          <dropped/>
           <nvpair id="rsc1-instance_attributes-other-option" name="other-option" value="value0" original="1"/>
+          <dropped/>
         </instance_attributes>
         <meta_attributes id="rsc1-meta_attributes" original="1">
           <nvpair id="rsc1-meta_attributes-option1" name="option" value="value1" original="1"/>
           <nvpair id="rsc1-meta_attributes-other-option" name="other-option" value="value0" original="1"/>
+          <dropped/>
+          <dropped/>
         </meta_attributes>
         <utilization id="rsc1-utilization" original="1">
           <nvpair id="rsc1-utilization-other-option" name="other-option" value="valueX" original="1"/>
           <nvpair id="rsc1-meta_attributes-option1" name="option" value="value1" original="0"/>
+          <dropped/>
+          <dropped/>
         </utilization>
       </primitive>
     </resources>