Bug 1253458
Summary: | ipa vault-add creates user vault with non-existent user | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Scott Poore <spoore> |
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED NOTABUG | QA Contact: | Namita Soman <nsoman> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 7.2 | CC: | pvoborni, rcritten |
Target Milestone: | rc | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2016-02-15 17:54:12 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |

Description
Scott Poore
2015-08-13 17:51:56 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5216

Was discussed offline and was decided that creating a vault for non-existent user/service is a valid use-case.

Reopening this bug for either more detailed clarification of why adding a non-existent user is valid or to get this resolved. IMHO, we should not add a user vault until after the user is added.

Thanks, Scott

The reason is consistency with delete operation. Vault is not deleted when user is deleted to preserve secrets. So the state can be achieved even if it is not permitted. Maybe the add operation can print a warning that the user|service doesn't exist, e.g. to solve "typo" mistakes.

A warning on add would be good but, is it possible instead to add a warning on user-del? To me it seems better to error on vault-add and show a warning on user-del (if possible) that the vaults and containers must be manually removed. This would prevent adding an initial orphan and/or prevent adding new ones for already deleted users.

I've opened https://fedorahosted.org/freeipa/ticket/5674 to reflect comment 6. It will be resolved according to the triage.

Since the proposal will be resolved elsewhere I'm closing this bug again.