Bug 1430363

Summary: [RFE] HBAC rule names command rename
Product: Red Hat Enterprise Linux 7 Reporter: Andrey Bondarenko <abondare>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Varun Mylaraiah <mvarun>
Severity: low Docs Contact:
Priority: medium    
Version: 7.3CC: mvarun, nsoman, pvoborni, rcritten, slaznick, tscherf
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-4.5.0-3.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:44:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Andrey Bondarenko 2017-03-08 13:06:01 UTC 
Description of problem:

In the IPA there is a possibility to rename users group with the command line interface:

     ipa  group-mod test_group --rename="test1_group"

However, hbacrule-mod does not have --rename option for HBAC rules.


Version-Release number of selected component (if applicable):

    IPA 4.4

Why does the customer need this? (List the business requirements here)  

Often customer havs internal clients renaming team names, systems etc, so it would be great if we could rename HBAC rules.

 How would the customer like to achieve this? (List the functional requirements here)  

    ipa hbacrule-mod name --rename="newname"
    

Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?  

    RHEL7

Is the sales team involved in this request and do they have any additional input?  
    
   No
  
List any affected packages or components.  
      
    ipa

Would the customer be able to assist in testing this functionality if implemented?

    Yes
Comment 2 Petr Vobornik 2017-03-17 16:03:59 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6784
Comment 3 Standa Laznicka 2017-03-28 10:52:28 UTC 
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/28db6cd40100c6301121e3f82c074624fe53729c
https://pagure.io/freeipa/c/85f2a19f88eef94ff080a42246658f572b5275f4
https://pagure.io/freeipa/c/7d3229bfb88f0fdc559245c8741563faba716106
master:
https://pagure.io/freeipa/c/8e4408e6784f929b4c3d861f0dd509335238e951
https://pagure.io/freeipa/c/55424c8677ba7de464c820afd31260aa4a7678d0
https://pagure.io/freeipa/c/8c1409155e9a9a978d3d763045a84d1eac585dfd
Comment 5 Martin Kosek 2017-05-26 09:40:31 UTC 
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!
Comment 7 Varun Mylaraiah 2017-05-30 10:09:36 UTC 
Varified
ipa-server-4.5.0-13.el7.x86_64

# ipa hbacrule-mod --help
Usage: ipa [global-options] hbacrule-mod NAME [options]

Modify an HBAC rule.
Options:
  -h, --help            show this help message and exit
  --usercat=['all']     User category the rule applies to
  --hostcat=['all']     Host category the rule applies to
  --servicecat=['all']  Service category the rule applies to
  --desc=STR            Description
  --setattr=STR         Set an attribute to a name/value pair. Format is
                        attr=value. For multi-valued attributes, the command
                        replaces the values already present.
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The
                        attribute must be part of the schema.
  --delattr=STR         Delete an attribute/value pair. The option will be
                        evaluated last, after all sets and adds.
  --rights              Display the access rights of this entry (requires
                        --all). See ipa man page for details.
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
  --raw                 Print entries as stored on the server. Only affects
                        output format.
  --no-members          Suppress processing of membership attributes.
  --rename=STR          Rename the HBAC rule object


# ipa hbacrule-add newrule
-------------------------
Added HBAC rule "newrule"
-------------------------
  Rule name: newrule
  Enabled: TRUE


# ipa hbacrule-mod newrule --rename=renamedrule
----------------------------
Modified HBAC rule "newrule"
----------------------------
  Rule name: renamedrule
  Enabled: TRUE

# ipa hbacrule-show newrule
ipa: ERROR: newrule: HBAC rule not found

# ipa hbacrule-show renamedrule
  Rule name: renamedrule
  Enabled: TRUE
Comment 8 errata-xmlrpc 2017-08-01 09:44:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304