Bug 1551141

Summary: ipa hbacrule-mod cannot change servicecategory once for all, while in web UI it can.
Product: Red Hat Enterprise Linux 7
Reporter: Seldon Sun <seldonsun>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED NOTABUG
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: frenaud, pasik, pvoborni, rcritten, tscherf
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Last Closed: 2018-10-17 07:57:32 UTC
Type: Bug

Description Seldon Sun 2018-03-02 21:09:39 UTC
Description of problem:
"ipa hbacrule-mod rulename --servicecat='all'" returns this error:

ipa: ERROR: service category cannot be set to 'all' while there are allowed services

But in the hbacrule property page on the web UI, you can set "Service category the rule applies to" to "Any Service" from "Specified Services and Groups", then save the hbacrule, and it clears out all existing services and service groups automatically. No errors are returned.

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.el7.x86_64

How reproducible:


Steps to Reproduce:
1. In the web UI, create an hbacrule with "services" and "service groups" defined at the bottom of its property page. By default it is "Any Service". Change it to "Specified Services and Groups", then add some random services or service groups below.

2. Run "ipa hbacrule-mod <rulename> --servicecat='all'" from the console; you should see the aforementioned error message:
ipa: ERROR: service category cannot be set to 'all' while there are allowed services

3. In the web UI, on the same hbacrule property page, change "Service category the rule applies to" from "Specified Services and Groups" to "Any Service", then click Save. Now you can see all previously defined services and service groups are cleared out and the save is successful.

Actual results:
Described above.

Expected results:
"ipa hbacrule-mod <rulename> --servicecat='all'" should be able to clear all defined services or service groups automatically, just like what is being done in the web UI.

Additional info:

Comment 2 fbarreto 2018-03-05 21:45:29 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7428

Comment 5 Florence Blanc-Renaud 2018-10-17 07:57:32 UTC
Hi,

the behavior described in this BZ is not an issue but rather a design choice:
- when an admin uses the GUI to change servicecategory='all' for an HBAC rule, he can see *before modification* if the rule already contains services because they would be displayed in the "Services" table. This means he is fully aware of the current HBAC rule definition, and that selecting 'Any service' will erase the list of services.
- when the CLI is used, the admin may not realize that servicecategory='all' would erase a potentially long list of services. The decision was made to protect from unintentional deletion by adding the check and the error "ERROR: service category cannot be set to 'all' while there are allowed services".

Hence this BZ will be closed as NOTABUG.
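
Added example (not part of the bug report and not FreeIPA code): the explicit CLI sequence that matches the design choice described in Comment 5, where the admin names the services to drop before switching the category. The helper name `hbac_set_any_service` and its `svc=NAME` / `group=NAME` argument syntax are assumptions made for this illustration; `hbacrule-show`, `hbacrule-remove-service` and `hbacrule-mod` are the existing `ipa` subcommands.

```shell
#!/bin/sh
# Hypothetical helper (added example): switch an HBAC rule to "any service"
# from the CLI by first removing the allowed services the admin names.
# Usage: hbac_set_any_service RULE svc=NAME... group=NAME...
hbac_set_any_service() {
    rule=$1
    [ -n "$rule" ] && [ $# -ge 2 ] || {
        echo "usage: hbac_set_any_service RULE svc=NAME|group=NAME ..." >&2
        return 2
    }
    shift

    # Turn each named member into a repeated hbacrule-remove-service option.
    # The for-loop list is expanded once, so appending to "$@" here is safe;
    # the original arguments are dropped afterwards with shift.
    n=$#
    for member in "$@"; do
        case $member in
            svc=?*)   set -- "$@" "--hbacsvcs=${member#svc=}" ;;
            group=?*) set -- "$@" "--hbacsvcgroups=${member#group=}" ;;
            *) echo "unrecognised member: $member" >&2; return 2 ;;
        esac
    done
    shift "$n"

    # Print the current rule so the operator sees what is about to be removed,
    # which is the visibility the web UI gives before saving.
    ipa hbacrule-show "$rule" || return 1

    # Step 1: remove the named services and service groups from the rule.
    ipa hbacrule-remove-service "$rule" "$@" || return 1

    # Step 2: change the category. If allowed services were left on the rule,
    # this step fails with the error quoted in the report.
    ipa hbacrule-mod "$rule" --servicecat=all
}
```

Source the file in a shell with a valid Kerberos ticket for an IPA admin, then call, for example, `hbac_set_any_service myrule svc=sshd group=Sudo` (rule and member names here are constructed).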