Bug 1690024
Summary: | ipa role-mod DatabaseError changing cn [ZStream Clone] | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Oneata Mircea Teodor <toneata> |
Component: | 389-ds-base | Assignee: | mreynolds |
Status: | CLOSED ERRATA | QA Contact: | RHDS QE <ds-qe-bugs> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 8.0 | CC: | dpal, ds-qe-bugs, lkrispen, mhonek, mkosek, mreynolds, nkinder, nsoman, pvoborni, rcritten, rmeggins, snagar, spichugi, spoore, ssidhaye, tbordaz, toneata, tscherf, vashirov |
Target Milestone: | rc | Keywords: | TestBlocker, ZStream |
Target Release: | 8.0 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | 389-ds-base-1.4.0.20-10.module+el8.0.0+3096+101825d5 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | 1678517 | Environment: | |
Last Closed: | 2019-05-07 04:17:53 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1678517, 1683259 | | |
Bug Blocks: | | | |

Comment 5
Sumedh Sidhaye
2019-04-10 08:06:39 UTC
Build used for verification:
[root@yttrium ~]# rpm -qa 389-ds-base
389-ds-base-1.4.0.20-9.module+el8.0.0+2995+a5112768.x86_64
[root@yttrium ~]# rpm -qa ipa-server
ipa-server-4.7.1-11.module+el8+2842+7481110c.x86_64

Steps used for verification:
1. install ipa server
2. setup rbac rules like this:
ipa user-add --first=user --last=one userA
ipa group-add groupA
ipa group-add-member groupA --users=userA
ipa permission-add permA --right=write --targetgroup=groupA --attr=description
ipa privilege-add privA --desc=privA
ipa privilege-add-permission privA --permission=permA
ipa role-add roleA --desc=roleA
ipa role-add-privilege roleA --privileges=privA
ipa role-add-member roleA --users=userA --all
ipa permission-mod permA --attrs=description --attrs=member
ipa --debug role-mod roleA --setattr='cn=roleAb' --all

[root@yttrium ~]# ipa user-add --first=user --last=one userA
------------------
Added user "usera"
------------------
  User login: usera
  First name: user
  Last name: one
  Full name: user one
  Display name: user one
  Initials: uo
  Home directory: /home/usera
  GECOS: user one
  Login shell: /bin/sh
  Principal name: usera
  Principal alias: usera
  Email address: usera
  UID: 925000001
  GID: 925000001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@yttrium ~]# ipa group-add groupA
--------------------
Added group "groupa"
--------------------
  Group name: groupa
  GID: 925000003
[root@yttrium ~]# ipa group-add-member groupA --users=userA
  Group name: groupa
  GID: 925000003
  Member users: usera
-------------------------
Number of members added 1
-------------------------
[root@yttrium ~]# ipa permission-add permA --right=write --targetgroup=groupA --attr=description
------------------------
Added permission "permA"
------------------------
  Permission name: permA
  Granted rights: write
  Effective attributes: description
  Bind rule type: permission
  Subtree: dc=testrelm,dc=test
  Target DN: cn=groupa,cn=groups,cn=accounts,dc=testrelm,dc=test
  Target group: groupa
  Permission flags: SYSTEM, V2
[root@yttrium ~]# ipa privilege-add privA --desc=privA
-----------------------
Added privilege "privA"
-----------------------
  Privilege name: privA
  Description: privA
[root@yttrium ~]# ipa privilege-add-permission privA --permission=permA
  Privilege name: privA
  Description: privA
  Permissions: permA
-----------------------------
Number of permissions added 1
-----------------------------
[root@yttrium ~]# ipa role-add roleA --desc=roleA
------------------
Added role "roleA"
------------------
  Role name: roleA
  Description: roleA
[root@yttrium ~]# ipa role-add-privilege roleA --privileges=privA
  Role name: roleA
  Description: roleA
  Privileges: privA
----------------------------
Number of privileges added 1
----------------------------
[root@yttrium ~]# ipa role-add-member roleA --users=userA --all
  dn: cn=roleA,cn=roles,cn=accounts,dc=testrelm,dc=test
  Role name: roleA
  Description: roleA
  Member users: usera
  Privileges: privA
  objectclass: groupofnames, nestedgroup, top
-------------------------
Number of members added 1
-------------------------
[root@yttrium ~]# ipa permission-mod permA --attrs=description --attrs=member
---------------------------
Modified permission "permA"
---------------------------
  Permission name: permA
  Granted rights: write
  Effective attributes: description, member
  Bind rule type: permission
  Subtree: dc=testrelm,dc=test
  Target DN: cn=groupa,cn=groups,cn=accounts,dc=testrelm,dc=test
  Target group: groupa
  Permission flags: SYSTEM, V2
  Granted to Privilege: privA
  Indirect Member of roles: roleA
[root@yttrium ~]# ipa --debug role-mod roleA --setattr='cn=roleAb' --all
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$6c90a617...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$6c90a617.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin', cookie: 'ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc;'
ipa: DEBUG: trying https://yttrium.idmqe.lab.eng.bos.redhat.com/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_140006886972272
ipa: DEBUG: raw: role_mod('roleA', setattr='cn=roleAb', all=True, version='2.230')
ipa: DEBUG: role_mod('roleA', setattr=('cn=roleAb',), all=True, version='2.230')
ipa: DEBUG: [try 1]: Forwarding 'role_mod/1' to json server 'https://yttrium.idmqe.lab.eng.bos.redhat.com/ipa/session/json'
ipa: DEBUG: New HTTP connection (yttrium.idmqe.lab.eng.bos.redhat.com)
ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc;' for principal admin
ipa: DEBUG: Destroyed connection context.rpcclient_140006886972272
---------------------
Modified role "roleA"
---------------------
  dn: cn=roleAb,cn=roles,cn=accounts,dc=testrelm,dc=test
  Role name: roleAb
  Description: roleA
  Member users: usera
  Privileges: privA
  objectclass: groupofnames, nestedgroup, top
[root@yttrium ~]#

Also
tried the ipa privilege-mod 'HBAC Administrator' --rename 'hbacadmins' command

[root@yttrium ~]# ipa --debug privilege-mod 'HBAC Administrator' --rename 'hbacadmins'
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$6c90a617...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$6c90a617.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin', cookie: 'ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc;'
ipa: DEBUG: trying https://yttrium.idmqe.lab.eng.bos.redhat.com/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_140400883836296
ipa: DEBUG: raw: privilege_mod('HBAC Administrator', rename='hbacadmins', version='2.230')
ipa: DEBUG: privilege_mod('HBAC Administrator', rename='hbacadmins', version='2.230')
ipa: DEBUG: [try 1]: Forwarding 'privilege_mod/1' to json server 'https://yttrium.idmqe.lab.eng.bos.redhat.com/ipa/session/json'
ipa: DEBUG: New HTTP connection (yttrium.idmqe.lab.eng.bos.redhat.com)
ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc;' for principal admin
ipa: DEBUG: Destroyed connection context.rpcclient_140400883836296
---------------------------------------
Modified privilege "HBAC Administrator"
---------------------------------------
  Privilege name: hbacadmins
  Description: HBAC Administrator
  Permissions: System: Add HBAC Rule, System: Delete HBAC Rule, System: Manage HBAC Rule Membership, System: Modify HBAC Rule, System: Add HBAC Services, System: Delete HBAC Services, System: Add HBAC Service Groups, System: Delete HBAC Service Groups, System: Manage HBAC Service Group Membership
  Granting privilege to roles: IT Security Specialist
[root@yttrium ~]#

Note: Automated regression will be executed later

Build used for verification:
[root@vm-idm-026 ~]# rpm -qa 389-ds-base; rpm -qa ipa-server
389-ds-base-1.4.0.20-10.module+el8.0.0+3096+101825d5.x86_64
ipa-server-4.7.1-11.module+el8+2842+7481110c.x86_64
[root@vm-idm-026 ~]#

Steps used for verification:
1. install ipa server
2. setup rbac rules like this:
ipa user-add --first=user --last=one userA
ipa group-add groupA
ipa group-add-member groupA --users=userA
ipa permission-add permA --right=write --targetgroup=groupA --attr=description
ipa privilege-add privA --desc=privA
ipa privilege-add-permission privA --permission=permA
ipa role-add roleA --desc=roleA
ipa role-add-privilege roleA --privileges=privA
ipa role-add-member roleA --users=userA --all
ipa permission-mod permA --attrs=description --attrs=member
ipa --debug role-mod roleA --setattr='cn=roleAb' --all

[root@vm-idm-026 ~]# ./test_bz_1690024.sh
------------------
Added user "usera"
------------------
  User login: usera
  First name: user
  Last name: one
  Full name: user one
  Display name: user one
  Initials: uo
  Home directory: /home/usera
  GECOS: user one
  Login shell: /bin/sh
  Principal name: usera
  Principal alias: usera
  Email address: usera
  UID: 1255800001
  GID: 1255800001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
--------------------
Added group "groupa"
--------------------
  Group name: groupa
  GID: 1255800003
  Group name: groupa
  GID: 1255800003
  Member users: usera
-------------------------
Number of members added 1
-------------------------
------------------------
Added permission "permA"
------------------------
  Permission name: permA
  Granted rights: write
  Effective attributes: description
  Bind rule type: permission
  Subtree: dc=testrelm,dc=test
  Target DN: cn=groupa,cn=groups,cn=accounts,dc=testrelm,dc=test
  Target group: groupa
  Permission flags: SYSTEM, V2
-----------------------
Added privilege "privA"
-----------------------
  Privilege name: privA
  Description: privA
  Privilege name: privA
  Description: privA
  Permissions: permA
-----------------------------
Number of permissions added 1
-----------------------------
------------------
Added role "roleA"
------------------
  Role name: roleA
  Description: roleA
  Role name: roleA
  Description: roleA
  Privileges: privA
----------------------------
Number of privileges added 1
----------------------------
  dn: cn=roleA,cn=roles,cn=accounts,dc=testrelm,dc=test
  Role name: roleA
  Description: roleA
  Member users: usera
  Privileges: privA
  objectclass: groupofnames, nestedgroup, top
-------------------------
Number of members added 1
-------------------------
---------------------------
Modified permission "permA"
---------------------------
  Permission name: permA
  Granted rights: write
  Effective attributes: description, member
  Bind rule type: permission
  Subtree: dc=testrelm,dc=test
  Target DN: cn=groupa,cn=groups,cn=accounts,dc=testrelm,dc=test
  Target group: groupa
  Permission flags: SYSTEM, V2
  Granted to Privilege: privA
  Indirect Member of roles: roleA
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$9af13900...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$9af13900.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin', cookie: 'ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO;'
ipa: DEBUG: trying https://vm-idm-026.lab.eng.pnq.redhat.com/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_139709427301288
ipa: DEBUG: raw: role_mod('roleA', setattr='cn=roleAb', all=True, version='2.230')
ipa: DEBUG: role_mod('roleA', setattr=('cn=roleAb',), all=True, version='2.230')
ipa: DEBUG: [try 1]: Forwarding 'role_mod/1' to json server 'https://vm-idm-026.lab.eng.pnq.redhat.com/ipa/session/json'
ipa: DEBUG: New HTTP connection (vm-idm-026.lab.eng.pnq.redhat.com)
ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO;' for principal admin
ipa: DEBUG: Destroyed connection context.rpcclient_139709427301288
---------------------
Modified role "roleA"
---------------------
  dn: cn=roleAb,cn=roles,cn=accounts,dc=testrelm,dc=test
  Role name: roleAb
  Description: roleA
  Member users: usera
  Privileges: privA
  objectclass: groupofnames, nestedgroup, top
[root@vm-idm-026 ~]# ipa --debug privilege-mod 'HBAC Administrator' --rename 'hbacadmins'
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$9af13900...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$9af13900.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin', cookie: 'ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO;'
ipa: DEBUG: trying https://vm-idm-026.lab.eng.pnq.redhat.com/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_139933000615360
ipa: DEBUG: raw: privilege_mod('HBAC Administrator', rename='hbacadmins', version='2.230')
ipa: DEBUG: privilege_mod('HBAC Administrator', rename='hbacadmins', version='2.230')
ipa: DEBUG: [try 1]: Forwarding 'privilege_mod/1' to json server 'https://vm-idm-026.lab.eng.pnq.redhat.com/ipa/session/json'
ipa: DEBUG: New HTTP connection (vm-idm-026.lab.eng.pnq.redhat.com)
ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO;' for principal admin
ipa: DEBUG: Destroyed connection context.rpcclient_139933000615360
---------------------------------------
Modified privilege "HBAC Administrator"
---------------------------------------
  Privilege name: hbacadmins
  Description: HBAC Administrator
  Permissions: System: Add HBAC Rule, System: Delete HBAC Rule, System: Manage HBAC Rule Membership, System: Modify HBAC Rule, System: Add HBAC Services, System: Delete HBAC Services, System: Add HBAC Service Groups, System: Delete HBAC Service Groups, System: Manage HBAC Service Group Membership
  Granting privilege to roles: IT Security Specialist
[root@vm-idm-026 ~]#

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0965