Bug 1822678

Summary: [ansible-freeipa] sudorule added while adding rule with hostcategory=all and a specific host at the same time.
Product: Red Hat Enterprise Linux 8
Reporter: Varun Mylaraiah <mvarun>
Component: ansible-freeipa
Assignee: Rafael Jeffman <rjeffman>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 8.2
CC: amore, ndehadra, rjeffman, twoerner
Target Milestone: rc
Flags: pm-rhel: mirror+
Target Release: 8.0
Hardware: x86_64
OS: Linux
Fixed In Version: ansible-freeipa-0.1.11-1
Last Closed: 2020-11-04 02:46:35 UTC
Type: Bug

Description Varun Mylaraiah 2020-04-09 15:32:18 UTC
Description of problem:
Sudo Module
sudorule added while adding rule with hostcategory=all and a specific host at the same time.

Version-Release number of selected component (if applicable):
ansible-freeipa-0.1.8-3.el8.noarch

Steps to Reproduce:
##On Server##
Actual results:
[root@master ~]# ipa sudorule-show Newsudo_rule
ipa: ERROR: Newsudo_rule: sudo rule not found

##On Controller##
[root@ansible ~]# cat sudoruleadd.yaml
---
- name: Playbook
  hosts: ipaserver
  become: true
 
  tasks:
  - name: Get Domain from the server name
    set_fact:
      ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}"
 
  - ipasudorule:
      ipaadmin_password: Secret.123
      name: Newsudo_rule
      description: sudo rule
      host: "{{ 'mytesthbachost2.' + ipaserver_domain }}"
      hostcategory: "all"

[root@ansible ~]# ansible-playbook -vv -i inventory/host.hosts sudoruleadd.yaml
ansible-playbook 2.9.6
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 3.6.8 (default, Dec  5 2019, 15:45:45) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
Using /etc/ansible/ansible.cfg as config file

PLAYBOOK: sudoruleadd.yaml **************************************************************************************************
1 plays in sudoruleadd.yaml

PLAY [Playbook] *************************************************************************************************************

TASK [Gathering Facts] ******************************************************************************************************
task path: /root/sudoruleadd.yaml:2
ok: [master.ipadomain.test]
META: ran handlers

TASK [Get Domain from server name] ******************************************************************************************
task path: /root/sudoruleadd.yaml:7
ok: [master.ipadomain.test] => {"ansible_facts": {"ipaserver_domain": "ipadomain.test"}, "changed": false}

TASK [ipasudorule] **********************************************************************************************************
task path: /root/sudoruleadd.yaml:11
fatal: [master.ipadomain.test]: FAILED! => {"changed": false, "msg": "sudorule_add_host: Newsudo_rule: hosts cannot be added when host category='all'"}

PLAY RECAP ******************************************************************************************************************
master.ipadomain.test      : ok=2    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0 

##On Server##
[root@master ~]# ipa sudorule-del Newsudo_rule
--------------------------------
Deleted Sudo Rule "Newsudo_rule"
--------------------------------
[root@master ~]# ipa sudorule-show Newsudo_rule
  Rule name: Newsudo_rule
  Description: sudo rule
  Enabled: TRUE
  Host category: all

Actual results:
SUDO rule added after the playbook failed.

Expected results:
Sudo rule should not be added if the following command fails.


Additional info:
Noticed the same behavior with the below variables
 - usercategory: 'all'
 - servicecategory: 'all'
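
The failure mode reported above (the rule is created, then the member call is rejected, leaving a rule with host category 'all' on the server) can be avoided by checking for the conflict before any server call. The following is an added example, not code from ansible-freeipa or the upstream PR; `FakeServer`, `ensure_rule`, `category_conflicts` and the member option names other than `host` are assumptions made for illustration.

```python
# Category option -> member options that cannot be combined with "all".
# The category names come from this report; member names other than
# "host" are assumptions.
CONFLICTS = {
    "hostcategory": ("host", "hostgroup"),
    "usercategory": ("user", "group"),
    "servicecategory": ("hbacsvc", "hbacsvcgroup"),
}

def category_conflicts(params):
    """Return one error per category='all' used with explicit members."""
    errors = []
    for category, members in CONFLICTS.items():
        if params.get(category) != "all":
            continue
        used = [m for m in members if params.get(m)]
        if used:
            errors.append("%s='all' cannot be combined with %s"
                          % (category, ", ".join(used)))
    return errors

class FakeServer:
    """Constructed stand-in for the IPA API; mimics the reported rejection."""
    def __init__(self):
        self.rules = {}
    def sudorule_add(self, name, hostcategory=None):
        self.rules[name] = {"hostcategory": hostcategory, "hosts": []}
    def sudorule_add_host(self, name, host):
        if self.rules[name]["hostcategory"] == "all":
            raise ValueError("hosts cannot be added when host category='all'")
        self.rules[name]["hosts"].append(host)

def ensure_rule(server, params, validate_first):
    """Create the rule, then add hosts; optionally validate before any call."""
    if validate_first:
        errors = category_conflicts(params)
        if errors:
            return {"failed": True, "msg": "; ".join(errors)}
    server.sudorule_add(params["name"], params.get("hostcategory"))
    try:
        for host in params.get("host", []):
            server.sudorule_add_host(params["name"], host)
    except ValueError as exc:
        return {"failed": True, "msg": str(exc)}
    return {"failed": False, "changed": True}

# Constructed input mirroring the playbook in this report.
PARAMS = {"name": "Newsudo_rule", "hostcategory": "all",
          "host": ["mytesthbachost2.ipadomain.test"]}
```

With `validate_first=False` the task fails but the rule stays behind on the fake server; with `validate_first=True` it fails before anything is created.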

Comment 1 Rafael Jeffman 2020-05-29 18:32:32 UTC
There is an upstream PR for this issue: https://github.com/freeipa/ansible-freeipa/pull/287

Comment 3 Thomas Woerner 2020-06-11 15:04:57 UTC
The upstream PR has been merged.

Comment 6 anuja 2020-07-27 09:45:51 UTC
Verified Using: 
Test from downstream ansible-freeipa-tests/ansible_freeipa_tests/sudo_module.py::Testsudorulecategoryall::()::test_add_sudorule_with_category_all
Using version: 
ansible-freeipa-0.1.12-5.el8.noarch
ipa-server-common-4.8.7-7.module+el8.3.0+7376+c83e4fcd.noarch

2020-07-27T08:02:03+0000 ----------- generated xml file: /home/jenkins/tews/trigger/junit.xml -----------
2020-07-27T08:02:03+0000 ------ generated html file: file:///home/jenkins/tews/trigger/report.html ------
2020-07-27T08:02:03+0000 ========================= 36 passed in 757.14 seconds ==========================
2020-07-27T08:02:03+0000 RETURN CODE: 0
2020-07-27T08:02:03+0000 UPSTREAM TESTS STEP END: ansible_freeipa_tests/sudo_module.py

Based on this, marking bz as verified.

Comment 10 errata-xmlrpc 2020-11-04 02:46:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ansible-freeipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4663