Bug 1967325
| Summary: | API returns the misleading error "Insufficient Access" if run as non-admin | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Maria <mescanfe> |
| Component: | ipa | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | ||
| Version: | 8.3 | CC: | amore, antorres, frenaud, ksiddiqu, pcech, rcritten, ssidhaye, tscherf |
| Target Milestone: | beta | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-11-09 18:29:22 UTC | Type: | Bug |
The current code only does an existence check if the host value is not a fqdn, otherwise it effectively defers the check until later.

Deleting a host is a complex task. It also needs to delete any services associated with the host, search for and revoke any certificates for the services, or itself, update the DNS records, and finally delete the host. It is one of these sub-tasks that is failing and raising the ACI error.

In this case though the host simply isn't there so this can probably be short-circuited in the pre_callback. I don't think there would be any side-effects to doing so and could actually save in computing time even though in some cases the queried entry would be unused.

Upstream ticket:
https://pagure.io/freeipa/issue/8884

PR:
https://github.com/freeipa/freeipa/pull/5838

Fixed upstream master:
https://pagure.io/freeipa/c/3a4939fa390667e964248bbc3ec4a050910ae6c8
https://pagure.io/freeipa/c/3e77d3132fe44cc2ec579b0e41f92d9a7a558d4c

Fixed upstream ipa-4-9:
https://pagure.io/freeipa/c/48370cb3e8fa928dcc51406a4a5e7dbe5bf8243f
https://pagure.io/freeipa/c/27a65a1a352b50304fa6765a535443993b445044

Test
(A) test-result.txt.gz
(1) xmlrpc test (TestCRUD::test_update_shortname)
============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-324.el8.x86_64-x86_64-with-redhat-8.5-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.11.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 2463 items / 12 deselected
test_xmlrpc/test_host_plugin.py::TestCRUD::test_update_shortname PASSED [ 45%]
(B) runner.log
2021-07-30T06:59:30+0000 TASK [List installed IPA packages version] *************************************
2021-07-30T06:59:30+0000 ok: [master.testrelm.test] => (item=ipa-server) =>
2021-07-30T06:59:30+0000 msg:
2021-07-30T06:59:30+0000 - arch: x86_64
2021-07-30T06:59:30+0000 epoch: null
2021-07-30T06:59:30+0000 name: ipa-server
2021-07-30T06:59:30+0000 release: 4.module+el8.5.0+11912+1b4496cf
2021-07-30T06:59:30+0000 source: rpm
2021-07-30T06:59:30+0000 version: 4.9.6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4230
Description of problem:

Given:
We have created a user in RedHat IDM "enrollment-user"
We have granted that user the Role "IT Specialist" which has the Privilege "Host Administrators"

When:
We authenticate as enrollment-user using RedHat IDM api with curl and send payload using the "host_del" api method to attempt to delete a host

Then:
We get an error "Insufficient access"

Full response -
{"result": null, "error": {"code": 2100, "message": "Insufficient access: ", "data": {"info": ""}, "name": "ACIError"}, "id": 0, "principal": "enrollment-user.COM", "version": "4.8.7"}

Problem:
If you try to host_del for a host that does not exist, the API returns the misleading error "Insufficient Access" if run as non-admin, but if you run as admin for a non-existing host, the correct response is returned indicating that host as "failed" to remove, example response:

{ "method": "host_del", "params": [ [ "system04.org.com" ], { "continue": true, "version": 2.235 } ], "id": 0 }

{"result": {"result": {"failed": ["system04.org.com"]}, "value": [], "summary": "Deleted host \"\""}, "error": null, "id": 0, "principal": "admin.COM", "version": "4.8.7"}

It seems like this is not an access problem, it's just an API response messaging problem.

So, from my API usage perspective, I'm able to do what I need to do using non-admin user, but I am unable to distinguish between access problems and invalid host problems. I will work around that for now by assuming any Insufficient Access error could also mean the host was already cleaned up.

Let me know if you want any more information, but at this point I'd say I would just suggest to the product team that the response messaging be improved in this case as a fix some time in the future.
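
Editor's added example (not part of the original report and not FreeIPA code): on versions without the fix, a client can disambiguate an ACIError from host_del by looking at the reply to a follow-up host_show for the same host, instead of treating every "Insufficient access" as "already cleaned up". The function name and the host_show sample replies are constructed, and it assumes the calling user is allowed to read host entries.

```python
# Added example: classify a host_del JSON-RPC reply. The first two samples mirror
# the responses quoted in the report; the host_show replies are constructed.
ACI_DENIED = {"result": None, "id": 0, "error": {
    "code": 2100, "message": "Insufficient access: ",
    "data": {"info": ""}, "name": "ACIError"}}
ADMIN_FAILED = {"error": None, "id": 0, "result": {
    "result": {"failed": ["system04.org.com"]}, "value": [],
    "summary": 'Deleted host ""'}}
SHOW_NOT_FOUND = {"result": None, "id": 0, "error": {  # constructed
    "code": 4001, "name": "NotFound",
    "message": "system04.org.com: host not found"}}
SHOW_FOUND = {"error": None, "id": 0, "result": {  # constructed
    "result": {"fqdn": ["system04.org.com"]}}}


def classify_host_del(host, del_reply, show_reply=None):
    """Return 'deleted', 'failed', 'absent', 'denied', 'ambiguous' or 'error:<name>'.

    show_reply is the reply to a follow-up host_show for the same host, made
    with the same credentials (assumes the caller may read host entries).
    """
    err = del_reply.get("error")
    if err is None:
        # With "continue": true, hosts that could not be removed are listed
        # under result.result.failed instead of raising an error.
        failed = del_reply["result"]["result"].get("failed", [])
        return "failed" if host in failed else "deleted"
    if err.get("name") != "ACIError":
        return "error:" + str(err.get("name"))
    # ACIError alone cannot be trusted on affected versions: it is also what a
    # non-admin caller gets for a host that does not exist.
    if show_reply is None:
        return "ambiguous"
    show_err = show_reply.get("error")
    if show_err is None:
        return "denied"      # host exists, so the ACI error is a real denial
    if show_err.get("name") == "NotFound":
        return "absent"      # host was already gone; nothing to delete
    return "ambiguous"       # host_show was itself refused or failed


if __name__ == "__main__":
    host = "system04.org.com"
    print(classify_host_del(host, ACI_DENIED))
    print(classify_host_del(host, ACI_DENIED, SHOW_NOT_FOUND))
    print(classify_host_del(host, ACI_DENIED, SHOW_FOUND))
    print(classify_host_del(host, ADMIN_FAILED))
```

Keeping "denied" separate from "absent" matters for automation: a real permission failure on an existing host should raise an alert rather than be silently counted as a completed cleanup.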