Bug 672292

Summary: role-mod should not change membership
Product: [Retired] freeIPA
Reporter: Yi Zhang <yzhang>
Component: ipa-server
Assignee: Rob Crittenden <rcritten>
Status: CLOSED NOTABUG
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: unspecified
Version: 2.0
CC: benl, dpal, jgalipea
Doc Type: Bug Fix
Last Closed: 2011-01-24 19:49:49 UTC

Description Yi Zhang 2011-01-24 18:17:56 UTC
Description of problem:
I haven't found any doc to regulate this, but based on my experiments with the privilege command set, role-mod should not be allowed to do any membership-related operation.

As a comparison, we use "privilege-add-permission" and "privilege-remove-permission" to do membership modification. By the same token, we should use "role-add-member" and "role-remove-member" to do similar work.

Current build allows it. My test is below:
 
[step one] before test:

[yi@dhcp-137 ipa-delegation]$ ipa role-find --all --raw
---------------
7 roles matched
---------------
...

  dn: cn=testrole003,cn=roles,cn=accounts,dc=sjc,dc=redhat,dc=com
  cn: testrole003
  description: fromaddattr
  objectclass: groupofnames
  objectclass: nestedgroup
  objectclass: top

...

[step two] use addattr to add group under role (this should fail but succeeds)
[yi@dhcp-137 ipa-delegation]$ ipa role-mod testrole003 --addattr=member=cn=group9724,cn=groups,cn=accounts,dc=sjc,dc=redhat,dc=com
---------------------------
Modified role "testrole003"
---------------------------
  Role name: testrole003
  Description: fromaddattr
  Member groups: group9724
[yi@dhcp-137 ipa-delegation]$ ipa role-find testrole003
--------------
1 role matched
--------------
  Role name: testrole003
  Description: fromaddattr
  Member groups: group9724
----------------------------
Number of entries returned 1
----------------------------
[yi@dhcp-137 ipa-delegation]$ ipa role-find testrole003 --raw --all
--------------
1 role matched
--------------
  dn: cn=testrole003,cn=roles,cn=accounts,dc=sjc,dc=redhat,dc=com
  cn: testrole003
  description: fromaddattr
  member: cn=group9724,cn=groups,cn=accounts,dc=sjc,dc=redhat,dc=com
  memberindirect: uid=testuser21066,cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com
  memberindirect: uid=testuser12077,cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com
  memberindirect: uid=testuser28632,cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com
  objectclass: groupofnames
  objectclass: nestedgroup
  objectclass: top
----------------------------
Number of entries returned 1
----------------------------

Version-Release number of selected component (if applicable): ipa-server-2.0-0.2011011115gitc778919.fc14.i686


How reproducible: always


Additional info:

Comment 1 Yi Zhang 2011-01-24 19:49:49 UTC
Got reply from Dmitri:
"See the doc I sent earlier today. I think this is intentional as it his
the internal relationships between objects.
Please close the bug."