Bug 723233
| Summary: | HBAC rule :: invalid error message now that deny rule is deprecated and help needs update | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jenny Severance <jgalipea> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.1 | CC: | benl, dpal, grajaiya |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-2.1.0-1.el6 | Doc Type: | Bug Fix |
| Doc Text: | Cause: Trying to create a rule with an invalid type will return an error that only allow and deny are accepted as types. But deny rules are not allowed.<br>Consequence: User may be confused that there is a type option but only one type allowed.<br>Fix: The deny type was deprecated because the sssd determined that properly enforcing the deny type was extremely difficult and dependent on how other libraries present host information.<br>Result: The option is still listed because of API backwards compatibility reasons. HBAC deny rules are deprecated. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-06 18:41:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
You are allowed to provide deny because of legacy reasons but it will be rejected by the server if submitted.

```
# ipa hbacrule-add --type=deny test
ipa: ERROR: invalid 'type': The deny type has been deprecated.
```

The documentation is automatically generated from the available enumerators so I can't remove it from that.

Note: This removes the --type option altogether.

master: 506cbaa1fb24c9c5afd091582de0af1c44cc33ea
ipa-2-0: e5bbc02a933f304c4d6781430f1a9e4d3dad88c2

There is still a problem with --setattr --addattr for this attribute ...

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-hbacrule-cli-014: Negative - setattr and addattr accessRuleType
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [10:54:49] :: Executing: ipa hbacrule-mod --setattr accessruletype=bad test
ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
:: [10:54:51] :: "ipa hbacrule-mod --setattr accessruletype=bad test" failed as expected.
:: [10:54:52] :: ERROR: Message not as expected.
GOT: ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
EXP: ipa: ERROR: invalid 'type': must be one of (u'allow')
:: [ FAIL ] :: Verify expected error message for --setattr. (Expected 0, got 1)
:: [10:54:52] :: Executing: ipa hbacrule-mod --addattr accessruletype=bad test
ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
:: [10:54:54] :: "ipa hbacrule-mod --addattr accessruletype=bad test" failed as expected.
:: [10:54:56] :: ERROR: Message not as expected.
GOT: ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
EXP: ipa: ERROR: invalid 'type': must be one of (u'allow')
:: [ FAIL ] :: Verify expected error message for --addattr. (Expected 0, got 1)
:: [10:54:56] :: Executing: ipa hbacrule-mod --addattr accessruletype=allow test
ipa: ERROR: accessruletype: Only one value allowed.
:: [10:54:58] :: "ipa hbacrule-mod --addattr accessruletype=allow test" failed as expected.
:: [10:54:59] :: Error message as expected: ipa: ERROR: accessruletype: Only one value allowed.
:: [ PASS ] :: Verify expected error message for --addattr.
```

Maybe, make the accessruletype attribute not allowed to set or add?

deny needs to remain as an allowed type so you can search on existing values. Attempting to create a deny rule results in a reasonable error message. Using setattr is an advanced option so deeper understanding of the allowed attributes and their values is expected.

okay, understood!
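An added illustrative model, not FreeIPA's own code, of the behaviour the comments above settle on: the enumerator keeps deny so a find can still match legacy rules, every write path (the add command and --setattr/--addattr on mod alike) refuses it, and accessruletype stays single-valued. The function names, the in-memory rule store and the legacy sample rules are constructed for this example; the error texts mirror the ones in the log.

```python
# Added illustrative model, not FreeIPA's code: 'deny' stays in the enumerator
# (API compatibility, searching legacy rules) but every write path refuses it.
ACCESS_RULE_TYPES = ("allow", "deny")          # enumerator kept for backwards compatibility
DEPRECATED_TYPES = frozenset({"deny"})
SINGLE_VALUED = frozenset({"accessruletype"})  # the log above shows "Only one value allowed"
LEGACY_RULES = {"allow_all": {"accessruletype": ["allow"]},      # constructed sample store:
                "old_deny_rule": {"accessruletype": ["deny"]}}   # a rule from before deprecation

class ValidationError(ValueError):
    """Stands in for the CLI's 'ipa: ERROR: ...' reporting."""

def validate_accessruletype(value, for_write):
    """Enum check (all the --setattr path had) plus the deprecation check."""
    if value not in ACCESS_RULE_TYPES:
        raise ValidationError("invalid 'type': must be one of ('allow', 'deny')")
    if for_write and value in DEPRECATED_TYPES:
        raise ValidationError("invalid 'type': The deny type has been deprecated.")
    return value

def hbacrule_add(rules, name, rule_type="allow"):
    """hbacrule-add: a new rule can only be of type allow."""
    validate_accessruletype(rule_type, for_write=True)
    rules[name] = {"accessruletype": [rule_type]}
    return rules[name]

def hbacrule_mod(rules, name, setattr=None, addattr=None):
    """hbacrule-mod: --setattr/--addattr get the same check --type had."""
    entry = rules[name]
    for raw, replace in ((setattr, True), (addattr, False)):
        if raw is None:
            continue
        attr, _, value = raw.partition("=")
        attr = attr.lower()
        if attr == "accessruletype":
            validate_accessruletype(value, for_write=True)
        if not replace and attr in SINGLE_VALUED and entry.get(attr):
            raise ValidationError("%s: Only one value allowed." % attr)
        entry[attr] = [value] if replace else entry.get(attr, []) + [value]
    return entry

def hbacrule_find(rules, rule_type):
    """hbacrule-find may still filter on deny so legacy rules can be located."""
    validate_accessruletype(rule_type, for_write=False)
    return sorted(n for n, e in rules.items() if e["accessruletype"] == [rule_type])

def error_message(command, *args, **kwargs):
    """Run a command; return its error text, or None when it succeeds."""
    try:
        command(*args, **kwargs)
    except ValidationError as err:
        return str(err)
    return None
```

Running hbacrule_find(LEGACY_RULES, "deny") is the audit step an administrator wants after the upgrade: any rule it returns is a deny rule the server no longer reliably enforces and should be replaced by allow rules.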
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Cause: Trying to create a rule with an invalid type will return an error that only allow and deny are accepted as types. But deny rules are not allowed.
Consequence: User may be confused that there is a type option but only one type allowed.
Fix: The deny type was deprecated because the sssd determined that properly enforcing the deny type was extremely difficult and dependent on how other libraries present host information.
Result: The option is still listed because of API backwards compatibility reasons. HBAC deny rules are deprecated.
```
[root@qe-blade-12 ~]# ipa help hbacrule-add
Purpose: Create a new HBAC rule.
Usage: ipa [global-options] hbacrule-add NAME [options]

Options:
  -h, --help            show this help message and exit
  --usercat=['all']     User category the rule applies to
  --hostcat=['all']     Host category the rule applies to
  --srchostcat=['all']  Source host category the rule applies to
  --servicecat=['all']  Service category the rule applies to
  --desc=STR            Description
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The
                        attribute must be part of the schema.
  --setattr=STR         Set an attribute to a name/value pair. Format is
                        attr=value. For multi-valued attributes, the command
                        replaces the values already present.
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
  --raw                 Print entries as stored on the server. Only affects
                        output format.
[root@qe-blade-12 ~]#
```

No more "--type" option.

```
[root@qe-blade-12 ~]# ipa hbacrule-add --type=deny test
Usage: ipa [global-options] hbacrule-add NAME [options]

ipa: error: no such option: --type
```
----------------------------------
Verified in version:

```
Name        : ipa-server                     Relocations: (not relocatable)
Version     : 2.1.3                          Vendor: Red Hat, Inc.
Release     : 8.el6                          Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST   Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base        Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                        License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html
Description of problem:

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-hbacrule-cli-002: Rule Type Required - unknown type
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [09:18:33] :: Executing: ipa hbacrule-add --type=bad test
ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
:: [09:18:34] :: "ipa hbacrule-add --type=bad test" failed as expected.
:: [09:18:35] :: Error message as expected: ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
:: [ PASS ] :: Verify expected error message for Unknown Rule Type
```

The error message still says that "deny" is valid.

help output:

```
# ipa help hbacrule-add
Purpose: Create a new HBAC rule.
Usage: ipa [global-options] hbacrule-add NAME [options]

Options:
  -h, --help            show this help message and exit
  --type=STRENUM        Rule type (allow or deny)   <============================
  --usercat=STRENUM     User category the rule applies to
  --hostcat=STRENUM     Host category the rule applies to
  --srchostcat=STRENUM  Source host category the rule applies to
  --servicecat=STRENUM  Service category the rule applies to
  --desc=STR            Description
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The
                        attribute must be part of the schema.
  --setattr=STR         Set an attribute to a name/value pair. Format is
                        attr=value. For multi-valued attributes, the command
                        replaces the values already present.
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
  --raw                 Print entries as stored on the server. Only affects
                        output format.
```

If there is only one type - do we need --type at all ????????

Version-Release number of selected component (if applicable):
ipa-server-2.0.99-3.20110715T0514zgit4bd85ce.el6.x86_64

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info: