Bug 723233
Summary: | HBAC rule :: invalid error message now that deny rule is deprecated and help needs update | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Jenny Severance <jgalipea> |
Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
Severity: | unspecified | Docs Contact: | |
Priority: | medium | ||
Version: | 6.1 | CC: | benl, dpal, grajaiya |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ipa-2.1.0-1.el6 | Doc Type: | Bug Fix |
Doc Text: |
Cause: Trying to create a rule with an invalid type will return an error that only allow and deny are accepted as types. But deny rules are not allowed.
Consequence: User may be confused that there is a type option but only one type allowed.
Fix: The deny type was deprecated because the sssd determined that properly enforcing the deny type was extremely difficult and dependent on how other libraries present host information.
Result: The option is still listed because of API backwards compatibility reasons. HBAC deny rules are deprecated.
|
Last Closed: | 2011-12-06 18:41:25 UTC | Type: | --- |
Description
Jenny Severance
2011-07-19 13:28:43 UTC
You are allowed to provide deny because of legacy reasons but it will be rejected by the server if submitted.

# ipa hbacrule-add --type=deny test
ipa: ERROR: invalid 'type': The deny type has been deprecated.

The documentation is automatically generated from the available enumerators so I can't remove it from that.

Note: This removes the --type option altogether.

master: 506cbaa1fb24c9c5afd091582de0af1c44cc33ea
ipa-2-0: e5bbc02a933f304c4d6781430f1a9e4d3dad88c2

There is still a problem with --setattr --addattr for this attribute ...

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-hbacrule-cli-014: Negative - setattr and addattr accessRuleType
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [10:54:49] :: Executing: ipa hbacrule-mod --setattr accessruletype=bad test
ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
:: [10:54:51] :: "ipa hbacrule-mod --setattr accessruletype=bad test" failed as expected.
:: [10:54:52] :: ERROR: Message not as expected.
GOT: ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
EXP: ipa: ERROR: invalid 'type': must be one of (u'allow')
:: [ FAIL ] :: Verify expected error message for --setattr. (Expected 0, got 1)
:: [10:54:52] :: Executing: ipa hbacrule-mod --addattr accessruletype=bad test
ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
:: [10:54:54] :: "ipa hbacrule-mod --addattr accessruletype=bad test" failed as expected.
:: [10:54:56] :: ERROR: Message not as expected.
GOT: ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
EXP: ipa: ERROR: invalid 'type': must be one of (u'allow')
:: [ FAIL ] :: Verify expected error message for --addattr. (Expected 0, got 1)
:: [10:54:56] :: Executing: ipa hbacrule-mod --addattr accessruletype=allow test
ipa: ERROR: accessruletype: Only one value allowed.
:: [10:54:58] :: "ipa hbacrule-mod --addattr accessruletype=allow test" failed as expected.
:: [10:54:59] :: Error message as expected: ipa: ERROR: accessruletype: Only one value allowed.
:: [ PASS ] :: Verify expected error message for --addattr.

Maybe, make the accessruletype attribute not allowed to set or add?

deny needs to remain as an allowed type so you can search on existing values. Attempting to create a deny rule results in a reasonable error message. Using setattr is an advanced option so deeper understanding of the allowed attributes and their values is expected.

okay, understood!

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: Trying to create a rule with an invalid type will return an error that only allow and deny are accepted as types. But deny rules are not allowed.
Consequence: User may be confused that there is a type option but only one type allowed.
Fix: The deny type was deprecated because the sssd determined that properly enforcing the deny type was extremely difficult and dependent on how other libraries present host information.
Result: The option is still listed because of API backwards compatibility reasons. HBAC deny rules are deprecated.

[root@qe-blade-12 ~]# ipa help hbacrule-add
Purpose: Create a new HBAC rule.
Usage: ipa [global-options] hbacrule-add NAME [options]

Options:
  -h, --help            show this help message and exit
  --usercat=['all']     User category the rule applies to
  --hostcat=['all']     Host category the rule applies to
  --srchostcat=['all']  Source host category the rule applies to
  --servicecat=['all']  Service category the rule applies to
  --desc=STR            Description
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  --setattr=STR         Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  --all                 Retrieve and print all attributes from the server. Affects command output.
  --raw                 Print entries as stored on the server. Only affects output format.
[root@qe-blade-12 ~]#

No more "--type" as an option.

[root@qe-blade-12 ~]# ipa hbacrule-add --type=deny test
Usage: ipa [global-options] hbacrule-add NAME [options]

ipa: error: no such option: --type

----------------------------------

Verified in version:

Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                        Vendor: Red Hat, Inc.
Release     : 8.el6                        Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST    Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base      Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                      License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
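
The thread above notes that deny stays an accepted value for accessruletype so that existing rules can still be searched. The following is an added example, not part of the bug report or of FreeIPA's code, that lists rules still carrying that value from saved `ipa hbacrule-find --all --raw` output. The output layout, the rule names and the DNs in the sample are constructed assumptions.

```python
import re

# Constructed sample of `ipa hbacrule-find --all --raw` output (layout assumed).
SAMPLE = """\
--------------------
3 HBAC rules matched
--------------------
  dn: ipauniqueid=constructed-0001,cn=hbac,dc=example,dc=com
  cn: allow_all
  accessruletype: allow

  dn: ipauniqueid=constructed-0002,cn=hbac,dc=example,dc=com
  cn: legacy_block
  accessRuleType: deny

  dn: ipauniqueid=constructed-0003,cn=hbac,dc=example,dc=com
  cn: truncated_entry
"""

ATTR = re.compile(r"^\s*([A-Za-z][\w;-]*):\s*(.*)$")

def parse_entries(text):
    """Split the output into entries: {lower-cased attribute: [values]}."""
    entries, current = [], {}
    for line in text.splitlines():
        m = ATTR.match(line)
        name = m.group(1).lower() if m else None
        if (name is None or name == "dn") and current:
            entries.append(current)  # blank line, banner or next dn ends an entry
            current = {}
        if name:
            current.setdefault(name, []).append(m.group(2).strip())
    if current:
        entries.append(current)
    return entries

def audit(text):
    """Return (rule name, reason) for every rule whose type is not exactly 'allow'."""
    findings = []
    for entry in parse_entries(text):
        rule = entry.get("cn", ["<unnamed>"])[0]
        types = [v.lower() for v in entry.get("accessruletype", [])]
        if types == ["allow"]:
            continue
        if "deny" in types:
            reason = "deprecated deny rule"
        elif not types:
            reason = "no accessruletype in output"  # e.g. --all was not used
        else:
            reason = "unexpected accessruletype"
        findings.append((rule, reason))
    return findings
```
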