Bug 734706

Summary: ipa hbactest does not evaluate users from groups in an hbacrule.
Product: Red Hat Enterprise Linux 6 Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.2CC: benl, dpal, jgalipea, mkosek
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.1.2-1.el6 Doc Type: Bug Fix
Doc Text:
Do not document
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 18:30:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Gowrishankar Rajaiyan 2011-08-31 08:28:37 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.1.0-1.20110823T0253zgit3a9f626.el6.x86_64
ipa-admintools-2.1.0-1.20110823T0253zgit3a9f626.el6.x86_64
ipa-python-2.1.0-1.20110823T0253zgit3a9f626.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create a ipa user. 
2. Create an hbacrule with ipausers group.

[root@bumblebee ~]# ipa group-show ipausers
  Group name: ipausers
  Description: Default group for all users
  GID: 1798000001
  Member users: user1, user2

[root@bumblebee ~]# ipa hbacrule-show ssh --all
  dn: ipauniqueid=af2c57e6-cfed-11e0-8fa4-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: ssh
  Source host category: all
  Enabled: TRUE
  Groups: admins, ipausers
  Hosts: ironhide.lab.eng.pnq.redhat.com
  Services: sshd
  accessruletype: allow
  ipauniqueid: af2c57e6-cfed-11e0-8fa4-525400deab7b
  objectclass: ipaassociation, ipahbacrule
[root@bumblebee ~]# 

3. Execute the ipa hbactest to evaluate and check the access for user1 is true or false

4. [root@bumblebee ~]# ipa hbactest --user=user1 --srchost=all --host=ironhide.lab.eng.pnq.redhat.com --service=sshd

  
Actual results:

[root@bumblebee ~]# ipa hbactest --user=user1 --srchost=all --host=ironhide.lab.eng.pnq.redhat.com --service=sshd

Access granted: False
---------------------
  notmatched: rule1
  notmatched: ssh


Expected results:

Should be "True", since user1 belongs to ipausers.


Additional info:

Comment 1 Gowrishankar Rajaiyan 2011-08-31 08:31:50 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1740

Comment 3 Jenny Severance 2011-08-31 15:12:35 UTC
This is the biggest use case, users in a group are allowed access or not...

Comment 4 Rob Crittenden 2011-09-12 18:18:31 UTC
Fixed upstream:

master: 1bdb5d04fe14c92c57a4ef151be9c2eda7ca705f

ipa-2-1: 452863dcbaf1a82b0a879e3a2f3e58ffa1803c2f

Comment 7 Gowrishankar Rajaiyan 2011-10-08 13:26:06 UTC
[root@bumblebee ~]# ipa hbacrule-add-user rule2 
[member user]: 
[member group]: ipausers
  Rule name: rule2
  Enabled: TRUE
  User Groups: ipausers
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source Hosts: mudflap.lab.eng.pnq.redhat.com
  Services: vsftpd
  External host: external.lab.eng.pnq.redhat.com
-------------------------
Number of members added 1
-------------------------
[root@bumblebee ~]# ipa hbactest --user=shanks --srchost=external.lab.eng.pnq.redhat.com --host=bumblebee.lab.eng.pnq.redhat.com --service=vsftpd 
--------------------
Access granted: True
--------------------
  matched: rule2

Verified.
# rpm -qi ipa-server
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.2                             Vendor: Red Hat, Inc.
Release     : 2.el6                         Build Date: Fri 07 Oct 2011 05:09:04 PM EDT
Install Date: Sat 08 Oct 2011 07:36:33 AM EDT      Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.2-2.el6.src.rpm
Size        : 3363225                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

Comment 9 Martin Kosek 2011-11-01 13:26:03 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document

Comment 10 errata-xmlrpc 2011-12-06 18:30:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html