Bug 746056

Summary: [ipa webui] Unable to add external user for RunAs User for Sudo rules
Product: Red Hat Enterprise Linux 6
Reporter: Namita Soman <nsoman>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: medium
Priority: high
Version: 6.1
CC: jgalipea, mkosek, syeghiay
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-2.1.3-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: The IPA Web UI does not allow adding an external user (i.e. a user that is not managed by IPA) as a sudo command RunAs user.
Consequence: An external RunAs user can be added to the sudo command via the CLI only.
Fix: The As Whom section dialog box used for adding RunAs users has been fixed and a text field for adding an external user has been added.
Result: A sudo command RunAs user can now be added via both the Web UI and the CLI.
Last Closed: 2011-12-06 18:42:57 UTC
Bug Blocks: 748554
Attachments: As Whom in sudo Rule (flags: none)

Description Namita Soman 2011-10-13 18:41:54 UTC
Description of problem:
There is no way to add root or any external user as a RunAs User for a Sudo Rule.

Use case: Add a Sudo Command to see httpd error logs. Then add a rule to run this command. Want to assign only root to be able to run the command and check the logs, but unable to add root as external RunAs user for this rule.

Version-Release number of selected component (if applicable):
ipa-server-2.1.2-2.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add a sudo command - cat /var/log/httpd/error_log
2. Add a sudo rule, allow the command added above
3. Add root in As whom section - for RunAs.
  
Actual results:
There is no way to add an external user

Expected results:
It should be possible to set up root or an external user to run this command

Additional info:

Comment 2 Rob Crittenden 2011-10-14 04:34:05 UTC
I don't understand why you are looking at the error_log. Is the command failing? If so can you attach the log?

Comment 3 Namita Soman 2011-10-14 12:23:01 UTC
No...that is just an example sudo command...could be any other command.

Comment 4 Namita Soman 2011-10-14 13:39:53 UTC
# ipa sudocmd-add "/bin/mkdir"
-------------------------------
Added Sudo Command "/bin/mkdir"
-------------------------------
  Sudo Command: /bin/mkdir


# ipa sudorule-add mkdir_root 
----------------------------
Added Sudo Rule "mkdir_root"
----------------------------
  Rule name: mkdir_root
  Enabled: TRUE



# ipa sudorule-add-allow-command mkdir_root
[member sudo command]: /bin/mkdir
[member sudo command group]: 
  Rule name: mkdir_root
  Enabled: TRUE
  Sudo Allow Commands: /bin/mkdir
-------------------------
Number of members added 1


Note: User 'one' is an IPA user
# ipa sudorule-add-runasuser mkdir_root --users=one
  Rule name: mkdir_root
  Enabled: TRUE
  Sudo Allow Commands: /bin/mkdir
  RunAs Users: one
-------------------------
Number of members added 1
-------------------------

Note: User 'root' is an external user
# ipa sudorule-add-runasuser mkdir_root --users=root
  Rule name: mkdir_root
  Enabled: TRUE
  Sudo Allow Commands: /bin/mkdir
  RunAs Users: one
  RunAs External User: root
-------------------------
Number of members added 1
-------------------------

I can do all the above commands in UI, except the last. And after adding root as a RunAs External user, I cannot view this in UI. I see User one listed, but not User root in UI.
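
Comment 4 reports that an external RunAs user added from the CLI is not displayed in the web UI, so a review of sudo rules on an affected version has to read the CLI output instead. The following is an added example, not part of the bug report or of IPA: it parses text in the "Key: value" layout shown above and lists the rules that carry a "RunAs External User". The sample text, the logs_view rule and the function names are constructed for illustration.

```python
import re

# Constructed sample in the "  Key: value" layout printed in Comment 4.
# The logs_view rule is made up; mkdir_root appears twice, as in a session log.
SAMPLE = """\
# ipa sudorule-add-runasuser mkdir_root --users=one
  Rule name: mkdir_root
  Enabled: TRUE
  Sudo Allow Commands: /bin/mkdir
  RunAs Users: one
-------------------------
Number of members added 1
-------------------------
# ipa sudorule-add-runasuser mkdir_root --users=root
  Rule name: mkdir_root
  Enabled: TRUE
  Sudo Allow Commands: /bin/mkdir
  RunAs Users: one
  RunAs External User: root
  Rule name: logs_view
  Enabled: TRUE
  Sudo Allow Commands: /bin/cat
  RunAs Users: one, two
"""

FIELD = re.compile(r"^\s+([^:]+):\s*(.*)$")  # indented "Key: value" lines only

def parse_rules(text):
    """Return {rule name: {field: [values]}}; a later record for a rule wins."""
    rules, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # prompts, separators, member counters
        key, value = m.group(1).strip(), m.group(2)
        if key == "Rule name":
            current = rules[value.strip()] = {}
        if current is not None:
            current[key] = [v.strip() for v in value.split(",") if v.strip()]
    return rules

def external_runas(text):
    """List (rule, external RunAs users, enabled) for rules that have any."""
    return [(name, f["RunAs External User"], f.get("Enabled") == ["TRUE"])
            for name, f in parse_rules(text).items()
            if f.get("RunAs External User")]

if __name__ == "__main__":
    for rule, users, enabled in external_runas(SAMPLE):
        print(f"{rule}: external RunAs {users} (enabled={enabled})")
```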

Comment 5 Rob Crittenden 2011-10-14 17:26:07 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1987

Comment 6 Rob Crittenden 2011-10-17 17:20:43 UTC
Fixed upstream

master: 1e5391422143c17a94008a0703099c5f877e46fd

ipa-2-1: f3a5d4883666c7e04e23cb454e28ccc83c54f04a

Comment 8 Jenny Severance 2011-10-26 16:33:48 UTC
Created attachment 530331
As Whom in sudo Rule

Comment 9 Jenny Severance 2011-10-26 16:34:55 UTC
Verified:
Can add external user in the As Whom section of a sudo rule now from the web UI.  See attached screen shot.

version:
ipa-server-2.1.3-3.el6.x86_64

Comment 10 Martin Kosek 2011-10-31 18:57:19 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: The IPA Web UI does not allow adding an external user (i.e. a user that is not managed by IPA) as a sudo command RunAs user.
Consequence: An external RunAs user can be added to the sudo command via the CLI only.
Fix: The As Whom section dialog box used for adding RunAs users has been fixed and a text field for adding an external user has been added.
Result: A sudo command RunAs user can now be added via both the Web UI and the CLI.

Comment 11 errata-xmlrpc 2011-12-06 18:42:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html