Bug 747693
| Summary: | ipa selfservice-find --raw returns "internal error" | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Yi Zhang <yzhang> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.2 | CC: | dpal, jgalipea, mkosek, nsoman, spoore, syeghiay |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-2.2.0-1.el6 | Doc Type: | Bug Fix |
| Doc Text: |
Cause: IPA plugins for LDAP ACI management (permission, selfservice and delegation plugins) do not process their options in a robust way and validate passed values too loosely.
Consequence: ACI management plugins may return internal errors when empty options or the --raw option are passed. An internal error is also returned when an invalid attribute is passed to the ACI attribute list option.
Fix: Option processing is now more robust and validation is stricter.
Result: The user experience with the plugins should improve, as they now return a proper error when an invalid or empty option value is passed.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-20 13:15:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 756082 | ||
To verify this bug, just run : ipa selfservice-find "User Self service" --raw

"User Self service" is the default selfservice permission

Upstream ticket: https://fedorahosted.org/freeipa/ticket/2010

*** Bug 772106 has been marked as a duplicate of this bug. ***

*** Bug 785259 has been marked as a duplicate of this bug. ***

Fixed upstream:

master: https://fedorahosted.org/freeipa/changeset/cf12f3106a7f55fbdb03d64588e8201f14470fe8

ipa-2-2: https://fedorahosted.org/freeipa/changeset/68d78d37876ade5122f663ec9614283b6921aa23

Verified.

Version :: ipa-server-2.2.0-4.el6.x86_64

Automated Test Results ::

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: selfservice_bz_747693 ipa selfservice-find --raw returns internal error
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: BZ Test Running: ipa selfservice-find selfservice_bz_747693 --raw > /tmp/tmp.V5BS5xp3mS/selfservice_bz_747693.11766.out 2>&1
:: [ PASS ] :: BZ 747693 not found
:: [ LOG ] :: Duration: 9s
:: [ LOG ] :: Assertions: 1 good, 0 bad
:: [ PASS ] :: RESULT: selfservice_bz_747693 ipa selfservice-find --raw returns internal error
```

Manual Test Results ::

```
[root@hp-xw6600-01 ipa-selfservice]# ipa selfservice-add bz747693 --attrs=l
----------------------------
Added selfservice "bz747693"
----------------------------
Self-service name: bz747693
Permissions: write
Attributes: l
[root@hp-xw6600-01 ipa-selfservice]# ipa selfservice-find bz747693 --raw
---------------------
1 selfservice matched
---------------------
aci: (targetattr = "l")(version 3.0;acl "selfservice:bz747693";allow (write) userdn = "ldap:///self";)
----------------------------
Number of entries returned 1
----------------------------
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html
Description of problem:

```
[yi@i386a(101) ~] ipa selfservice-find "User Self service" --raw
ipa: ERROR: an internal error has occurred
```

the permission "User Self service" does exist

```
[yi@i386a(101) ~] ipa selfservice-find "User Self service"
---------------------
1 selfservice matched
---------------------
Self-service name: User Self service
Permissions: write
Attributes: givenname, sn, cn, displayname, title, initials, loginshell, gecos, homephone, mobile, pager, facsimiletelephonenumber, telephonenumber, street, roomnumber, l, st, postalcode, manager, secretary, description, carlicense, labeleduri, inetuserhttpurl, seealso, employeetype, businesscategory, ou
----------------------------
Number of entries returned 1
----------------------------
```

Version-Release number of selected component (if applicable):

ipa-server-2.1.3-2.el6.i686

```
[yi@i386a(101) ~] rpm -qi ipa-server
Name : ipa-server Relocations: (not relocatable)
Version : 2.1.3 Vendor: Red Hat, Inc.
Release : 2.el6 Build Date: Tue 18 Oct 2011 11:12:34 AM PDT
Install Date: Thu 20 Oct 2011 10:39:05 AM PDT Build Host: x86-002.build.bos.redhat.com
Group : System Environment/Base Source RPM: ipa-2.1.3-2.el6.src.rpm
Size : 3355311 License: GPLv3+
Signature : (none)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : http://www.freeipa.org/
Summary : The IPA authentication server
```

How reproducible: always

Steps to Reproduce:

1. install ipa-server
2. kinit as admin
3. run command : ipa selfservice-find "User Self service" --raw

Actual results: internal error returned

Expected results: list raw data of permission

Additional info:

/var/log/http/error_log:

```
[Thu Oct 20 12:30:34 2011] [error] ipa: ERROR: non-public: KeyError: 'aciprefix'
[Thu Oct 20 12:30:34 2011] [error] Traceback (most recent call last):
[Thu Oct 20 12:30:34 2011] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 223, in wsgi_execute
[Thu Oct 20 12:30:34 2011] [error]     result = self.Command[name](*args, **options)
[Thu Oct 20 12:30:34 2011] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 432, in __call__
[Thu Oct 20 12:30:34 2011] [error]     ret = self.run(*args, **options)
[Thu Oct 20 12:30:34 2011] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 738, in run
[Thu Oct 20 12:30:34 2011] [error]     return self.execute(*args, **options)
[Thu Oct 20 12:30:34 2011] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py", line 189, in execute
[Thu Oct 20 12:30:34 2011] [error]     del aci['aciprefix'] # do not include prefix in result
[Thu Oct 20 12:30:34 2011] [error] KeyError: 'aciprefix'
[Thu Oct 20 12:30:34 2011] [error] ipa: INFO: admin.COM: selfservice_find(u'User Self service', all=False, raw=True, version=u'2.13'): KeyError
```

klist shows

```
[yi@i386a(101) ~] klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: admin.COM

Valid starting Expires Service principal
10/20/11 12:25:15 10/21/11 12:25:15 krbtgt/YZHANG.REDHAT.COM.COM
10/20/11 12:25:49 10/21/11 12:25:15 HTTP/i386a.yzhang.redhat.com.COM
```
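The failure in the traceback above, reduced to an added illustration (not FreeIPA's code and not the upstream fix): an unconditional `del aci['aciprefix']` raises `KeyError` when `--raw` returns entries that were never split into fields, and a tolerant removal avoids it. `backend_find`, `find_fragile` and `find_robust` are hypothetical names, and the sample ACI is the string shown in the verification output.

```python
import re

# Constructed sample: the raw ACI string from the manual verification output.
RAW_ACI = ('(targetattr = "l")(version 3.0;acl "selfservice:bz747693";'
           'allow (write) userdn = "ldap:///self";)')

# Minimal pattern for this one ACI shape; real ACI syntax is richer.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)'
    r'\(version 3\.0;\s*acl "(?P<prefix>[^:"]+):(?P<name>[^"]+)";\s*'
    r'allow \((?P<perms>[^)]*)\)')


def backend_find(raw):
    """Hypothetical backend: raw entries hold only 'aci', parsed ones hold fields."""
    if raw:
        return [{'aci': RAW_ACI}]
    m = ACI_RE.match(RAW_ACI)
    if m is None:
        raise ValueError('unparseable ACI')
    return [{
        'aciprefix': m.group('prefix'),
        'aciname': m.group('name'),
        'permissions': [p.strip() for p in m.group('perms').split(',')],
        'attrs': [a.strip() for a in m.group('attrs').split('||')],
    }]


def find_fragile(raw=False):
    """Mirrors the failing line in the traceback: unconditional del."""
    entries = backend_find(raw)
    for aci in entries:
        del aci['aciprefix']  # KeyError when raw=True: the key was never set
    return entries


def find_robust(raw=False):
    """Same post-processing, but tolerant of entries without parsed fields."""
    entries = backend_find(raw)
    for aci in entries:
        aci.pop('aciprefix', None)  # no-op for raw entries
    return entries
```
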