Bug 785254

Summary: ipa permission-find --subtree brings back all permissions
Product: Red Hat Enterprise Linux 6
Component: ipa
Version: 6.2
Status: CLOSED ERRATA
Severity: unspecified
Priority: high
Reporter: Namita Soman <nsoman>
Assignee: Rob Crittenden <rcritten>
QA Contact: Namita Soman <nsoman>
CC: jgalipea, mkosek
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.0.0-1.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 09:09:41 UTC

Description Namita Soman 2012-01-27 19:28:18 UTC
Description of problem:
1> using an invalid subtree filter does not throw any error
2> using a valid subtree filter brings back all permissions


Find one of the existing permissions:
Permission name: Write IPA Configuration
  Permissions: write
  Attributes: ipausersearchfields, ipagroupsearchfields, ipasearchtimelimit, ipasearchrecordslimit, ipacustomfields, ipahomesrootdir, ipadefaultloginshell, ipadefaultprimarygroup,
              ipamaxusernamelength, ipapwdexpadvnotify, ipauserobjectclasses, ipagroupobjectclasses, ipadefaultemaildomain, ipamigrationenabled, ipacertificatesubjectbase, ipaconfigstring
  Subtree: ldap:///cn=ipaconfig,cn=etc,dc=testrelm,dc=com
  Granted to Privilege: Write IPA Configuration


Tried:
ipa permission-find --subtree="ldap:///cn=ipaconfig,cn=etc,dc=testrelm,dc=com"
ipa permission-find --subtree="ldap:\/\/\/cn=ipaconfig,cn=etc,dc=testrelm,dc=com"
ipa permission-find --subtree="cn=ipaconfig,cn=etc,dc=testrelm,dc=com"
All 3 above attempts brought back all permissions


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-101.20120123T0157zgit64cf8a4.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Find a permission using subtree as mentioned above

  
Actual results:
All permissions are brought back

Expected results:
Only the matching permission to be listed.
If subtree filter is incorrect, error should be displayed.
If the subtree filter doesn't match any permission, then bring back 0 permissions with message that 0 permissions matched.


Additional info:

Comment 2 Martin Kosek 2012-01-30 08:05:07 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2321

Comment 3 Martin Kosek 2012-05-15 06:56:11 UTC
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/26ab9a504f504f59cfd3af929dbeac2ddc201ed3

Note that we don't do validation on search terms so we aren't going to report whether a subtree is valid or not, just which entries match. The match is case-insensitive.

Comment 6 Namita Soman 2012-11-26 17:25:06 UTC
Verified using  ipa-server-3.0.0-8.el6.x86_64

Verified in automated test. Results:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-permission-cli-1049 - find permission - --subtree (bug 785254)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [11:04:48] ::  Executing: ipa permission-find --subtree=cn=computers,cn=accounts,dc=testrelm,dc=com --all
:: [11:04:49] ::  WARNING: permission-find command failed.
:: [   PASS   ] :: No permissions matched - as expected.
---------------------
7 permissions matched
---------------------
  dn: cn=Add Hosts,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Add Hosts
  Permissions: add
  Type: host
  Granted to Privilege: Host Administrators
  memberindirect: cn=IT Specialist,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: top, groupofnames, ipapermission

  dn: cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Add krbPrincipalName to a host
  Permissions: write
  Attributes: krbprincipalname
  Type: host
  Filter: (!(krbprincipalname=*))
  Granted to Privilege: Host Administrators, Host Enrollment
  memberindirect: cn=IT Specialist,cn=roles,cn=accounts,dc=testrelm,dc=com, cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=com, uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com
  objectclass: top, groupofnames, ipapermission

  dn: cn=Enroll a host,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Enroll a host
  Permissions: write
  Attributes: objectclass
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment
  memberindirect: cn=IT Specialist,cn=roles,cn=accounts,dc=testrelm,dc=com, cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=com, uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com
  objectclass: top, groupofnames, ipapermission

  dn: cn=Manage host keytab,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Manage host keytab
  Permissions: write
  Attributes: krbprincipalkey, krblastpwdchange
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment
  memberindirect: cn=IT Specialist,cn=roles,cn=accounts,dc=testrelm,dc=com, cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=com, uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com
  objectclass: top, groupofnames, ipapermission

  dn: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Manage Host SSH Public Keys
  Permissions: write
  Attributes: ipasshpubkey
  Type: host
  Granted to Privilege: Host Administrators
  memberindirect: cn=IT Specialist,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: top, groupofnames, ipapermission

  dn: cn=Modify Hosts,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Modify Hosts
  Permissions: write
  Attributes: description, l, nshostlocation, nshardwareplatform, nsosversion
  Type: host
  Granted to Privilege: Host Administrators
  memberindirect: cn=IT Specialist,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: top, groupofnames, ipapermission

  dn: cn=Remove Hosts,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Remove Hosts
  Permissions: delete
  Type: host
  Granted to Privilege: Host Administrators
  memberindirect: cn=IT Specialist,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: top, groupofnames, ipapermission
----------------------------
Number of entries returned 7
----------------------------
:: [   PASS   ] :: Verify permissions are found for --subtree=ldap:///fqdn=*,cn=computers,cn=accounts,dc=testrelm,dc=com
---------------------
7 permissions matched
---------------------
  Permission name: Add Hosts
  Permissions: add
  Type: host
  Granted to Privilege: Host Administrators

  Permission name: Add krbPrincipalName to a host
  Permissions: write
  Attributes: krbprincipalname
  Type: host
  Filter: (!(krbprincipalname=*))
  Granted to Privilege: Host Administrators, Host Enrollment

  Permission name: Enroll a host
  Permissions: write
  Attributes: objectclass
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment

  Permission name: Manage host keytab
  Permissions: write
  Attributes: krbprincipalkey, krblastpwdchange
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment

  Permission name: Manage Host SSH Public Keys
  Permissions: write
  Attributes: ipasshpubkey
  Type: host
  Granted to Privilege: Host Administrators

  Permission name: Modify Hosts
  Permissions: write
  Attributes: description, l, nshostlocation, nshardwareplatform, nsosversion
  Type: host
  Granted to Privilege: Host Administrators

  Permission name: Remove Hosts
  Permissions: delete
  Type: host
  Granted to Privilege: Host Administrators
----------------------------
Number of entries returned 7
----------------------------
:: [   PASS   ] :: Running 'ipa permission-find --subtree=ldap:///fqdn=*,cn=computers,cn=accounts,dc=testrelm,dc=com'
'1ad531be-a03f-49bb-b317-548624f31a67'
ipa-permission-cli-1049-find-permission-subtree-bug-785254- result: PASS
   metric: 0
   Log: /tmp/beakerlib-9394024/journal.txt
    Info: Searching AVC errors produced since 1353945888.11 (Mon Nov 26 11:04:48 2012)
     Searching logs...
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.DC6dRL
:
   AvcLog: /mnt/testarea/tmp.DC6dRL

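The matching behaviour the fix leaves in place, written up as an added model in Python (FreeIPA's own language); this is not FreeIPA's code. It follows what Comment 3 and the verification log above state: the search term is not validated, it is compared case-insensitively against the whole stored subtree value, and a term that matches nothing yields an empty result rather than every permission, which is what the log shows for its two `--subtree` values. The permission records are constructed from subtree values shown on this page. The `ipapermsubtree` attribute name in the filter builder is an assumption for illustration only (the permission entries on this page carry just the groupofnames and ipapermission objectclasses; the targets live in the ACI). The filter builder also shows the RFC 4515 escaping the reporter's attempts brush against: `/` never needs escaping, while a literal `*` in a stored subtree such as `fqdn=*` must become `\2a` or the assertion turns into a wildcard.

```python
"""Model of `ipa permission-find --subtree` after the fix (added example, not FreeIPA code)."""

# Constructed sample, taken from subtree values shown on this page:
# permission name -> stored subtree.
PERMISSIONS = {
    "Write IPA Configuration": "ldap:///cn=ipaconfig,cn=etc,dc=testrelm,dc=com",
    "Add Hosts": "ldap:///fqdn=*,cn=computers,cn=accounts,dc=testrelm,dc=com",
    "Modify Hosts": "ldap:///fqdn=*,cn=computers,cn=accounts,dc=testrelm,dc=com",
    "Remove Hosts": "ldap:///fqdn=*,cn=computers,cn=accounts,dc=testrelm,dc=com",
}

# RFC 4515: only these characters are special inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value for use in an LDAP search filter.

    '/' is not special, so 'ldap:///' passes through unchanged; the reporter's
    'ldap:\\/\\/\\/' form merely searched for a value no permission has.  A
    literal '*' (as in 'fqdn=*') must be escaped or it becomes a wildcard.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(subtree=None, name=None):
    """Build the search filter, adding a term only for options that were given.

    The bug on this page behaves as if the subtree term were dropped: the filter
    collapses to (objectclass=ipapermission) and every permission comes back.
    'ipapermsubtree' is an assumed attribute name for this model only.
    """
    terms = ["(objectclass=ipapermission)"]
    if name is not None:
        terms.append(f"(cn={escape_filter_value(name)})")
    if subtree is not None:
        terms.append(f"(ipapermsubtree={escape_filter_value(subtree)})")
    if len(terms) == 1:
        return terms[0]
    return "(&" + "".join(terms) + ")"


def permission_find(subtree=None, permissions=PERMISSIONS):
    """Fixed behaviour: no validation of the term, case-insensitive comparison
    of the whole stored value, empty list when nothing matches."""
    if subtree is None:
        return sorted(permissions)
    wanted = subtree.lower()
    return sorted(name for name, stored in permissions.items() if stored.lower() == wanted)


def permission_find_buggy(subtree=None, permissions=PERMISSIONS):
    """Pre-fix behaviour: the option is accepted but never narrows the search."""
    return sorted(permissions)


def summary(matches):
    """CLI-style count line, e.g. '0 permissions matched'."""
    noun = "permission" if len(matches) == 1 else "permissions"
    return f"{len(matches)} {noun} matched"


if __name__ == "__main__":
    attempts = [
        # the reporter's three attempts
        "ldap:///cn=ipaconfig,cn=etc,dc=testrelm,dc=com",
        "ldap:\\/\\/\\/cn=ipaconfig,cn=etc,dc=testrelm,dc=com",
        "cn=ipaconfig,cn=etc,dc=testrelm,dc=com",
        # the two values used in the verification log
        "cn=computers,cn=accounts,dc=testrelm,dc=com",
        "ldap:///fqdn=*,cn=computers,cn=accounts,dc=testrelm,dc=com",
    ]
    for term in attempts:
        print(f"--subtree={term}")
        print(f"  buggy: {summary(permission_find_buggy(term))}")
        print(f"  fixed: {summary(permission_find(term))} {permission_find(term)}")
        print(f"  filter: {build_filter(subtree=term)}")
```

Only the reporter's first attempt matches under the fixed behaviour: the backslash-escaped form and the form without the `ldap:///` prefix are simply values that no permission has, so they return nothing, exactly as the verification log shows for `cn=computers,cn=accounts,dc=testrelm,dc=com` versus `ldap:///fqdn=*,cn=computers,cn=accounts,dc=testrelm,dc=com`.
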
Comment 8 errata-xmlrpc 2013-02-21 09:09:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html