Bug 800545
| Summary: | [RFE] Support SUDO command rename | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Dmitri Pal <dpal> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Pavel Picka <ppicka> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.0 | CC: | enewland, ipa-qe, jgalipea, j.vitek, kcleveng, ksiddiqu, ldelouw, mkosek, nsoman, perobins, pvoborni, pvomacka, slaznick, xdong |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-4.5.0-3.el7 | Doc Type: | Enhancement |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-01 09:37:23 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 837356 | ||
| Bug Blocks: | 1298243 | ||

Description
Dmitri Pal
2012-03-06 17:21:39 UTC
Imagine these steps:

1.) create sudo rule like: `/usr/bin/setfacl -m g:apache:rwx /home/www/*`; after some time you will need to enhance that with -R param to work recursive
2.) you have to delete this record
3.) create new record
4.) update command assignment in sudo command group, but only if you are lucky and you are using command groups (45 in my scenario). If not, you have to update all sudo rules manually (hundred in my scenario).

Please consider if you can include it with rhel6.x (6.4). It makes my work on sudo and other entries incredibly long. And yes, I know that I can make update from CLI. But CLI is not accessible every time. And also sorry for my English. Thanks

Thanks Jiri for this note, we will reconsider including this ticket to RHEL 6.4. Please keep in mind that this change depends on Bug 837356. We need to ensure referential integrity for objects like sudo, otherwise sudo rule rename operation would cause more harm than good by leaving dangling references, for example sudo command groups.

Unfortunately we do not have capacity to include it into the 6.4 release at this stage. But it will be in our next major release.

Major release, so you mean that is still planned up to 7.0 release?

It will be in 7.x but I can't say whether it will make 7.0 or will be deferred to 7.1 or even later. Please keep an eye on the upstream ticket.

This request is not too general. I do not think we would invest the resources to support rename with *all* FreeIPA objects, it is too costly without being bound to real world request (like this one). I talked to Petr Vobornik, we will rather narrow down the request to the reported problem around SUDO commands - this will increase a chance it would be really done.
Fixed upstream

ipa-4-5:
- https://pagure.io/freeipa/c/28db6cd40100c6301121e3f82c074624fe53729c
- https://pagure.io/freeipa/c/85f2a19f88eef94ff080a42246658f572b5275f4
- https://pagure.io/freeipa/c/7d3229bfb88f0fdc559245c8741563faba716106

master:
- https://pagure.io/freeipa/c/8e4408e6784f929b4c3d861f0dd509335238e951
- https://pagure.io/freeipa/c/55424c8677ba7de464c820afd31260aa4a7678d0
- https://pagure.io/freeipa/c/8c1409155e9a9a978d3d763045a84d1eac585dfd

changing needinfo

Run "ipatests/test_xmlrpc/test_sudorule_plugin.py" suite which contains the reproducer in the "test_l_1_sudorule_rename()" test.

Thanks Stanislav. Verified on ipa-server-4.5.0-9.el7:

```
# ipa sudorule-add test
----------------------
Added Sudo Rule "test"
----------------------
Rule name: test
Enabled: TRUE

# ipa sudorule-mod --help|grep rename
--rename=STR Rename the sudo rule object

# ipa sudorule-mod test --rename=test_renamed
-------------------------
Modified Sudo Rule "test"
------------------------

# ipa sudorule-show test
ipa: ERROR: test: sudo rule not found

# ipa sudorule-show test_renamed
Rule name: test_renamed
Enabled: TRUE

# ipa sudorule-mod test_renamed --rename=test
---------------------------------
Modified Sudo Rule "test_renamed"
---------------------------------
Rule name: test
Enabled: TRUE

# ipa sudorule-show test
Rule name: test
Enabled: TRUE

# ipa sudorule-show test_renamed
ipa: ERROR: test_renamed: sudo rule not found
```

Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here: https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE.
Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304