Bug 807755

Summary: [ipa webui] When adding permissions for a type, attributes that are not allowed are listed
Product: Red Hat Enterprise Linux 6 Reporter: Namita Soman <nsoman>
Component: ipa Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.2 CC: jgalipea, mkosek, pvoborni
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.2.0-9.el6 Doc Type: Bug Fix
Doc Text:
No documentation needed.
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 13:26:03 UTC Type: ---

Description Namita Soman 2012-03-28 15:41:01 UTC
Description of problem:
Add a permission, choose it to be of type - say User. Select all attributes, but when adding, it throws error - 
"attribute(s) "member,memberuid,owner" not allowed"

If these attributes cannot be chosen, then they should not be available in the list.

Same situation for Type - Host, Service where objectclass is not allowed.

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-5.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. In IPA Server - Role Based Access Control - Permissions, click Add to add a new permission
2. Enter permission name, permissions, select Target to be Type, select Type to be User, either select all attributes, or for User - select member, memberuid, and owner

  
Actual results:
throws error - 
"attribute(s) "member,memberuid,owner" not allowed"

Expected results:
If these attributes are not allowed, should not be on list to choose from

Additional info:

Comment 2 Namita Soman 2012-03-28 16:10:25 UTC
Also - the attribute list is not the same always...or so it seems...
Now when I try to add Permission of Type User, member is not listed...good, but
another set of unavailable attributes are listed, and so got error:
attribute(s) "ipasshpubkey,krbmaxrenewableage,krbmaxticketlife,krbticketflags"
not allowed

Not sure of the series of steps I took to get this attribute list.

Comment 3 Martin Kosek 2012-03-29 08:54:52 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2590

Comment 4 Namita Soman 2012-03-30 14:47:55 UTC
Also.....
Add a permission as Type - User Group, and choose "description" as an attribute.
Edit this permission, and change Type to be - Service. Scroll to bottom of attributes, and description is listed and checked. But description is not a valid attribute for Service. So when 'Update' is clicked - throws error - attribute(s) "description" not allowed.

Expected:
When Type is changed, attribute list should be refreshed and if still applicable should be chosen. And if Type is reverted back, previously chosen attributes should be back as chosen.

Comment 5 Petr Vobornik 2012-04-10 12:03:22 UTC
Original issue fixed upstream.

master: 31f156241959df107e361c2a8a81adc1cf6eb881

ipa-2-2: d5ae74e613ad61ea7898ce45f300c86bc38fcc86

For second one (Comment 4) can you please open new BZ so we can triage it.

Comment 6 Namita Soman 2012-04-10 12:32:03 UTC
Opened new bug 811207 for comment 4

Comment 9 Petr Vobornik 2012-04-26 13:40:00 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.

Comment 10 Namita Soman 2012-05-03 13:57:49 UTC
verified using ipa-server-2.2.0-12.el6.x86_64

attributes are listed correctly for each type

Comment 12 errata-xmlrpc 2012-06-20 13:26:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html