Bug 815828

Summary: Rename DNS permissions to use mixed-case
Product: Red Hat Enterprise Linux 7
Reporter: Dmitri Pal <dpal>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 7.0
CC: mkosek, nsoman, xdong
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 10:08:20 UTC
Bug Depends On: 976382, 1153292

Description Dmitri Pal 2012-04-24 15:40:00 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2659

There are three DNS permissions, all named in lower case, which is inconsistent with other permission names:
{{{
  Permission name: add dns entries
  Permission name: remove dns entries
  Permission name: update dns entries
}}}

Comment 2 Martin Kosek 2014-06-26 10:20:32 UTC
Fixed as part of the RFE in Bug 976382:

# ipa permission-find dns
---------------------
6 permissions matched
---------------------
  Permission name: System: Add DNS Entries
  Granted rights: add
  Bind rule type: permission
  Subtree: dc=mkosek-fedora20,dc=test
  ACI target DN: idnsname=*,cn=dns,dc=mkosek-fedora20,dc=test
  Granted to Privilege: DNS Servers, DNS Administrators

  Permission name: System: Read DNS Configuration
  Granted rights: read
  Effective attributes: idnsallowsyncptr, idnsforwarders, idnsforwardpolicy, idnspersistentsearch,
                        idnszonerefresh, objectclass
  Default attributes: idnsforwardpolicy, objectclass, idnsallowsyncptr, idnsforwarders,
                      idnspersistentsearch, idnszonerefresh
  Bind rule type: permission
  Subtree: dc=mkosek-fedora20,dc=test
  Extra target filter: (objectclass=idnsConfigObject)
  ACI target DN: cn=dns,dc=mkosek-fedora20,dc=test
  Granted to Privilege: DNS Servers, DNS Administrators

  Permission name: System: Read DNS Entries
  Granted rights: read, compare, search
  Effective attributes: a6record, aaaarecord, afsdbrecord, arecord, certrecord, cn, cnamerecord,
                        dlvrecord, dnamerecord, dnsclass, dnsttl, dsrecord, hinforecord,
                        idnsallowdynupdate, idnsallowquery, idnsallowsyncptr, idnsallowtransfer,
                        idnsforwarders, idnsforwardpolicy, idnsname, idnssoaexpire, idnssoaminimum,
                        idnssoamname, idnssoarefresh, idnssoaretry, idnssoarname, idnssoaserial,
                        idnsupdatepolicy, idnszoneactive, keyrecord, kxrecord, locrecord, managedby,
                        mdrecord, minforecord, mxrecord, naptrrecord, nsec3paramrecord, nsecrecord,
                        nsrecord, nxtrecord, objectclass, ptrrecord, rrsigrecord, sigrecord, srvrecord,
                        sshfprecord, txtrecord
  Default attributes: sshfprecord, cn, idnsforwardpolicy, nxtrecord, idnsallowtransfer, idnssoaretry,
                      mxrecord, idnsallowdynupdate, mdrecord, arecord, dlvrecord, kxrecord, managedby,
                      ptrrecord, idnsforwarders, nsec3paramrecord, idnsupdatepolicy, idnsallowquery,
                      idnssoarefresh, idnsname, afsdbrecord, naptrrecord, idnszoneactive, nsrecord,
                      locrecord, dnsttl, sigrecord, idnssoaminimum, aaaarecord, rrsigrecord,
                      idnssoamname, hinforecord, idnssoaexpire, dnsclass, cnamerecord, dnamerecord,
                      idnssoaserial, idnsallowsyncptr, certrecord, srvrecord, objectclass, dsrecord,
                      txtrecord, nsecrecord, a6record, keyrecord, idnssoarname, minforecord
  Bind rule type: permission
  Subtree: dc=mkosek-fedora20,dc=test
  ACI target DN: idnsname=*,cn=dns,dc=mkosek-fedora20,dc=test
  Granted to Privilege: DNS Servers, DNS Administrators

  Permission name: System: Remove DNS Entries
  Granted rights: delete
  Bind rule type: permission
  Subtree: dc=mkosek-fedora20,dc=test
  ACI target DN: idnsname=*,cn=dns,dc=mkosek-fedora20,dc=test
  Granted to Privilege: DNS Servers, DNS Administrators

  Permission name: System: Update DNS Entries
  Granted rights: write
  Effective attributes: a6record, aaaarecord, afsdbrecord, arecord, certrecord, cn, cnamerecord,
                        dlvrecord, dnamerecord, dnsclass, dnsttl, dsrecord, hinforecord,
                        idnsallowdynupdate, idnsallowquery, idnsallowsyncptr, idnsallowtransfer,
                        idnsforwarders, idnsforwardpolicy, idnsname, idnssoaexpire, idnssoaminimum,
                        idnssoamname, idnssoarefresh, idnssoaretry, idnssoarname, idnssoaserial,
                        idnsupdatepolicy, idnszoneactive, keyrecord, kxrecord, locrecord, managedby,
                        mdrecord, minforecord, mxrecord, naptrrecord, nsec3paramrecord, nsecrecord,
                        nsrecord, nxtrecord, ptrrecord, rrsigrecord, sigrecord, srvrecord, sshfprecord,
                        txtrecord
  Default attributes: sshfprecord, cn, idnsforwardpolicy, nxtrecord, idnsallowtransfer, idnssoaretry,
                      mxrecord, idnsallowdynupdate, mdrecord, arecord, dlvrecord, kxrecord, managedby,
                      ptrrecord, idnsforwarders, nsec3paramrecord, idnsupdatepolicy, idnsallowquery,
                      idnssoarefresh, idnsname, afsdbrecord, dnsttl, idnszoneactive, nsrecord,
                      locrecord, sigrecord, idnssoaminimum, aaaarecord, rrsigrecord, idnssoamname,
                      hinforecord, idnssoaexpire, dnsclass, cnamerecord, dnamerecord, idnssoaserial,
                      idnsallowsyncptr, certrecord, srvrecord, naptrrecord, dsrecord, txtrecord,
                      nsecrecord, a6record, keyrecord, idnssoarname, minforecord
  Bind rule type: permission
  Subtree: dc=mkosek-fedora20,dc=test
  ACI target DN: idnsname=*,cn=dns,dc=mkosek-fedora20,dc=test
  Granted to Privilege: DNS Servers, DNS Administrators

  Permission name: System: Write DNS Configuration
  Granted rights: write
  Effective attributes: idnsallowsyncptr, idnsforwarders, idnsforwardpolicy, idnspersistentsearch,
                        idnszonerefresh
  Default attributes: idnsallowsyncptr, idnsforwardpolicy, idnspersistentsearch, idnszonerefresh,
                      idnsforwarders
  Bind rule type: permission
  Subtree: dc=mkosek-fedora20,dc=test
  Extra target filter: (objectclass=idnsConfigObject)
  ACI target DN: cn=dns,dc=mkosek-fedora20,dc=test
  Granted to Privilege: DNS Servers, DNS Administrators
----------------------------
Number of entries returned 6
----------------------------

Comment 4 Xiyang Dong 2015-01-13 19:56:17 UTC
Verified on ipa-server-4.1.0-13.el7.x86_64:

[root@hp-dl380pgen8-01 ~]# ipa permission-find dns | grep "Permission name:"
  Permission name: System: Add DNS Entries
  Permission name: System: Manage DNSSEC keys
  Permission name: System: Manage DNSSEC metadata
  Permission name: System: Modify Realm Domains
  Permission name: System: Read DNS Configuration
  Permission name: System: Read DNS Entries
  Permission name: System: Read DNSSEC metadata
  Permission name: System: Remove DNS Entries
  Permission name: System: Update DNS Entries
  Permission name: System: Write DNS Configuration
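
The naming check from the comments above can be automated over saved `ipa permission-find` output. The following is an added example, not part of the bug report or of FreeIPA; the function names are hypothetical and the sample text is constructed in the layout shown on this page, including a wrapped attribute list and one of the old lower-case names from the description.

```python
import re

# Constructed sample: two-space "Key: value" fields, wrapped values continued
# on deeper-indented lines, dashed rules and summary lines around the entries.
SAMPLE = """\
---------------------
2 permissions matched
---------------------
  Permission name: System: Update DNS Entries
  Granted rights: write
  Effective attributes: a6record, aaaarecord,
                        arecord
  Granted to Privilege: DNS Servers, DNS Administrators

  Permission name: add dns entries
  Granted rights: add
----------------------------
Number of entries returned 2
----------------------------
"""

# A field line is indented by exactly two spaces; the key ends at the first ": ".
FIELD = re.compile(r"^  (\S[^:]*): (.*)$")

def parse_permissions(text):
    """Return one dict per permission entry, rejoining wrapped values."""
    entries, current, key = [], None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "Permission name":      # each entry starts with its name
                current = {}
                entries.append(current)
            if current is not None:
                current[key] = value
        elif line.startswith("   ") and line.strip() and current is not None and key:
            current[key] += " " + line.strip()  # continuation of a wrapped value
        else:
            key = None                          # blank line, dashed rule or summary
    return entries

def lowercase_named(entries):
    """Names containing no upper-case letter, the inconsistency reported here."""
    return [e["Permission name"] for e in entries
            if e["Permission name"] == e["Permission name"].lower()]

def attributes(entry, field="Effective attributes"):
    """Split a comma-separated field such as 'Effective attributes' into a list."""
    return [a.strip() for a in entry.get(field, "").split(",") if a.strip()]
```
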

Comment 6 errata-xmlrpc 2015-03-05 10:08:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html