Bug 817909

Summary: error indicates a different reason when ipa permission-mod fails to modify attrs
Product: Red Hat Enterprise Linux 7
Reporter: Namita Soman <nsoman>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 7.0
CC: mkosek
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 10:08:23 UTC
Type: Bug
Bug Depends On: 976382, 1153292

Description Namita Soman 2012-05-01 18:40:34 UTC
Description of problem:
From https://bugzilla.redhat.com/show_bug.cgi?id=783502#c11:
The test was to modify a permission to change the attributes, using allowed attributes:
ipa permission-mod "Change a user password"
--attrs=userpassword,krbprincipalkey,sambalmpassword,passwordhistory

the error now is:
ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive

What is it referring to?

Same error if I choose to use a non-savvy attr like "abc"
ipa permission-mod "Change a user password" --attrs=abc

or decide to provide the correct type, but still try to modify attrs (with meaningful or non-meaningful attrs)
# ipa permission-mod "Change a user password" --attrs=abc --type=user
ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-12.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Modify attributes of a permission
Actual results:
unable to modify, and get unrelated error

Expected results:
be able to modify - if all parameters are provided in command line (to workaround bug 782847)

Additional info:

Comment 2 Rob Crittenden 2012-05-01 22:00:34 UTC
Does this happen on all permissions or only this specific permission?

Comment 3 Namita Soman 2012-05-03 12:24:03 UTC
Possibly related Permission when using Filter.
 
# ipa permission-show "Add krbPrincipalName to a host"
  Permission name: Add krbPrincipalName to a host
  Permissions: write
  Attributes: krbprincipalname
  Type: host
  Filter: (!(krbprincipalname=*))
  Granted to Privilege: Host Administrators, Host Enrollment


# ipa permission-mod "Add krbPrincipalName to a host" --attrs=krbprincipalkey
ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive

But works for other permissions as below:
# ipa permission-show "Modify Group Password Policy"
  Permission name: Modify Group Password Policy
  Permissions: write
  Attributes: krbmaxpwdlife, krbminpwdlife, krbpwdhistorylength,
              krbpwdmindiffchars, krbpwdminlength, krbpwdmaxfailure,
              krbpwdfailurecountinterval, krbpwdlockoutduration
  Subtree: ldap:///cn=*,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com
  Granted to Privilege: Password Policy Administrator

# ipa permission-mod "Modify Group Password Policy" --attrs=krbmaxpwdlife,krbminpwdlife,krbpwdhistorylength,krbpwdmaxfailure,krbpwdfailurecountinterval
--------------------------------------------------
Modified permission "Modify Group Password Policy"
--------------------------------------------------
  Permission name: Modify Group Password Policy
  Permissions: write
  Attributes: krbmaxpwdlife, krbminpwdlife, krbpwdhistorylength,
              krbpwdmaxfailure, krbpwdfailurecountinterval
  Subtree: ldap:///cn=*,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com
  Granted to Privilege: Password Policy Administrator

# ipa permission-show "Enroll a host"
  Permission name: Enroll a host
  Permissions: write
  Attributes: objectclass
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment

# ipa permission-mod "Enroll a host" --attrs=description
-----------------------------------
Modified permission "Enroll a host"
-----------------------------------
  Permission name: Enroll a host
  Permissions: write
  Attributes: description
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment

Comment 4 Martin Kosek 2012-05-03 12:42:38 UTC
Thanks Namita. Rob, I think that the mutually exclusive target type list should only include type, subtree and targetgroup. A user may want to apply the permission only to a subset of these targets, i.e. he needs to combine it with a filter.

A good example is the permission "Add krbPrincipalName to a host" that Namita posted.

I will open an upstream ticket for that.
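
The following Python model is an added illustration of the exclusivity rule under discussion in this comment and of why an attrs-only `permission-mod` hit a target error in comment 3; it is not FreeIPA's code. The dict-based entries, the `validate_target()` helper, the `EXCLUSIVE_TARGETS_OLD`/`EXCLUSIVE_TARGETS_NEW` lists and the assumption that `permission-mod` validates the merged (stored + requested) entry are all modelling assumptions; the sample permissions are constructed from the `permission-show` output above.

```python
# Added illustration of the target-exclusivity rule discussed in this bug.
# This is not FreeIPA's code: the dict-based permission entries, the
# validate_target() helper, and the way permission_mod() merges the stored
# entry with the requested change are assumptions that model the behaviour
# the comments describe.


class ValidationError(ValueError):
    """Raised when a permission entry sets more than one exclusive target."""


# Target keys that cannot be combined. The first tuple models the 2.2.0
# behaviour reported here (filter included); the second models the rule
# proposed in comment 4 (filter may be combined with one of the others).
EXCLUSIVE_TARGETS_OLD = ("type", "filter", "subtree", "targetgroup")
EXCLUSIVE_TARGETS_NEW = ("type", "subtree", "targetgroup")


def exclusivity_message(exclusive):
    """Build the error text in the same shape as the CLI message quoted above."""
    return "invalid 'target': %s and %s are mutually exclusive" % (
        ", ".join(exclusive[:-1]), exclusive[-1])


def validate_target(entry, exclusive):
    """Return the exclusive target keys that are set; raise if more than one."""
    present = [key for key in exclusive if entry.get(key)]
    if len(present) > 1:
        raise ValidationError(exclusivity_message(exclusive))
    return present


def permission_mod(stored, updates, exclusive=EXCLUSIVE_TARGETS_NEW):
    """Model of `ipa permission-mod`: merge the change into the stored entry,
    then validate the merged result (assumed mechanism).

    Validating the merged entry is what makes an attrs-only change surface a
    target error on a permission whose stored target already combines a
    filter with a type, even though the request never touched the target.
    """
    merged = dict(stored)
    merged.update(updates)
    validate_target(merged, exclusive)
    return merged


def try_mod(stored, updates, exclusive):
    """Run permission_mod and report ("modified", entry) or ("error", message)."""
    try:
        return "modified", permission_mod(stored, updates, exclusive)
    except ValidationError as err:
        return "error", str(err)


# Constructed entries mirroring the permission-show output in comment 3.
ADD_KRBPRINCIPALNAME_TO_HOST = {
    "name": "Add krbPrincipalName to a host",
    "permissions": ["write"],
    "attrs": ["krbprincipalname"],
    "type": "host",
    "filter": "(!(krbprincipalname=*))",
}
ENROLL_A_HOST = {
    "name": "Enroll a host",
    "permissions": ["write"],
    "attrs": ["objectclass"],
    "type": "host",
}

if __name__ == "__main__":
    change = {"attrs": ["krbprincipalkey"]}
    # Old rule: the type+filter permission is rejected even for an attrs-only change.
    print(try_mod(ADD_KRBPRINCIPALNAME_TO_HOST, change, EXCLUSIVE_TARGETS_OLD))
    # Proposed rule: the same change succeeds and the filter is preserved.
    print(try_mod(ADD_KRBPRINCIPALNAME_TO_HOST, change, EXCLUSIVE_TARGETS_NEW))
    # A permission without a filter was never affected.
    print(try_mod(ENROLL_A_HOST, {"attrs": ["description"]}, EXCLUSIVE_TARGETS_OLD))
    # Two non-filter targets are still rejected under the proposed rule.
    print(try_mod({"type": "user", "subtree": "dc=example,dc=com"}, change,
                  EXCLUSIVE_TARGETS_NEW))
```

The point worth checking in any such validator is the one the model makes visible: with the filter in the exclusive list, the only way to get the attrs change through was to drop the filter, which would widen "Add krbPrincipalName to a host" from hosts that lack a principal to every host. Keeping the filter combinable with a type, subtree or targetgroup lets the permission stay as narrow as it was written.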

Comment 5 Martin Kosek 2012-05-03 12:46:09 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2718

Comment 9 Martin Kosek 2014-02-12 16:30:10 UTC
Fixed upstream in scope of https://fedorahosted.org/freeipa/ticket/3566:

# ipa permission-show "Change a user password"
  Permission name: Change a user password
  Permissions: write
  Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword,
                        sambantpassword, userpassword
  Bind rule type: permission
  Subtree: dc=example,dc=com
  ACI target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))
  ACI target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
  Granted to Privilege: Modify Users and Reset passwords, User Administrators

# ipa permission-mod "Change a user password" --attrs={userpassword,krbprincipalkey,sambalmpassword,passwordhistory}
--------------------------------------------
Modified permission "Change a user password"
--------------------------------------------
  Permission name: Change a user password
  Permissions: write
  Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword, userpassword
  Bind rule type: permission
  Subtree: dc=example,dc=com
  ACI target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))
  ACI target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
  Granted to Privilege: Modify Users and Reset passwords, User Administrators

Comment 11 Namita Soman 2015-01-23 17:50:06 UTC
Verified using ipa-server-4.1.0-15.el7.x86_64

# ipa permission-mod "System: Change user password" --attrs={userpassword,krbprincipalkey,sambalmpassword,passwordhistory}
--------------------------------------------------
Modified permission "System: Change user password"
--------------------------------------------------
  Permission name: System: Change User password
  Granted rights: write
  Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword, userpassword
  Excluded attributes: sambantpassword
  Default attributes: userpassword, krbprincipalkey, sambantpassword, passwordhistory, sambalmpassword
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,dc=testrelm,dc=test
  Extra target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=test))
  Type: user
  Granted to Privilege: User Administrators, Modify Users and Reset passwords
  Indirect Member of roles: User Administrator, helpdesk

Comment 13 errata-xmlrpc 2015-03-05 10:08:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html