Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 870446

Summary: multi operations with attribute manipulation not returning error
Product: Red Hat Enterprise Linux 6 Reporter: Jenny Severance <jgalipea>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 6.4CC: dpal, mkosek
Target Milestone: rc   
Target Release: 6.4   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-3.0.0-7.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 09:29:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jenny Severance 2012-10-26 14:15:39 UTC 
Description of problem:
When doing a multioperation --addattr and --delattr on an attribute that is single valued and required, no error message is returned.  This is a regression from previously releases.


# ipa group-del test
--------------------
Deleted group "test"
--------------------
[root@qe-blade-11 ipa-group-cli]# ipa group-add --desc=test test
------------------
Added group "test"
------------------
  Group name: test
  Description: test
  GID: 523800179

CORRECT BEHAVIOR
# ipa group-mod --addattr gidnumber=12345678 test
ipa: ERROR: gidnumber: Only one value allowed.

# ipa group-mod --delattr gidnumber=12345678 test
ipa: ERROR: gidnumber does not contain '12345678'

# ipa group-mod --delattr gidnumber=523800179 test
ipa: ERROR: 'gid' is required

INCORRECT BEHAVIOR
# ipa group-mod --addattr gidnumber=12345678 --delattr gidnumber=12345678 test
---------------------
Modified group "test"
---------------------
  Group name: test
  Description: test
  GID: 523800179

# echo $?
0


Version-Release number of selected component (if applicable):
# rpm -qi ipa-server
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 3.0.0                             Vendor: (none)
Release     : 105.20121022T2338zgit3488770.el6   Build Date: Mon 22 Oct 2012 09:13:40 PM EDT
Install Date: Thu 25 Oct 2012 03:17:00 PM EDT      Build Host: goofy-vm16.dsdev.sjc.redhat.com
Group       : System Environment/Base       Source RPM: ipa-3.0.0-105.20121022T2338zgit3488770.el6.src.rpm
Size        : 4357546                          License: GPLv3+
Signature   : (none)
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
Description :
IPA is an integrated solution to provide centrally managed Identity (machine,
user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof). If you are installing an IPA server you need
to install this package (in other words, most people should NOT install
this package).


How reproducible:
always

Steps to Reproduce:
1. see description
2.
3.
  
Actual results:
No error, appears successful but isn't and return code 0

Expected results:

according to help ..

  --addattr=STR  Add an attribute/value pair. Format is attr=value. The
                 attribute must be part of the schema.
  --delattr=STR  Delete an attribute/value pair. The option will be evaluated
                 last, after all sets and adds.

delattr should be evaluated last and would have at least expected

# ipa group-mod --delattr gidnumber=523800179 test
ipa: ERROR: 'gid' is required

and return code of 1

Additional info:
Comment 1 Jenny Severance 2012-10-26 14:17:29 UTC 
Test failure ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-group-multiop-005 group-mod --delattr + --addattr null op for gidnumber
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   FAIL   ] :: Testing a multi-value manipulation for gidnumber (Expected 1, got 0)
:: [   PASS   ] :: Making sure gidnumber still exists as 1537800028 in gmodtest
:: [   LOG    ] :: Duration: 4s
:: [   LOG    ] :: Assertions: 1 good, 1 bad
:: [   FAIL   ] :: RESULT: ipa-group-multiop-005 group-mod --delattr + --addattr null op for gidnumber
Comment 4 Rob Crittenden 2012-10-26 14:50:21 UTC 
You don't include what error you are expecting. I assume it is No modifications to perform?
Comment 5 Jenny Severance 2012-10-26 15:02:41 UTC 
<snip>

Expected results:

according to help ..

  --addattr=STR  Add an attribute/value pair. Format is attr=value. The
                 attribute must be part of the schema.
  --delattr=STR  Delete an attribute/value pair. The option will be evaluated
                 last, after all sets and adds.

delattr should be evaluated last and would have at least expected

# ipa group-mod --delattr gidnumber=523800179 test
ipa: ERROR: 'gid' is required

and return code of 1

</snip>
Comment 6 Rob Crittenden 2012-10-26 15:27:09 UTC 
(In reply to comment #5)

This one is reported under CORRECT BEHAVIOR above.

The expected results don't match the reported failure. The reported failure is the one where addattr and delattr operate on the same value in the same request.
Comment 7 Jenny Severance 2012-10-26 16:59:41 UTC 
It is under incorrect behavior 

INCORRECT BEHAVIOR
# ipa group-mod --addattr gidnumber=12345678 --delattr gidnumber=12345678 test
---------------------
Modified group "test"
---------------------
  Group name: test
  Description: test
  GID: 523800179

# echo $?
0


This used to have return code of 1 which is what I expected.
Comment 8 Rob Crittenden 2012-10-26 17:12:35 UTC 
Back to my original question: what error message are you expecting?
Comment 9 Martin Kosek 2012-10-29 08:50:14 UTC 
I check the behavior, for the reported command. Setting both "--addattr gidnumber=12345678 --delattr gidnumber=12345678" is actually allowed even for a single valued attribute, as this operation practically translates to NOOP.

But in that case, we should return "no modifications to be performed" error if no other attribute was modified. This *is* a regression:

# ipa group-add foogroup
Description: foo
----------------------
Added group "foogroup"
----------------------
  Group name: foogroup
  Description: foo
  GID: 371800003


OK:

# ipa group-mod foogroup --delattr=gidnumber=371800000
ipa: ERROR: gidnumber does not contain '371800000'

OK:

# ipa group-mod foogroup --delattr=gidnumber=371800003
ipa: ERROR: 'gid' is required

OK:

# ipa group-mod foogroup --addattr=gidnumber=371800000
ipa: ERROR: gidnumber: Only one value allowed.

ERROR:

# ipa group-mod foogroup --addattr=gidnumber=371800000 --delattr=gidnumber=371800000
-------------------------
Modified group "foogroup"
-------------------------
  Group name: foogroup
  Description: foo
  GID: 371800003

"no modifications to be performed" should have been risen. I will open an upstream ticket.
Comment 10 Martin Kosek 2012-10-29 08:52:54 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3220
Comment 11 Martin Kosek 2012-11-01 14:12:01 UTC 
After discussion with Rob, moving back to RHEL-6. The severeness of this bug may have been underestimated. It affects all updates of integer type, like GID. "no modifications to be performed" will never be shown there. It affects both --*attr family of commands and standard options:

# ipa group-mod labusers --gid 94800186
-------------------------
Modified group "labusers"
-------------------------
  Group name: labusers
  Description: Lab Users
  GID: 94800186
  Member users: jdoe
# ipa group-mod labusers --gid 94800186
-------------------------
Modified group "labusers"
-------------------------
  Group name: labusers
  Description: Lab Users
  GID: 94800186
  Member users: jdoe
Comment 12 Martin Kosek 2012-11-01 14:34:40 UTC 
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/d180d3c10145d4f2ad2d4dfd5243f9f1eb1083b3
ipa-3-0: https://fedorahosted.org/freeipa/changeset/1f1918f97147a9c63b4e8110aa404acc6f7d0324
Comment 15 Jenny Severance 2013-01-15 18:45:26 UTC 
verified ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-group-multiop-005 group-mod --delattr + --addattr null op for gidnumber  - bug 870446
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

ipa: ERROR: no modifications to be performed
:: [   PASS   ] :: Testing a multi-value manipulation for gidnumber
  gidnumber: 771400028
:: [   PASS   ] :: Making sure gidnumber still exists as 771400028 in gmodtest
'20a67c4c-2eb7-42e9-8bf5-2da0b87538db'
ipa-group-multiop-005-group-mod-delattr-addattr-null-op-for-gidnumber-bug-870446 result: PASS
   metric: 0
   Log: /tmp/beakerlib-9818447/journal.txt
    Info: Searching AVC errors produced since 1355931165.14 (Wed Dec 19 10:32:45 2012)
     Searching logs...
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.wW779Q
:
   AvcLog: /mnt/testarea/tmp.wW779Q

version ::

ipa-server-3.0.0-12.el6
Comment 17 errata-xmlrpc 2013-02-21 09:29:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html