Bug 996695

Summary: IPA CLI : ipa sudo : ipa sudocmdgroup-add-member & sudocmdgroup-remove-member: "," is not recognized
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.0
Status: CLOSED NOTABUG
Severity: medium
Priority: unspecified
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Reporter: Yi Zhang <yzhang>
Assignee: Martin Kosek <mkosek>
QA Contact: Namita Soman <nsoman>
CC: jgalipea, rcritten
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-08-13 18:43:41 UTC

Description Yi Zhang 2013-08-13 18:01:09 UTC
Description of problem:
For commands: ipa sudocmdgroup-add-member & ipa sudocmdgroup-remove-member
When "," is used in the option "sudocmds", the commands are not recognized. The operation failed.

Version-Release number of selected component (if applicable): ipa-server-3.3.0-4.el7.x86_64

[root@rh7a (RH7.0-x86_64) ipa-sudo] rpm -qi ipa-server
Name        : ipa-server
Version     : 3.3.0
Release     : 4.el7
Architecture: x86_64
Install Date: Mon 12 Aug 2013 11:09:04 AM PDT
Group       : System Environment/Base
Size        : 4259738
License     : GPLv3+
Signature   : (none)
Source RPM  : ipa-3.3.0-4.el7.src.rpm
Build Date  : Mon 12 Aug 2013 04:03:37 AM PDT
Build Host  : x86-021.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server


How reproducible: always


Steps to Reproduce:
1. create sudo commands: /usr/bin/ls & /usr/bin/df
2. create sudo command group: testcmdgrp1
3. try to add both sudo commands to the group
--- should succeed but failed
4. add sudo commands to the group one by one
5. remove both sudo commands from the group
--- should succeed but failed.

The details will be posted soon


Additional info: please follow comments

Comment 1 Yi Zhang 2013-08-13 18:06:48 UTC
== step 1 : prepare sudo command and group ==
[root@rh7a (RH7.0-x86_64) ipa-sudo] ipa sudocmd-add /usr/bin/ls
--------------------------------
Added Sudo Command "/usr/bin/ls"
--------------------------------
  Sudo Command: /usr/bin/ls
[root@rh7a (RH7.0-x86_64) ipa-sudo] ipa sudocmd-add /usr/bin/df
--------------------------------
Added Sudo Command "/usr/bin/df"
--------------------------------
  Sudo Command: /usr/bin/df

[root@rh7a (RH7.0-x86_64) ipa-sudo] ipa sudocmdgroup-add testcmdgrp1
Description: test sudo command 1
--------------------------------------
Added Sudo Command Group "testcmdgrp1"
--------------------------------------
  Sudo Command Group: testcmdgrp1
  Description: test sudo command 1

== Test 1: add both commands to group, using ',' (it failed) ==
[root@rh7a (RH7.0-x86_64) ipa-sudo] ipa sudocmdgroup-add-member testcmdgrp1 --sudocmds=/usr/bin/ls,/usr/bin/df
  Sudo Command Group: testcmdgrp1
  Description: test sudo command 1
  Failed members: 
    member sudo command: /usr/bin/ls,/usr/bin/df: no such entry
-------------------------
Number of members added 0
-------------------------

== Test 2: add commands to group one by one, it succeeds ==
[root@rh7a (RH7.0-x86_64) ipa-sudo] tail -f /var/log/httpd/errors_log &
[root@rh7a (RH7.0-x86_64) ipa-sudo] ipa sudocmdgroup-add-member testcmdgrp1 --sudocmds=/usr/bin/ls
[Tue Aug 13 10:37:40.554790 2013] [:error] [pid 30136] ipa: INFO: admin.COM: sudocmdgroup_add_member(u'testcmdgrp1', all=False, raw=False, version=u'2.64', no_members=False, sudocmd=(u'/usr/bin/ls',)): SUCCESS
  Sudo Command Group: testcmdgrp1
  Description: test sudo command 1
  Member Sudo commands: /usr/bin/ls
-------------------------
Number of members added 1
-------------------------

[root@rh7a (RH7.0-x86_64) ipa-sudo] ipa sudocmdgroup-add-member testcmdgrp1 --sudocmds=/usr/bin/df
[Tue Aug 13 10:47:13.869734 2013] [:error] [pid 30136] ipa: INFO: admin.COM: sudocmdgroup_add_member(u'testcmdgrp1', all=False, raw=False, version=u'2.64', no_members=False, sudocmd=(u'/usr/bin/df',)): SUCCESS
  Sudo Command Group: testcmdgrp1
  Description: test sudo command 1
  Member Sudo commands: /usr/bin/ls, /usr/bin/df
-------------------------
Number of members added 1
-------------------------

== Test 3: remove both commands from group, using ',', it failed ==
[root@rh7a (RH7.0-x86_64) ipa-sudo] ipa sudocmdgroup-remove-member testcmdgrp1 --sudocmds=/usr/bin/ls,/usr/bin/df
[Tue Aug 13 10:47:56.735963 2013] [:error] [pid 30136] ipa: INFO: admin.COM: sudocmdgroup_remove_member(u'testcmdgrp1', all=False, raw=False, version=u'2.64', no_members=False, sudocmd=(u'/usr/bin/ls,/usr/bin/df',)): SUCCESS
  Sudo Command Group: testcmdgrp1
  Description: test sudo command 1
  Member Sudo commands: /usr/bin/ls, /usr/bin/df
  Failed members: 
    member sudo command: /usr/bin/ls,/usr/bin/df: This entry is not a member
---------------------------
Number of members removed 0
---------------------------


== Test 4: remove commands from group, one by one, it succeeds ==
[root@rh7a (RH7.0-x86_64) ipa-sudo] ipa sudocmdgroup-remove-member testcmdgrp1 --sudocmds=/usr/bin/df
[Tue Aug 13 10:48:31.697769 2013] [:error] [pid 30136] ipa: INFO: admin.COM: sudocmdgroup_remove_member(u'testcmdgrp1', all=False, raw=False, version=u'2.64', no_members=False, sudocmd=(u'/usr/bin/df',)): SUCCESS
  Sudo Command Group: testcmdgrp1
  Description: test sudo command 1
---------------------------
Number of members removed 1
---------------------------

[root@rh7a (RH7.0-x86_64) ipa-sudo] ipa sudocmdgroup-remove-member testcmdgrp1 --sudocmds=/usr/bin/ls
[Tue Aug 13 10:48:22.298672 2013] [:error] [pid 30153] ipa: INFO: admin.COM: sudocmdgroup_remove_member(u'testcmdgrp1', all=False, raw=False, version=u'2.64', no_members=False, sudocmd=(u'/usr/bin/ls',)): SUCCESS
  Sudo Command Group: testcmdgrp1
  Description: test sudo command 1
  Member Sudo commands: /usr/bin/df
---------------------------
Number of members removed 1
---------------------------

Comment 3 Yi Zhang 2013-08-13 18:24:06 UTC
Follow up:

I have seen the same behavior on other sudo commands.
[root@rh7a (RH7.0-x86_64) ipa-sudo] ipa sudorule-add rule1
-----------------------
Added Sudo Rule "rule1"
-----------------------
  Rule name: rule1
  Enabled: TRUE
[root@rh7a (RH7.0-x86_64) ipa-sudo] ipa sudorule-add-user rule1 --users=userA,userB
ipa: ERROR: invalid 'user': may only include letters, numbers, _, -, . and $

########### httpd error log for above error ########
[Tue Aug 13 11:14:51.236551 2013] [:error] [pid 30153] ipa: INFO: admin.COM: sudorule_add_user(u'rule1', all=False, raw=False, version=u'2.64', no_members=False, user=(u'userA,userB',)): ValidationError


============= I tried the help command, here is what I have: ============
On RHEL 6.4 (ipa-server-3.0)
[root@apple (RH6.4-i386) ~] ipa help sudorule-add-user
  --users=STR   comma-separated list of users to add
  --groups=STR  comma-separated list of groups to add


On RHEL 7.0 (ipa-server 3.3)
[root@rh7a (RH7.0-x86_64) ipa-sudo] ipa help sudorule-add-user
  --users=STR   users to add
  --groups=STR  groups to add

My questions are:
1. Do we even support using "," as a separator in RHEL 7.0?
2. If we still support multiple users & groups add/remove operations, what separator should be used?

Yi

Comment 4 Jenny Severance 2013-08-13 18:43:41 UTC
Closing as not a bug ...

https://bugzilla.redhat.com/show_bug.cgi?id=902943  [RFE] Drop support for CSV
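
The httpd log lines quoted in the comments show how a leftover comma-separated argument looks on the server: the multi-valued parameter arrives as a one-element tuple whose single value contains the comma, and the remove call is still logged as SUCCESS although zero members were removed. The following is an added example, not part of the bug report and not FreeIPA code, that scans such log lines for callers still using the old syntax; the function name `find_csv_callers` and the regular expressions are assumptions made for this illustration.

```python
import re

# Sample input: three log lines as quoted in the comments above.
SAMPLE_LOG = """\
[Tue Aug 13 10:37:40.554790 2013] [:error] [pid 30136] ipa: INFO: admin.COM: sudocmdgroup_add_member(u'testcmdgrp1', all=False, raw=False, version=u'2.64', no_members=False, sudocmd=(u'/usr/bin/ls',)): SUCCESS
[Tue Aug 13 10:47:56.735963 2013] [:error] [pid 30136] ipa: INFO: admin.COM: sudocmdgroup_remove_member(u'testcmdgrp1', all=False, raw=False, version=u'2.64', no_members=False, sudocmd=(u'/usr/bin/ls,/usr/bin/df',)): SUCCESS
[Tue Aug 13 11:14:51.236551 2013] [:error] [pid 30153] ipa: INFO: admin.COM: sudorule_add_user(u'rule1', all=False, raw=False, version=u'2.64', no_members=False, user=(u'userA,userB',)): ValidationError
"""

# Principal, command name, raw argument list, logged result.
CALL_RE = re.compile(
    r"ipa: INFO: (?P<who>\S+): (?P<cmd>\w+)\((?P<args>.*)\): (?P<result>\w+)\s*$")
# A multi-valued parameter is logged as a tuple: name=(u'v1', u'v2')
TUPLE_RE = re.compile(r"(?P<name>\w+)=\((?P<body>(?:u?'[^']*',?\s*)+)\)")
VALUE_RE = re.compile(r"u?'([^']*)'")


def find_csv_callers(log_text):
    """Flag tuple values that contain a comma (heuristic for legacy CSV syntax)."""
    findings = []
    for line in log_text.splitlines():
        call = CALL_RE.search(line)
        if call is None:
            continue  # not an IPA API call line
        for param in TUPLE_RE.finditer(call.group("args")):
            for value in VALUE_RE.findall(param.group("body")):
                if "," in value:
                    findings.append({
                        "principal": call.group("who"),
                        "command": call.group("cmd"),
                        "param": param.group("name"),
                        "logged_value": value,
                        # what the caller presumably meant to pass separately
                        "intended_values": [v.strip() for v in value.split(",")],
                        "result": call.group("result"),
                    })
    return findings


if __name__ == "__main__":
    for f in find_csv_callers(SAMPLE_LOG):
        print("{command} by {principal}: {param}={logged_value!r} "
              "-> {intended_values} (logged {result})".format(**f))
```

A value that legitimately contains a comma is flagged as well, so each finding is a lead for review rather than proof of a broken caller.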