Bug 1257163 - renaming certificate profile with --rename option leads to integrity issues
Summary: renaming certificate profile with --rename option leads to integrity issues
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Namita Soman
Reported: 2015-08-26 11:57 UTC by Petr Vobornik
Modified: 2015-11-19 12:06 UTC (History)

Fixed In Version: ipa-4.2.0-9.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 12:06:04 UTC
Links
System ID: Red Hat Product Errata RHBA-2015:2362
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: ipa bug fix and enhancement update
Last Updated: 2015-11-19 10:40:46 UTC

Description Petr Vobornik 2015-08-26 11:57:32 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5247

Similar to the problem #5074 with --setattr, when used as `ipa certprofile-mod caIPAserviceCert --rename bogus`, the profile gets renamed, which leads to integrity issues.

This even works on the default profile which has checks preventing its deletion.

Comment 3 Scott Poore 2015-08-28 20:52:47 UTC
Why would we keep the --rename option just to return an error?

[root@master ~]# ipa certprofile-mod test1 --rename=bogus1
ipa: ERROR: certprofile test1 cannot be deleted/modified: Certificate profiles cannot be renamed

Shouldn't the option instead be dropped?

Comment 4 Petr Vobornik 2015-08-31 07:41:35 UTC
Discussion which also mentions a removal of the --rename option as a possible fix: http://www.redhat.com/archives/freeipa-devel/2015-August/msg00527.html

Comment 5 Scott Poore 2015-08-31 12:49:18 UTC
Are you saying you can't remove the --rename option just for the certprofile-mod command without breaking the API?  Is that breaking the API just for the certprofile commands or all mod commands?

IMHO this really should not be shown if it's not a supported command.  That's confusing to the users and may bring more questions than just from me.  How much work is it to change the obj-mod behavior when rename shouldn't be shown for this ticket?

https://fedorahosted.org/freeipa/ticket/5254

Thanks,
Scott

Comment 6 Petr Vobornik 2015-08-31 14:13:19 UTC
I actually think that the API could be broken here because the result never worked. It's ~2-3 lines of code which could be isolated only in certprofile plugin. 

I'm not sure what's the exact scope of #5254 but definitely it's much more work compared to the isolated change.

Comment 7 Scott Poore 2015-08-31 14:29:12 UTC
Oh, you're talking about the API being broken if you allow rename to work?

What about stopping the rename option from being offered for certprofile? Would it be possible to do that now in some way that would work with #5254 when it is implemented?

Sorry to be a pain here, I'm just trying to avoid confusion from coming in later.

Thanks,
Scott

Comment 8 Petr Vobornik 2015-08-31 15:10:11 UTC
I don't want to allow it to work. I wanted it to be removed.

By broken is meant a backwards incompatible change. Which a removal of option is - old clients still knows it. By looking more closely on #5254, it seems to me that it actually proposes to remove the option. So now I'm confused as well and don't know why it was not done in the first place (shorter, simpler patch than the validation).

Comment 9 Scott Poore 2015-08-31 16:49:38 UTC
By "old clients still knows it" you mean the version of FreeIPA released for Fedora?  Wouldn't #5254 still break the API if used to remove the option from certprofile?

My understanding (which could be totally wrong) of #5254 was that it was supposed to address more than just certprofile.  And that would have been more complex?

So, can this be redone to remove the option entirely?  Or that would have to wait for 5254?

Thanks,
Scott

Comment 10 Scott Poore 2015-09-02 00:20:15 UTC
Ok, I spoke to Fraser about this and removing the option from certprofile can be done now.

Moving to assigned to get that done.

Comment 14 Scott Poore 2015-09-11 22:42:37 UTC
Verified.

Version ::

ipa-server-4.2.0-9.el7.x86_64


Results ::

[root@master ~]# ipa certprofile-mod --help
Usage: ipa [global-options] certprofile-mod ID [options]

Modify Certificate Profile configuration.
Options:
  -h, --help     show this help message and exit
  --desc=STR     Brief description of this profile
  --store=BOOL   Whether to store certs issued using this profile
  --setattr=STR  Set an attribute to a name/value pair. Format is attr=value.
                 For multi-valued attributes, the command replaces the values
                 already present.
  --addattr=STR  Add an attribute/value pair. Format is attr=value. The
                 attribute must be part of the schema.
  --delattr=STR  Delete an attribute/value pair. The option will be evaluated
                 last, after all sets and adds.
  --rights       Display the access rights of this entry (requires --all). See
                 ipa man page for details.
  --file=FILE    File containing profile configuration
  --all          Retrieve and print all attributes from the server. Affects
                 command output.
  --raw          Print entries as stored on the server. Only affects output
                 format.
[root@master ~]# ipa certprofile-mod --rename
Usage: ipa [global-options] certprofile-mod ID [options]

ipa: error: no such option: --rename

Comment 15 errata-xmlrpc 2015-11-19 12:06:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html

