Bug 1257163 - renaming certificate profile with --rename option leads to integrity issues
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Assigned To: IPA Maintainers
Namita Soman
Reported: 2015-08-26 07:57 EDT by Petr Vobornik
Modified: 2015-11-19 07:06 EST
Fixed In Version: ipa-4.2.0-9.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 07:06:04 EST
Description Petr Vobornik 2015-08-26 07:57:32 EDT
This bug is created as a clone of upstream ticket:

Similar to the problem #5074 with --setattr, when used as `ipa certprofile-mod caIPAserviceCert --rename bogus`, the profile gets renamed, which leads to integrity issues.

This even works on the default profile which has checks preventing its deletion.
Comment 3 Scott Poore 2015-08-28 16:52:47 EDT
Why would we keep the --rename option just to return an error?

[root@master ~]# ipa certprofile-mod test1 --rename=bogus1
ipa: ERROR: certprofile test1 cannot be deleted/modified: Certificate profiles cannot be renamed

Shouldn't the option instead be dropped?
Comment 4 Petr Vobornik 2015-08-31 03:41:35 EDT
Discussion which also mentions a removal of the --rename option as a possible fix: http://www.redhat.com/archives/freeipa-devel/2015-August/msg00527.html
Comment 5 Scott Poore 2015-08-31 08:49:18 EDT
Are you saying you can't remove the --rename option just for the certprofile-mod command without breaking the API?  Is that breaking the API just for the certprofile commands or all mod commands?

IMHO this really should not be shown if it's not a supported command.  That's confusing to the users and may bring more questions than just from me.  How much work is it to change the obj-mod behavior when rename shouldn't be shown for this ticket?


Comment 6 Petr Vobornik 2015-08-31 10:13:19 EDT
I actually think that the API could be broken here because the result never worked. It's ~2-3 lines of code which could be isolated only in certprofile plugin. 

I'm not sure what's the exact scope of #5254 but definitely it's much more work compared to the isolated change.
Comment 7 Scott Poore 2015-08-31 10:29:12 EDT
Oh, you're talking about the API being broken if you allow rename to work?

What about stopping the rename option from being offered for certprofile? Would it be possible to do that now in some way that would work with #5254 when it is implemented?

Sorry to be a pain here, I'm just trying to avoid confusion from coming in later.

Comment 8 Petr Vobornik 2015-08-31 11:10:11 EDT
I don't want to allow it to work. I wanted it to be removed.

By broken is meant a backwards incompatible change. Which a removal of option is - old clients still knows it. By looking more closely at #5254, it seems to me that it actually proposes to remove the option. So now I'm confused as well and don't know why it was not done in the first place (shorter, simpler patch than the validation).
Comment 9 Scott Poore 2015-08-31 12:49:38 EDT
By "old clients still knows it" you mean the version of FreeIPA released for Fedora?  Wouldn't #5254 still break the API if used to remove the option from certprofile?

My understanding (which could be totally wrong) of #5254 was that it was supposed to address more than just certprofile.  And that would have been more complex?

So, can this be redone to remove the option entirely?  Or that would have to wait for 5254?

Comment 10 Scott Poore 2015-09-01 20:20:15 EDT
Ok, I spoke to Fraser about this and removing the option from certprofile can be done now.

Moving to assigned to get that done.
Comment 14 Scott Poore 2015-09-11 18:42:37 EDT

Version ::


Results ::

[root@master ~]# ipa certprofile-mod --help
Usage: ipa [global-options] certprofile-mod ID [options]

Modify Certificate Profile configuration.
  -h, --help     show this help message and exit
  --desc=STR     Brief description of this profile
  --store=BOOL   Whether to store certs issued using this profile
  --setattr=STR  Set an attribute to a name/value pair. Format is attr=value.
                 For multi-valued attributes, the command replaces the values
                 already present.
  --addattr=STR  Add an attribute/value pair. Format is attr=value. The
                 attribute must be part of the schema.
  --delattr=STR  Delete an attribute/value pair. The option will be evaluated
                 last, after all sets and adds.
  --rights       Display the access rights of this entry (requires --all). See
                 ipa man page for details.
  --file=FILE    File containing profile configuration
  --all          Retrieve and print all attributes from the server. Affects
                 command output.
  --raw          Print entries as stored on the server. Only affects output
[root@master ~]# ipa certprofile-mod --rename
Usage: ipa [global-options] certprofile-mod ID [options]

ipa: error: no such option: --rename
Comment 15 errata-xmlrpc 2015-11-19 07:06:04 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

