This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/5247 Similar to the problem #5074 with --setattr, when used as `ipa cert profile-mod caIPAserviceCert --rename bogus`, the profile gets renamed which leads to integrity issues. This even works on the default profile which has checks preventing its deletion.
Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/5c7d6a6a31daca8bf92d85d8c1895279be84c888
ipa-4-2: https://fedorahosted.org/freeipa/changeset/d943bf09799e6faf2dd83f630bcfd6f99575c5c8
Why would we keep the --rename option just to return an error?

[root@master ~]# ipa certprofile-mod test1 --rename=bogus1
ipa: ERROR: certprofile test1 cannot be deleted/modified: Certificate profiles cannot be renamed

Shouldn't the option instead be dropped?
Discussion which also mentions a removal of the --rename option as a possible fix:
http://www.redhat.com/archives/freeipa-devel/2015-August/msg00527.html
Are you saying you can't remove the --rename option just for the certprofile-mod command without breaking the API? Is that breaking the API just for the certprofile commands or all mod commands? IMHO this really should not be shown if it's not a supported command. That's confusing to the users and may bring more questions than just from me. How much work is it to change the obj-mod behavior when rename shouldn't be shown for this ticket? https://fedorahosted.org/freeipa/ticket/5254

Thanks,
Scott
I actually think that the API could be broken here because the result never worked. It's ~2-3 lines of code which could be isolated only in the certprofile plugin. I'm not sure what the exact scope of #5254 is, but it's definitely much more work compared to the isolated change.
Oh, you're talking about the API being broken if you allow rename to work? What about stopping the rename option from being offered for certprofile? Would it be possible to do that now in some way that would work with #5254 when it is implemented? Sorry to be a pain here, I'm just trying to avoid confusion from coming in later.

Thanks,
Scott
I don't want to allow it to work. I wanted it to be removed. By "broken" I mean a backwards incompatible change, which a removal of an option is: old clients still know it. By looking more closely at #5254, it seems to me that it actually proposes to remove the option. So now I'm confused as well and don't know why it was not done in the first place (shorter, simpler patch than the validation).
By "old clients still knows it" you mean the version of FreeIPA released for Fedora? Wouldn't #5254 still break the API if used to remove the option from certprofile? My understanding (which could be totally wrong) of #5254 was that it was supposed to address more than just certprofile. And that would have been more complex? So, can this be redone to remove the option entirely? Or would that have to wait for 5254?

Thanks,
Scott
Ok, I spoke to Fraser about this and removing the option from certprofile can be done now. Moving to assigned to get that done.
The option was removed upstream.
master: https://fedorahosted.org/freeipa/changeset/86cd47af0245a216324900be39be1a145bf0741b
ipa-4-2: https://fedorahosted.org/freeipa/changeset/b7386dc98506d66c6cbb1083992ced7792f938bd
Verified.

Version :: ipa-server-4.2.0-9.el7.x86_64

Results ::

[root@master ~]# ipa certprofile-mod --help
Usage: ipa [global-options] certprofile-mod ID [options]

Modify Certificate Profile configuration.
Options:
  -h, --help     show this help message and exit
  --desc=STR     Brief description of this profile
  --store=BOOL   Whether to store certs issued using this profile
  --setattr=STR  Set an attribute to a name/value pair. Format is attr=value.
                 For multi-valued attributes, the command replaces the values
                 already present.
  --addattr=STR  Add an attribute/value pair. Format is attr=value. The
                 attribute must be part of the schema.
  --delattr=STR  Delete an attribute/value pair. The option will be evaluated
                 last, after all sets and adds.
  --rights       Display the access rights of this entry (requires --all). See
                 ipa man page for details.
  --file=FILE    File containing profile configuration
  --all          Retrieve and print all attributes from the server. Affects
                 command output.
  --raw          Print entries as stored on the server. Only affects output
                 format.

[root@master ~]# ipa certprofile-mod --rename
Usage: ipa [global-options] certprofile-mod ID [options]

ipa: error: no such option: --rename
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html