Bug 1690024 - ipa role-mod DatabaseError changing cn[ZStream Clone]
Summary: ipa role-mod DatabaseError changing cn[ZStream Clone]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: mreynolds
QA Contact: RHDS QE
URL:
Whiteboard:
Depends On: 1678517 1683259
Blocks:
Reported: 2019-03-18 15:33 UTC by Oneata Mircea Teodor
Modified: 2020-11-14 10:00 UTC (History)

Fixed In Version: 389-ds-base-1.4.0.20-10.module+el8.0.0+3096+101825d5
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1678517
Environment:
Last Closed: 2019-05-07 04:17:53 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0965 0 None None None 2019-05-07 04:17:54 UTC

Comment 5 Sumedh Sidhaye 2019-04-10 08:06:39 UTC
Builds used for verification:

[root@ipaqavmd ~]# rpm -qa 389-ds-base
389-ds-base-1.4.0.20-8.module+el8.0.0+2945+edba0d70.x86_64
[root@ipaqavmd ~]# rpm -qa ipa-server
ipa-server-4.7.1-11.module+el8+2842+7481110c.x86_64
[root@ipaqavmd ~]# 

Verification procedure as 

[root@ipaqavmd ~]# ipa user-add --first=user --last=one userA
------------------
Added user "usera"
------------------
  User login: usera
  First name: user
  Last name: one
  Full name: user one
  Display name: user one
  Initials: uo
  Home directory: /home/usera
  GECOS: user one
  Login shell: /bin/sh
  Principal name: usera
  Principal alias: usera
  Email address: usera
  UID: 934000001
  GID: 934000001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@ipaqavmd ~]# ipa group-add groupA
--------------------
Added group "groupa"
--------------------
  Group name: groupa
  GID: 934000003
[root@ipaqavmd ~]# ipa group-add-member groupA --users=userA
  Group name: groupa
  GID: 934000003
  Member users: usera
-------------------------
Number of members added 1
-------------------------
[root@ipaqavmd ~]# ipa permission-add permA --right=write --targetgroup=groupA --attr=description
------------------------
Added permission "permA"
------------------------
  Permission name: permA
  Granted rights: write
  Effective attributes: description
  Bind rule type: permission
  Subtree: dc=testrelm,dc=test
  Target DN: cn=groupa,cn=groups,cn=accounts,dc=testrelm,dc=test
  Target group: groupa
  Permission flags: SYSTEM, V2
[root@ipaqavmd ~]# ipa privilege-add privA --desc=privA
-----------------------
Added privilege "privA"
-----------------------
  Privilege name: privA
  Description: privA
[root@ipaqavmd ~]# ipa privilege-add-permission privA --permission=permA
  Privilege name: privA
  Description: privA
  Permissions: permA
-----------------------------
Number of permissions added 1
-----------------------------
[root@ipaqavmd ~]# ipa role-add roleA --desc=roleA
------------------
Added role "roleA"
------------------
  Role name: roleA
  Description: roleA
[root@ipaqavmd ~]# ipa role-add-privilege roleA --privileges=privA
  Role name: roleA
  Description: roleA
  Privileges: privA
----------------------------
Number of privileges added 1
----------------------------
[root@ipaqavmd ~]# ipa role-add-member roleA --users=userA --all
  dn: cn=roleA,cn=roles,cn=accounts,dc=testrelm,dc=test
  Role name: roleA
  Description: roleA
  Member users: usera
  Privileges: privA
  objectclass: groupofnames, nestedgroup, top
-------------------------
Number of members added 1
-------------------------
[root@ipaqavmd ~]# ipa permission-mod permA --attrs=description --attrs=member
---------------------------
Modified permission "permA"
---------------------------
  Permission name: permA
  Granted rights: write
  Effective attributes: description, member
  Bind rule type: permission
  Subtree: dc=testrelm,dc=test
  Target DN: cn=groupa,cn=groups,cn=accounts,dc=testrelm,dc=test
  Target group: groupa
  Permission flags: SYSTEM, V2
  Granted to Privilege: privA
  Indirect Member of roles: roleA
[root@ipaqavmd ~]# ipa --debug role-mod roleA --setattr='cn=roleAb' --all
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$6c90a617...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$6c90a617.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin', cookie: 'ipa_session=MagBearerToken=dq%2bDpSH5615k0YHnGdUo1jt8eK6x6i56y42cN5IT3SE2WVI01b7PzkR79ksG%2buW1iUupyALkzyAQEXv17h2MdwoKunfxIxmQPbY4lizB7ocNK3PTI1Ev1DCSYj2zMyTcwzCs%2bXfheplDDhC8gLmRrRwyKV5Pht%2bb2nCxWt3ilTu4hEpyTqkBhXKSRUOBE5qH'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=dq%2bDpSH5615k0YHnGdUo1jt8eK6x6i56y42cN5IT3SE2WVI01b7PzkR79ksG%2buW1iUupyALkzyAQEXv17h2MdwoKunfxIxmQPbY4lizB7ocNK3PTI1Ev1DCSYj2zMyTcwzCs%2bXfheplDDhC8gLmRrRwyKV5Pht%2bb2nCxWt3ilTu4hEpyTqkBhXKSRUOBE5qH;'
ipa: DEBUG: trying https://master.testrelm.test/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_139640742333352
ipa: DEBUG: raw: role_mod('roleA', setattr='cn=roleAb', all=True, version='2.230')
ipa: DEBUG: role_mod('roleA', setattr=('cn=roleAb',), all=True, version='2.230')
ipa: DEBUG: [try 1]: Forwarding 'role_mod/1' to json server 'https://master.testrelm.test/ipa/session/json'
ipa: DEBUG: New HTTP connection (master.testrelm.test)
ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=dq%2bDpSH5615k0YHnGdUo1jt8eK6x6i56y42cN5IT3SE2WVI01b7PzkR79ksG%2buW1iUupyALkzyAQEXv17h2MdwoKunfxIxmQPbY4lizB7ocNK3PTI1Ev1DCSYj2zMyTcwzCs%2bXfheplDDhC8gLmRrRwyKV5Pht%2bb2nCxWt3ilTu4hEpyTqkBhXKSRUOBE5qH;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=dq%2bDpSH5615k0YHnGdUo1jt8eK6x6i56y42cN5IT3SE2WVI01b7PzkR79ksG%2buW1iUupyALkzyAQEXv17h2MdwoKunfxIxmQPbY4lizB7ocNK3PTI1Ev1DCSYj2zMyTcwzCs%2bXfheplDDhC8gLmRrRwyKV5Pht%2bb2nCxWt3ilTu4hEpyTqkBhXKSRUOBE5qH;' for principal admin
ipa: DEBUG: Destroyed connection context.rpcclient_139640742333352
ipa: ERROR: Operations error: 
[root@ipaqavmd ~]#

Comment 13 Sumedh Sidhaye 2019-04-11 10:16:20 UTC
Build used for verification:
[root@yttrium ~]# rpm -qa 389-ds-base
389-ds-base-1.4.0.20-9.module+el8.0.0+2995+a5112768.x86_64
[root@yttrium ~]# rpm -qa ipa-server
ipa-server-4.7.1-11.module+el8+2842+7481110c.x86_64


Steps used for verification:

1. Install IPA server
2. Set up RBAC rules like this:

ipa user-add --first=user --last=one userA
ipa group-add groupA
ipa group-add-member groupA --users=userA
ipa permission-add permA --right=write --targetgroup=groupA --attr=description
ipa privilege-add privA --desc=privA
ipa privilege-add-permission privA --permission=permA
ipa role-add roleA --desc=roleA
ipa role-add-privilege roleA --privileges=privA
ipa role-add-member roleA --users=userA --all
ipa permission-mod permA --attrs=description --attrs=member
ipa --debug role-mod roleA --setattr='cn=roleAb' --all


[root@yttrium ~]# ipa user-add --first=user --last=one userA
------------------
Added user "usera"
------------------
  User login: usera
  First name: user
  Last name: one
  Full name: user one
  Display name: user one
  Initials: uo
  Home directory: /home/usera
  GECOS: user one
  Login shell: /bin/sh
  Principal name: usera
  Principal alias: usera
  Email address: usera
  UID: 925000001
  GID: 925000001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@yttrium ~]# ipa group-add groupA
--------------------
Added group "groupa"
--------------------
  Group name: groupa
  GID: 925000003
[root@yttrium ~]# ipa group-add-member groupA --users=userA
  Group name: groupa
  GID: 925000003
  Member users: usera
-------------------------
Number of members added 1
-------------------------
[root@yttrium ~]# ipa permission-add permA --right=write --targetgroup=groupA --attr=description
------------------------
Added permission "permA"
------------------------
  Permission name: permA
  Granted rights: write
  Effective attributes: description
  Bind rule type: permission
  Subtree: dc=testrelm,dc=test
  Target DN: cn=groupa,cn=groups,cn=accounts,dc=testrelm,dc=test
  Target group: groupa
  Permission flags: SYSTEM, V2
[root@yttrium ~]# ipa privilege-add privA --desc=privA
-----------------------
Added privilege "privA"
-----------------------
  Privilege name: privA
  Description: privA
[root@yttrium ~]# ipa privilege-add-permission privA --permission=permA
  Privilege name: privA
  Description: privA
  Permissions: permA
-----------------------------
Number of permissions added 1
-----------------------------
[root@yttrium ~]# ipa role-add roleA --desc=roleA
------------------
Added role "roleA"
------------------
  Role name: roleA
  Description: roleA
[root@yttrium ~]# ipa role-add-privilege roleA --privileges=privA
  Role name: roleA
  Description: roleA
  Privileges: privA
----------------------------
Number of privileges added 1
----------------------------
[root@yttrium ~]# ipa role-add-member roleA --users=userA --all
  dn: cn=roleA,cn=roles,cn=accounts,dc=testrelm,dc=test
  Role name: roleA
  Description: roleA
  Member users: usera
  Privileges: privA
  objectclass: groupofnames, nestedgroup, top
-------------------------
Number of members added 1
-------------------------
[root@yttrium ~]# ipa permission-mod permA --attrs=description --attrs=member
---------------------------
Modified permission "permA"
---------------------------
  Permission name: permA
  Granted rights: write
  Effective attributes: description, member
  Bind rule type: permission
  Subtree: dc=testrelm,dc=test
  Target DN: cn=groupa,cn=groups,cn=accounts,dc=testrelm,dc=test
  Target group: groupa
  Permission flags: SYSTEM, V2
  Granted to Privilege: privA
  Indirect Member of roles: roleA
[root@yttrium ~]# ipa --debug role-mod roleA --setattr='cn=roleAb' --all
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$6c90a617...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$6c90a617.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin', cookie: 'ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc;'
ipa: DEBUG: trying https://yttrium.idmqe.lab.eng.bos.redhat.com/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_140006886972272
ipa: DEBUG: raw: role_mod('roleA', setattr='cn=roleAb', all=True, version='2.230')
ipa: DEBUG: role_mod('roleA', setattr=('cn=roleAb',), all=True, version='2.230')
ipa: DEBUG: [try 1]: Forwarding 'role_mod/1' to json server 'https://yttrium.idmqe.lab.eng.bos.redhat.com/ipa/session/json'
ipa: DEBUG: New HTTP connection (yttrium.idmqe.lab.eng.bos.redhat.com)
ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc;' for principal admin
ipa: DEBUG: Destroyed connection context.rpcclient_140006886972272
---------------------
Modified role "roleA"
---------------------
  dn: cn=roleAb,cn=roles,cn=accounts,dc=testrelm,dc=test
  Role name: roleAb
  Description: roleA
  Member users: usera
  Privileges: privA
  objectclass: groupofnames, nestedgroup, top
[root@yttrium ~]# 


Also tried the ipa privilege-mod 'HBAC Administrator' --rename 'hbacadmins' command


[root@yttrium ~]# ipa --debug privilege-mod 'HBAC Administrator' --rename 'hbacadmins'
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$6c90a617...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$6c90a617.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin', cookie: 'ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc;'
ipa: DEBUG: trying https://yttrium.idmqe.lab.eng.bos.redhat.com/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_140400883836296
ipa: DEBUG: raw: privilege_mod('HBAC Administrator', rename='hbacadmins', version='2.230')
ipa: DEBUG: privilege_mod('HBAC Administrator', rename='hbacadmins', version='2.230')
ipa: DEBUG: [try 1]: Forwarding 'privilege_mod/1' to json server 'https://yttrium.idmqe.lab.eng.bos.redhat.com/ipa/session/json'
ipa: DEBUG: New HTTP connection (yttrium.idmqe.lab.eng.bos.redhat.com)
ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc;' for principal admin
ipa: DEBUG: Destroyed connection context.rpcclient_140400883836296
---------------------------------------
Modified privilege "HBAC Administrator"
---------------------------------------
  Privilege name: hbacadmins
  Description: HBAC Administrator
  Permissions: System: Add HBAC Rule, System: Delete HBAC Rule, System: Manage HBAC Rule Membership, System: Modify HBAC Rule, System:
               Add HBAC Services, System: Delete HBAC Services, System: Add HBAC Service Groups, System: Delete HBAC Service Groups,
               System: Manage HBAC Service Group Membership
  Granting privilege to roles: IT Security Specialist
[root@yttrium ~]# 


Note: Automated regression will be executed later

Comment 14 Sumedh Sidhaye 2019-04-25 08:54:22 UTC
Build used for verification:

[root@vm-idm-026 ~]# rpm -qa 389-ds-base; rpm -qa ipa-server
389-ds-base-1.4.0.20-10.module+el8.0.0+3096+101825d5.x86_64
ipa-server-4.7.1-11.module+el8+2842+7481110c.x86_64
[root@vm-idm-026 ~]# 


Steps used for verification:

1. Install IPA server
2. Set up RBAC rules like this:

ipa user-add --first=user --last=one userA
ipa group-add groupA
ipa group-add-member groupA --users=userA
ipa permission-add permA --right=write --targetgroup=groupA --attr=description
ipa privilege-add privA --desc=privA
ipa privilege-add-permission privA --permission=permA
ipa role-add roleA --desc=roleA
ipa role-add-privilege roleA --privileges=privA
ipa role-add-member roleA --users=userA --all
ipa permission-mod permA --attrs=description --attrs=member
ipa --debug role-mod roleA --setattr='cn=roleAb' --all

[root@vm-idm-026 ~]# ./test_bz_1690024.sh 
------------------
Added user "usera"
------------------
  User login: usera
  First name: user
  Last name: one
  Full name: user one
  Display name: user one
  Initials: uo
  Home directory: /home/usera
  GECOS: user one
  Login shell: /bin/sh
  Principal name: usera
  Principal alias: usera
  Email address: usera
  UID: 1255800001
  GID: 1255800001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
--------------------
Added group "groupa"
--------------------
  Group name: groupa
  GID: 1255800003
  Group name: groupa
  GID: 1255800003
  Member users: usera
-------------------------
Number of members added 1
-------------------------
------------------------
Added permission "permA"
------------------------
  Permission name: permA
  Granted rights: write
  Effective attributes: description
  Bind rule type: permission
  Subtree: dc=testrelm,dc=test
  Target DN: cn=groupa,cn=groups,cn=accounts,dc=testrelm,dc=test
  Target group: groupa
  Permission flags: SYSTEM, V2
-----------------------
Added privilege "privA"
-----------------------
  Privilege name: privA
  Description: privA
  Privilege name: privA
  Description: privA
  Permissions: permA
-----------------------------
Number of permissions added 1
-----------------------------
------------------
Added role "roleA"
------------------
  Role name: roleA
  Description: roleA
  Role name: roleA
  Description: roleA
  Privileges: privA
----------------------------
Number of privileges added 1
----------------------------
  dn: cn=roleA,cn=roles,cn=accounts,dc=testrelm,dc=test
  Role name: roleA
  Description: roleA
  Member users: usera
  Privileges: privA
  objectclass: groupofnames, nestedgroup, top
-------------------------
Number of members added 1
-------------------------
---------------------------
Modified permission "permA"
---------------------------
  Permission name: permA
  Granted rights: write
  Effective attributes: description, member
  Bind rule type: permission
  Subtree: dc=testrelm,dc=test
  Target DN: cn=groupa,cn=groups,cn=accounts,dc=testrelm,dc=test
  Target group: groupa
  Permission flags: SYSTEM, V2
  Granted to Privilege: privA
  Indirect Member of roles: roleA
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$9af13900...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$9af13900.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin', cookie: 'ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO;'
ipa: DEBUG: trying https://vm-idm-026.lab.eng.pnq.redhat.com/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_139709427301288
ipa: DEBUG: raw: role_mod('roleA', setattr='cn=roleAb', all=True, version='2.230')
ipa: DEBUG: role_mod('roleA', setattr=('cn=roleAb',), all=True, version='2.230')
ipa: DEBUG: [try 1]: Forwarding 'role_mod/1' to json server 'https://vm-idm-026.lab.eng.pnq.redhat.com/ipa/session/json'
ipa: DEBUG: New HTTP connection (vm-idm-026.lab.eng.pnq.redhat.com)
ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO;' for principal admin
ipa: DEBUG: Destroyed connection context.rpcclient_139709427301288
---------------------
Modified role "roleA"
---------------------
  dn: cn=roleAb,cn=roles,cn=accounts,dc=testrelm,dc=test
  Role name: roleAb
  Description: roleA
  Member users: usera
  Privileges: privA
  objectclass: groupofnames, nestedgroup, top
[root@vm-idm-026 ~]# ipa --debug privilege-mod 'HBAC Administrator' --rename 'hbacadmins'
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$9af13900...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$9af13900.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin', cookie: 'ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO;'
ipa: DEBUG: trying https://vm-idm-026.lab.eng.pnq.redhat.com/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_139933000615360
ipa: DEBUG: raw: privilege_mod('HBAC Administrator', rename='hbacadmins', version='2.230')
ipa: DEBUG: privilege_mod('HBAC Administrator', rename='hbacadmins', version='2.230')
ipa: DEBUG: [try 1]: Forwarding 'privilege_mod/1' to json server 'https://vm-idm-026.lab.eng.pnq.redhat.com/ipa/session/json'
ipa: DEBUG: New HTTP connection (vm-idm-026.lab.eng.pnq.redhat.com)
ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO;' for principal admin
ipa: DEBUG: Destroyed connection context.rpcclient_139933000615360
---------------------------------------
Modified privilege "HBAC Administrator"
---------------------------------------
  Privilege name: hbacadmins
  Description: HBAC Administrator
  Permissions: System: Add HBAC Rule, System: Delete HBAC Rule, System: Manage HBAC Rule Membership, System: Modify HBAC Rule, System:
               Add HBAC Services, System: Delete HBAC Services, System: Add HBAC Service Groups, System: Delete HBAC Service Groups,
               System: Manage HBAC Service Group Membership
  Granting privilege to roles: IT Security Specialist
[root@vm-idm-026 ~]#

Comment 17 errata-xmlrpc 2019-05-07 04:17:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0965

