Bug 484275 - TPS Role definition needs to be clarified
Summary: TPS Role definition needs to be clarified
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: TPS
Version: unspecified
Hardware: All
OS: Linux
urgent
medium
Target Milestone: ---
Assignee: Ade Lee
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 443788
Reported: 2009-02-05 20:17 UTC by Ade Lee
Modified: 2015-01-04 23:36 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-07-22 23:32:12 UTC
Embargoed:



Description Ade Lee 2009-02-05 20:17:22 UTC
Description of problem:

The current implementation of TPS roles is as previously defined in the 7.3 product.  This definition needs to be revisited and redefined.

Once this is defined, alee can go back and code appropriate permissions for roles.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 9 Asha Akkiangady 2009-06-15 02:51:06 UTC
When a user has just the Admin role, they are unable to list/search or create a token. As per comment #4, the admin user should be able to do these operations.

STR:
1. Installed TPS and configured with an admin user who has operator, agent and admin roles.
2. Enrolled a couple of tokens.

3. In administrator operations list/search tokens, tokens are listed.

4. In TPS administrator operations, created a user with just the admin role, say adminuser#2. (Created a certificate for this user using the profile 'Manual user dual use certificate enrollment'.)

5. Visit tps main page with adminuser#2's certificate.

Actual results:
List tokens and search tokens respond with token not found.
Add new token responds with Error: Authentication failure.
Search/list activities does not show the token activities; it just displays user add/delete/modify activities.


Expected results:
List and Search tokens should list the tokens.
Add token should add the token to the list.
Search/list activities should show the token activities.

Additional info:

Comment 10 Ade Lee 2009-06-15 15:02:50 UTC
Asha, 

When you create a new user, the user needs to have access to a profile.
Without this, he cannot see / do activities with tokens.

Please add "All Profiles" to the admin user #2, and see how this changes the behaviour.

Ade

Comment 11 Asha Akkiangady 2009-06-16 00:22:42 UTC
Added "All Profiles" to the admin user#2; able to list/search tokens and list/search activities, but not able to add/delete tokens, getting error: Authorization failure.

Comment 12 Ade Lee 2009-06-16 05:34:30 UTC
Asha, 

You've found a bug -- fixing ..

Index: dogtag/tps/pki-tps.spec
===================================================================
--- dogtag/tps/pki-tps.spec     (revision 612)
+++ dogtag/tps/pki-tps.spec     (working copy)
@@ -34,7 +34,7 @@
 ## Package Header Definitions
 %define base_name         %{base_prefix}-%{base_component}
 %define base_version      1.1.0
-%define base_release      29
+%define base_release      30
 %define base_group        System Environment/Daemons
 %define base_vendor       Red Hat, Inc.
 %define base_license      LGPLv2 with exceptions
@@ -313,6 +313,8 @@
 ###############################################################################
 
 %changelog
+* Tue Jun 16 2009 Ade Lee <alee> 1.1.0-30
+- Bugzilla Bug #484275 - TPS Role Definition - fix typo on adding token
 * Fri Jun 12 2009 Ade Lee <alee> 1.1.0-29
 - Bugzilla Bug #489318 - TPS List Activites - does not list activities after 20 entries - fix pagination
 * Wed Jun 10 2009 Ade Lee <alee> 1.1.0-28
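
Review bot: The 1.1.0-30 changelog entry calls this a typo fix, but the accompanying source change alters which role is authorized for op=add, so the entry should say that. Suggested wording: "- Bugzilla Bug #484275 - TPS Role Definition - require admin role instead of agent role to add token", so the access-control change is visible in the package history.
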
Index: base/tps/src/modules/tokendb/mod_tokendb.cpp
===================================================================
--- base/tps/src/modules/tokendb/mod_tokendb.cpp        (revision 612)
+++ base/tps/src/modules/tokendb/mod_tokendb.cpp        (working copy)
@@ -4892,7 +4892,7 @@
     } else if( PL_strstr( query, "op=add" ) ) {
         tokendbDebug( "authorization for op=add\n" );
         RA_Status token_type_status;
-        if( ! is_agent ) {
+        if( ! is_admin ) {
             error_out("Authorization Failure", "Failed to authorize request");
             do_free(buf);
             do_free(uri);
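
Review bot: Only the op=add branch at `if( ! is_admin )` is changed, while comment 11 reports that both add and delete fail with an authorization error for an admin-only user; please confirm that the delete branch already checks is_admin, or include it in this patch. With this change a user who is an agent but not an admin loses op=add, so it is also worth confirming that this matches the intended role definition, and extending the tokendbDebug line before error_out to name the role that was required, so a denied request can be traced to this check.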

Comment 13 Ade Lee 2009-06-16 05:35:24 UTC
[builder@dhcp231-124 pki]$ svn ci -m "Bugzilla Bug #484275 - TPS Role Definition - fix typo on adding token" 
Sending        base/tps/src/modules/tokendb/mod_tokendb.cpp
Sending        dogtag/tps/pki-tps.spec
Transmitting file data ..
Committed revision 613.

Comment 14 Asha Akkiangady 2009-07-06 01:59:00 UTC
Verified.

Admin, agent and operator roles work as defined in comment #4.
Newly created Admin user is able to List and Search tokens, Add/Delete tokens and search/list activities.

Comment 15 Asha Akkiangady 2009-07-06 20:42:17 UTC
With the migrated instance which has 16140 tokens, with the newly created admin user credentials "list/search Tokens" lists only 4 tokens.

Comment 16 Ade Lee 2009-07-06 20:51:18 UTC
Asha,

Comment #15 refers to a migration bug.  Please open a new bug and close this one.

Some questions:
1. What profiles does the admin user have access to?
2. Has the TPS migration script been run?
3. Where is the LDIF output for the TPS data to be migrated, both pre and post migration script?

Ade

Comment 17 Asha Akkiangady 2009-07-06 21:53:56 UTC
Tested with All profiles set for the admin role; able to list all the tokens.

Deon, please make sure the doc has details that the admin user should contain 'All profiles' access in order to list/search tokens.

Comment 19 Deon Ballard 2009-08-14 16:51:17 UTC
I forgot to add this comment at release, but I added a note to the section on setting TPS profiles for users, at http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/managing-user-and-groups-for_a_TPS.html#users-profiles, in response to comment #17.

