Description of problem:
The current implementation of TPS roles is as previously defined in the 7.3 product. This definition needs to be revisited and redefined. Once this is defined, alee can go back and code appropriate permissions for roles.
When a user has just the Admin role, they are unable to list/search or create a token. As per comment #4, an admin user should be able to do these operations.

STR:
1. Installed TPS and configured it with an admin user who has the operator, agent and admin roles.
2. Enrolled a couple of tokens.
3. In administrator operations, list/search tokens: the tokens are listed.
4. In TPS administrator operations, created a user with just the admin role, say adminuser#2 (created a certificate for this user using the profile 'Manual user dual use certificate enrollment').
5. Visit the TPS main page with adminuser#2's certificate.

Actual results:
List tokens and search tokens respond with "token not found". Add new token responds with "Error: Authentication failure". Search/list activities does not show the token activities, it just displays user add/delete/modify activities.

Expected results:
List and search tokens should list the tokens. Add token should add the token to the list. Search/list activities should show the token activities.
Asha, when you create a new user, the user needs to have access to a profile. Without this, he cannot see / do activities with tokens. Please add "All Profiles" to admin user #2 and see how this changes the behaviour. Ade
Added "All Profiles" to admin user #2; able to list/search tokens and list/search activities, but not able to add/delete tokens, getting the error: Authorization failure.
Asha, You've found a bug -- fixing .. Index: dogtag/tps/pki-tps.spec =================================================================== --- dogtag/tps/pki-tps.spec (revision 612) +++ dogtag/tps/pki-tps.spec (working copy) @@ -34,7 +34,7 @@ ## Package Header Definitions %define base_name %{base_prefix}-%{base_component} %define base_version 1.1.0 -%define base_release 29 +%define base_release 30 %define base_group System Environment/Daemons %define base_vendor Red Hat, Inc. %define base_license LGPLv2 with exceptions @@ -313,6 +313,8 @@ ############################################################################### %changelog +* Tue Jun 16 2009 Ade Lee <alee> 1.1.0-30 +- Bugzilla Bug #484275 - TPS Role Definition - fix typo on adding token * Fri Jun 12 2009 Ade Lee <alee> 1.1.0-29 - Bugzilla Bug #489318 - TPS List Activites - does not list activities after 20 entries - fix pagination * Wed Jun 10 2009 Ade Lee <alee> 1.1.0-28 Index: base/tps/src/modules/tokendb/mod_tokendb.cpp =================================================================== --- base/tps/src/modules/tokendb/mod_tokendb.cpp (revision 612) +++ base/tps/src/modules/tokendb/mod_tokendb.cpp (working copy) @@ -4892,7 +4892,7 @@ } else if( PL_strstr( query, "op=add" ) ) { tokendbDebug( "authorization for op=add\n" ); RA_Status token_type_status; - if( ! is_agent ) { + if( ! is_admin ) { error_out("Authorization Failure", "Failed to authorize request"); do_free(buf); do_free(uri);
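Review bot: The changelog entry describes the mod_tokendb.cpp change as "fix typo on adding token", but the change moves the role allowed to add a token from agent to admin, which is an authorization behaviour change rather than a typo; state it as such (for example "op=add now requires the admin role instead of the agent role") so that anyone auditing TPS role permissions from the release notes sees it.

Review bot: The `op=add` branch in mod_tokendb.cpp now tests `is_admin` instead of `is_agent`, but the failure reported in comment #4 was on both add and delete, and this diff touches only the `op=add` branch; confirm that the `op=delete` branch (and any other branch gating an admin operation) was checked the same way, otherwise the admin-only user will pass add and still fail delete. Since the old line `if( ! is_agent )` let agent-role users add tokens, also verify with an agent-only user that losing the add path is what the role definition in comment #4 intends.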
[builder@dhcp231-124 pki]$ svn ci -m "Bugzilla Bug #484275 - TPS Role Definition - fix typo on adding token" Sending base/tps/src/modules/tokendb/mod_tokendb.cpp Sending dogtag/tps/pki-tps.spec Transmitting file data .. Committed revision 613.
Verified. Admin, agent and operator roles work as defined in comment #4. The newly created Admin user is able to list and search tokens, add/delete tokens, and search/list activities.
With the migrated instance, which has 16140 tokens, "list/search tokens" with the newly created admin user's credentials lists only 4 tokens.
Asha, comment #15 refers to a migration bug. Please open a new bug and close this one. Some questions:
1. What profiles does the admin user have access to?
2. Has the TPS migration script been run?
3. Where is the ldif output for the TPS data to be migrated, both pre and post migration script?
Ade
Tested with All Profiles set for the admin role; able to list all the tokens. Deon, please make sure the doc has details stating that an admin user must have 'All Profiles' access in order to list/search tokens.
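The thread describes two separate checks that together explain the symptoms in comments #4 and #6 and the fix in the patch: a per-operation role gate (op=add tested is_agent before the patch and is_admin after it) and a per-token profile filter (a user with no profile access sees no tokens even when the role gate passes). The following is an added, constructed model of those two layers written for this thread; it is not Dogtag code, and the type and function names (TpsUser, Token, authorize_op, can_see_profile, list_tokens), the sample token ids and profile names, and the assumption that op=delete uses the same admin gate as op=add are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the TPS role gate and profile filter discussed in this
 * bug. Not Dogtag code; all names below are assumptions for illustration. */

typedef struct {
    const char *uid;
    bool is_admin, is_agent, is_operator;   /* TPS roles held by the user */
    const char *profiles[4];                /* NULL-terminated; "All Profiles" grants every profile */
} TpsUser;

typedef struct {
    const char *cuid;      /* token id (constructed) */
    const char *profile;   /* profile/token type the token was enrolled under (constructed) */
} Token;

/* Layer 1: per-operation role gate. Add and delete are admin operations;
 * list, search and activities are open to all three roles. `before_fix`
 * reproduces the op=add check from before the patch (it tested is_agent),
 * which is why an admin-only user got "Authorization Failure" on add. */
bool authorize_op(const TpsUser *u, const char *op, bool before_fix)
{
    if (strcmp(op, "add") == 0)
        return before_fix ? u->is_agent : u->is_admin;
    if (strcmp(op, "delete") == 0)
        return u->is_admin;                 /* assumption: same gate as the fixed op=add */
    if (strcmp(op, "list") == 0 || strcmp(op, "search") == 0 ||
        strcmp(op, "activities") == 0)
        return u->is_admin || u->is_agent || u->is_operator;
    return false;                           /* unknown op: deny by default */
}

/* Layer 2: profile access. A user sees a token only if one of the user's
 * profiles matches the token's profile, or the user holds "All Profiles". */
bool can_see_profile(const TpsUser *u, const char *profile)
{
    for (size_t i = 0; u->profiles[i] != NULL; i++) {
        if (strcmp(u->profiles[i], "All Profiles") == 0 ||
            strcmp(u->profiles[i], profile) == 0)
            return true;
    }
    return false;
}

/* The role gate lets the list request through, but the result set is still
 * filtered by profile: a user with no profile access gets 0 rows, which the
 * UI reports as "token not found". */
size_t list_tokens(const TpsUser *u, const Token *toks, size_t n, const Token **out)
{
    size_t k = 0;
    if (!authorize_op(u, "list", false))
        return 0;
    for (size_t i = 0; i < n; i++)
        if (can_see_profile(u, toks[i].profile))
            out[k++] = &toks[i];
    return k;
}

/* Constructed sample data: two tokens, adminuser#2 as first created (no
 * profiles), the same user after "All Profiles" was added, and an agent-only
 * user for comparing the old and new op=add gate. */
static const Token sample_tokens[] = {
    { "token-0001", "userKey" },
    { "token-0002", "soKey" },
};
static const TpsUser admin_no_profiles  = { "adminuser2", true,  false, false, { NULL } };
static const TpsUser admin_all_profiles = { "adminuser2", true,  false, false, { "All Profiles", NULL } };
static const TpsUser agent_only         = { "agent1",     false, true,  false, { "All Profiles", NULL } };

/* Convenience wrapper: how many of the sample tokens a user can list. */
size_t visible_token_count(const TpsUser *u)
{
    const Token *seen[2];
    return list_tokens(u, sample_tokens, 2, seen);
}

int main(void)
{
    printf("admin, no profiles:   %zu tokens visible\n", visible_token_count(&admin_no_profiles));
    printf("admin, All Profiles:  %zu tokens visible\n", visible_token_count(&admin_all_profiles));
    printf("admin op=add before fix: %s\n", authorize_op(&admin_all_profiles, "add", true)  ? "ok" : "Authorization Failure");
    printf("admin op=add after fix:  %s\n", authorize_op(&admin_all_profiles, "add", false) ? "ok" : "Authorization Failure");
    printf("agent op=add after fix:  %s\n", authorize_op(&agent_only, "add", false)         ? "ok" : "Authorization Failure");
    return 0;
}
```

The point of keeping the two layers separate is that they fail differently: a role-gate failure is an explicit "Authorization Failure", while a profile-filter failure is an empty result set, which is why adding "All Profiles" in comment #5 fixed list/search but not add/delete.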
I forgot to add this comment at release, but I added a note to the section on setting TPS profiles for users, at http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/managing-user-and-groups-for_a_TPS.html#users-profiles, in response to comment #17.