Bug 484275 - TPS Role definition needs to be clarified
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: TPS
unspecified
All Linux
Priority: urgent, Severity: medium
Assigned To: Ade Lee
Chandrasekar Kannan
Blocks: 443788
Reported: 2009-02-05 15:17 EST by Ade Lee
Modified: 2015-01-04 18:36 EST

Doc Type: Bug Fix
Last Closed: 2009-07-22 19:32:12 EDT
Description Ade Lee 2009-02-05 15:17:22 EST
Description of problem:

The current implementation of TPS roles is as previously defined in the 7.3 product.  This definition needs to be revisited and redefined.

Once this is defined, alee can go back and code appropriate permissions for roles.

Comment 9 Asha Akkiangady 2009-06-14 22:51:06 EDT
When a user has just the Admin role, they are unable to list/search or create a token. As per comment #4, the admin user should be able to do these operations.

STR:
1. Installed TPS and configured with an admin user who has operator, agent and admin roles.
2. Enrolled couple of tokens.

3. In administrator operations list/search tokens, tokens are listed.

4. In TPS administrator operations, created a user with just the admin role, say adminuser#2. (Created a certificate for this user using the profile 'Manual user dual use certificate enrollment'.)

5. Visit tps main page with adminuser#2's certificate.

Actual results:
List tokens and search tokens respond with token not found.
Add new token responds with Error: Authentication failure.
Search/list activities does not show the token activities, it just displays user add/delete/modify activities.


Expected results:
List and Search tokens should list the tokens. 
Add token should add the token to the list.
search/list activities should show the token activities.

Comment 10 Ade Lee 2009-06-15 11:02:50 EDT
Asha, 

When you create a new user, the user needs to have access to a profile.
Without this, he cannot see / do activities with tokens.

Please add "All Profiles" to the admin user #2, and see how this changes the behaviour.

Ade
Comment 11 Asha Akkiangady 2009-06-15 20:22:42 EDT
Added "All Profiles" to the admin user#2, able to list/search tokens and list/search activities, but not able to add/delete tokens, getting error : Authorization failure.
Comment 12 Ade Lee 2009-06-16 01:34:30 EDT
Asha, 

You've found a bug -- fixing ..

Index: dogtag/tps/pki-tps.spec
===================================================================
--- dogtag/tps/pki-tps.spec     (revision 612)
+++ dogtag/tps/pki-tps.spec     (working copy)
@@ -34,7 +34,7 @@
 ## Package Header Definitions
 %define base_name         %{base_prefix}-%{base_component}
 %define base_version      1.1.0
-%define base_release      29
+%define base_release      30
 %define base_group        System Environment/Daemons
 %define base_vendor       Red Hat, Inc.
 %define base_license      LGPLv2 with exceptions
@@ -313,6 +313,8 @@
 ###############################################################################
 
 %changelog
+* Tue Jun 16 2009 Ade Lee <alee@redhat.com> 1.1.0-30
+- Bugzilla Bug #484275 - TPS Role Definition - fix typo on adding token
 * Fri Jun 12 2009 Ade Lee <alee@redhat.com> 1.1.0-29
 - Bugzilla Bug #489318 - TPS List Activites - does not list activities after 20 entries - fix pagination
 * Wed Jun 10 2009 Ade Lee <alee@redhat.com> 1.1.0-28
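Review bot: the added changelog line "fix typo on adding token" under 1.1.0-30 undersells a change to who is authorized: the accompanying code change swaps the role required for op=add from agent to admin. Since this entry ships in the package changelog, word it so an administrator can tell that adding a token now requires the admin role, for example "require admin role (not agent) for token add".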
Index: base/tps/src/modules/tokendb/mod_tokendb.cpp
===================================================================
--- base/tps/src/modules/tokendb/mod_tokendb.cpp        (revision 612)
+++ base/tps/src/modules/tokendb/mod_tokendb.cpp        (working copy)
@@ -4892,7 +4892,7 @@
     } else if( PL_strstr( query, "op=add" ) ) {
         tokendbDebug( "authorization for op=add\n" );
         RA_Status token_type_status;
-        if( ! is_agent ) {
+        if( ! is_admin ) {
             error_out("Authorization Failure", "Failed to authorize request");
             do_free(buf);
             do_free(uri);
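Review bot: in the op=add branch, replacing "if( ! is_agent )" with "if( ! is_admin )" removes the agent path entirely, so a user holding only the agent role who passed this check at revision 612 will now get "Authorization Failure"; please confirm that the role definition makes add admin-only, and add a regression test covering an agent-only and an admin-only user. Separately, the branch is selected with PL_strstr( query, "op=add" ), which matches that text anywhere in the query string rather than the value of the op parameter; comparing the parsed op value exactly would keep the mapping from operation to required role unambiguous.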
Comment 13 Ade Lee 2009-06-16 01:35:24 EDT
[builder@dhcp231-124 pki]$ svn ci -m "Bugzilla Bug #484275 - TPS Role Definition - fix typo on adding token" 
Sending        base/tps/src/modules/tokendb/mod_tokendb.cpp
Sending        dogtag/tps/pki-tps.spec
Transmitting file data ..
Committed revision 613.
Comment 14 Asha Akkiangady 2009-07-05 21:59:00 EDT
Verified.

Admin, agent and operator roles work as defined in comment #4.
Newly created Admin user is able to List and Search tokens, Add/Delete tokens and search/list activities.
Comment 15 Asha Akkiangady 2009-07-06 16:42:17 EDT
With the migrated instance which has 16140 tokens, with the newly created admin user credentials "list/search Tokens" lists only 4 tokens.
Comment 16 Ade Lee 2009-07-06 16:51:18 EDT
Asha,

Comment #15 refers to a migration bug.  Please open a new bug - and close this one.

Some questions :
1. what profiles does the admin user have access to?
2. has the tps migration script been run?
3. where is the ldif output for the tps data to be migrated - both pre and post migration script ..

Ade
Comment 17 Asha Akkiangady 2009-07-06 17:53:56 EDT
Tested with All profiles set for the admin role, able to list all the tokens. 

Deon, please make sure the doc has details that the admin user should have 'All profiles' access in order to list/search tokens.
Comment 19 Deon Ballard 2009-08-14 12:51:17 EDT
I forgot to add this comment at release, but I added a note to the section on setting TPS profiles for users, at http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/managing-user-and-groups-for_a_TPS.html#users-profiles, in response to comment #17.
