Description of problem:
I haven't found any doc to regulate this, but based on my experiment with the privilege command set, role-mod should not be allowed to do any membership-related operation. As a comparison, we use "privilege-add-permission" and "privilege-remove-permission" to do membership modification. By the same token, we should use "role-add-member" and "role-remove-member" to do the similar work. The current build allows it. My test is below:

[step one] before test:

[yi@dhcp-137 ipa-delegation]$ ipa role-find --all --raw
---------------
7 roles matched
---------------
...
dn: cn=testrole003,cn=roles,cn=accounts,dc=sjc,dc=redhat,dc=com
cn: testrole003
description: fromaddattr
objectclass: groupofnames
objectclass: nestedgroup
objectclass: top
...

[step two] use addattr to add a group under the role (this should fail but succeeds):

[yi@dhcp-137 ipa-delegation]$ ipa role-mod testrole003 --addattr=member=cn=group9724,cn=groups,cn=accounts,dc=sjc,dc=redhat,dc=com
---------------------------
Modified role "testrole003"
---------------------------
Role name: testrole003
Description: fromaddattr
Member groups: group9724

[yi@dhcp-137 ipa-delegation]$ ipa role-find testrole003
--------------
1 role matched
--------------
Role name: testrole003
Description: fromaddattr
Member groups: group9724
----------------------------
Number of entries returned 1
----------------------------

[yi@dhcp-137 ipa-delegation]$ ipa role-find testrole003 --raw --all
--------------
1 role matched
--------------
dn: cn=testrole003,cn=roles,cn=accounts,dc=sjc,dc=redhat,dc=com
cn: testrole003
description: fromaddattr
member: cn=group9724,cn=groups,cn=accounts,dc=sjc,dc=redhat,dc=com
memberindirect: uid=testuser21066,cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com
memberindirect: uid=testuser12077,cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com
memberindirect: uid=testuser28632,cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com
objectclass: groupofnames
objectclass: nestedgroup
objectclass: top
----------------------------
Number of entries returned 1
----------------------------

Version-Release number of selected component (if applicable):
ipa-server-2.0-0.2011011115gitc778919.fc14.i686

How reproducible:
always

Additional info:
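Since role-mod --addattr can write the member attribute directly, an administrator who wants to confirm that a role's direct membership still matches what was approved has to read the raw output rather than trust the role-add-member audit trail. The following Python script is an added example, not part of the bug report or of FreeIPA's own code: it parses the LDIF-style output of `ipa role-find --all --raw` (the sample below is constructed from the output quoted above), separates direct `member:` values from nested `memberindirect:` ones, and reports any direct member that is not on an expected allowlist. The mapping of IPA container names (cn=users, cn=groups, ...) to member kinds is an assumption made for readability.

```python
"""Audit direct vs. nested role membership from `ipa role-find --all --raw` output."""
import re

# Constructed sample, copied from the raw output quoted in the bug report above.
SAMPLE_OUTPUT = """--------------
1 role matched
--------------
dn: cn=testrole003,cn=roles,cn=accounts,dc=sjc,dc=redhat,dc=com
cn: testrole003
description: fromaddattr
member: cn=group9724,cn=groups,cn=accounts,dc=sjc,dc=redhat,dc=com
memberindirect: uid=testuser21066,cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com
memberindirect: uid=testuser12077,cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com
memberindirect: uid=testuser28632,cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com
objectclass: groupofnames
objectclass: nestedgroup
objectclass: top
----------------------------
Number of entries returned 1
----------------------------
"""

# "attr: value" lines only; separator rows and the "N roles matched" banner do not match.
ATTR_RE = re.compile(r"^([A-Za-z][\w;-]*): (.*)$")

# Assumed mapping from the IPA container an entry lives in to a readable member kind.
CONTAINER_KINDS = {"users": "user", "groups": "group", "hostgroups": "hostgroup",
                   "computers": "host", "services": "service"}


def parse_raw_entries(text):
    """Return one dict per entry (lowercase attribute -> list of values); a 'dn:' line starts an entry."""
    entries, current = [], None
    for line in text.splitlines():
        m = ATTR_RE.match(line.rstrip())
        if not m:
            continue
        attr, value = m.group(1).lower(), m.group(2)
        if attr == "dn":
            current = {}
            entries.append(current)
        if current is None:
            continue  # attribute line before any dn: ignore
        current.setdefault(attr, []).append(value)
    return entries


def split_dn(dn):
    """Split a DN into (type, value) pairs; assumes no escaped commas, which holds for IPA-generated DNs."""
    return [tuple(s.strip() for s in rdn.partition("=")[::2]) for rdn in dn.split(",")]


def classify_member(dn):
    """Map a member DN to (kind, name) using the second RDN, e.g. cn=users -> 'user'."""
    parts = split_dn(dn)
    name = parts[0][1]
    container = parts[1][1].lower() if len(parts) > 1 else ""
    return CONTAINER_KINDS.get(container, container or "unknown"), name


def summarize_roles(text):
    """role name -> {'direct': [(kind, name)], 'indirect': [(kind, name)]}."""
    roles = {}
    for entry in parse_raw_entries(text):
        roles[entry["cn"][0]] = {
            "direct": [classify_member(d) for d in entry.get("member", [])],
            "indirect": [classify_member(d) for d in entry.get("memberindirect", [])],
        }
    return roles


def unexpected_direct_members(roles, expected):
    """Return {role: [members]} for direct members missing from the expected allowlist."""
    findings = {}
    for name, info in roles.items():
        allowed = set(expected.get(name, []))
        extra = [m for m in info["direct"] if m not in allowed]
        if extra:
            findings[name] = extra
    return findings


if __name__ == "__main__":
    roles = summarize_roles(SAMPLE_OUTPUT)
    for name, info in roles.items():
        print(f"{name}: direct={info['direct']} indirect={info['indirect']}")
    # Allowlist stating that testrole003 should have no direct members at all.
    print("unexpected:", unexpected_direct_members(roles, {"testrole003": []}))
```

Feed it the output of `ipa role-find --all --raw` (for example via `summarize_roles(sys.stdin.read())`) and keep the allowlist in version control, so that a direct member that appeared through --addattr rather than role-add-member shows up as a finding.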
Got reply from Dmitri "See the doc I sent earlier today. I think this is intentional as it his the internal relationships between objects. Please close the bug. "