RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 713481 - Removed "RunAs External Group" is displayed in the output when "--all" switch is used.
Summary: Removed "RunAs External Group" is displayed in the output when "--all" switc...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-06-15 14:18 UTC by Gowrishankar Rajaiyan
Modified: 2015-01-04 23:49 UTC (History)
3 users (show)

Fixed In Version: ipa-2.1.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: When removing a runAsGroup value from a sudorule the command appears successful but the group is included in the output as still a member. Consequence: The state of the entry is confusing. Fix: Stale data was being returned to the user. Result: The data is now refreshed before returning, showing the proper membership.
Clone Of:
Environment:
Last Closed: 2011-12-06 18:33:51 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 0 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Gowrishankar Rajaiyan 2011-06-15 14:18:38 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.0.0-25.el6.x86_64
ipa-admintools-2.0.0-25.el6.x86_64

How reproducible:


Steps to Reproduce:
1. # ipa sudorule-remove-runasgroup rule1 --groups=tgroup2 --all
  dn: ipauniqueid=76efffae-974e-11e0-8551-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: rule1
  Enabled: TRUE
  Run As Group: sudogrp1, sudogrp2, sudogrp3, sudogrp4, sudogrp5, sudogrp6
  RunAs External Group: tgroup2, tgroup3, tgroup4, tgroup5, tgroup6
  ipauniqueid: 76efffae-974e-11e0-8551-525400deab7b
  objectclass: ipaassociation, ipasudorule
---------------------------
Number of members removed 1
---------------------------
  
Actual results:
Observe that the removed "RunAs External Group" is still displayed in the output. tgroup2 in this case.


Expected results:
Removing an "RunAs External Group" with --all switch should remove it from its output as
well. 


Additional info:
The core problem is likely the same as https://bugzilla.redhat.com/show_bug.cgi?id=709665
Comment 2 Rob Crittenden 2011-07-12 18:20:02 UTC 
https://fedorahosted.org/freeipa/ticket/1348
Comment 3 Rob Crittenden 2011-08-01 20:19:22 UTC 
master: 0359e2a0434c3c4e578a8d5fb3341084e82ada1c

ipa-2-0: 42bf96df457c8c4a698d80fa7d1e4a60bb2fb4b6
Comment 5 Gowrishankar Rajaiyan 2011-10-25 15:09:29 UTC 
[root@bumblebee ~]# ipa sudorule-show sudorule1 --all
  dn: ipauniqueid=7efc46e4-ff4f-11e0-a0a8-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: sudorule1
  Enabled: TRUE
  RunAs External Group: sudogrp1, sudogrp2, sudogrp3, sudogrp4, sudogrp5
  RunAs Groups: grp1, grp2, grp3, grp4, grp5
  ipauniqueid: 7efc46e4-ff4f-11e0-a0a8-525400deab7b
  objectclass: ipaassociation, ipasudorule
[root@bumblebee ~]# 


[root@bumblebee ~]# ipa sudorule-remove-runasgroup sudorule1 --groups=sudogrp3 --all
  dn: ipauniqueid=7efc46e4-ff4f-11e0-a0a8-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: sudorule1
  Enabled: TRUE
  RunAs External Group: sudogrp1, sudogrp2, sudogrp4, sudogrp5
  RunAs Groups: grp1, grp2, grp3, grp4, grp5
  ipauniqueid: 7efc46e4-ff4f-11e0-a0a8-525400deab7b
  objectclass: ipaassociation, ipasudorule
---------------------------
Number of members removed 1
---------------------------
[root@bumblebee ~]# 


Verified. Version: ipa-server-2.1.3-3.el6.x86_64
Comment 6 Rob Crittenden 2011-10-31 20:03:25 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: When removing a runAsGroup value from a sudorule the command appears successful but the group is included in the output as still a member.
Consequence: The state of the entry is confusing.
Fix: Stale data was being returned to the user.
Result: The data is now refreshed before returning, showing the proper membership.
Comment 7 errata-xmlrpc 2011-12-06 18:33:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
Note You need to log in before you can comment on or make changes to this bug.