Bug 723233 - HBAC rule :: invalid error message now that deny rule is deprecated and help needs update
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa (Show other bugs)
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Rob Crittenden
QA Contact: Chandrasekar Kannan
Docs Contact:
Depends On:
Blocks:
Reported: 2011-07-19 09:28 EDT by Jenny Galipeau
Modified: 2015-01-04 18:50 EST (History)

See Also:
Fixed In Version: ipa-2.1.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Trying to create a rule with an invalid type will return an error that only allow and deny are accepted as types. But deny rules are not allowed. Consequence: User may be confused that there is a type option but only one type allowed. Fix: The deny type was deprecated because the sssd determined that properly enforcing the deny type was extremely difficult and dependent on how other libraries present host information. Result: The option is still listed because of API backwards compatibility reasons. HBAC deny rules are deprecated.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-12-06 13:41:25 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments:


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-05 20:23:31 EST

Description Jenny Galipeau 2011-07-19 09:28:43 EDT
Description of problem:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-hbacrule-cli-002: Rule Type Required - unknown type
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [09:18:33] ::  Executing: ipa hbacrule-add --type=bad test
ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
:: [09:18:34] ::  "ipa hbacrule-add --type=bad test" failed as expected.
:: [09:18:35] ::  Error message as expected: ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
:: [   PASS   ] :: Verify expected error message for Unknown Rule Type


The error message still says that "deny" is valid.

help output:

# ipa help hbacrule-add
Purpose: Create a new HBAC rule.
Usage: ipa [global-options] hbacrule-add NAME [options]

Options:
  -h, --help            show this help message and exit
  --type=STRENUM        Rule type (allow or deny)  <============================
  --usercat=STRENUM     User category the rule applies to
  --hostcat=STRENUM     Host category the rule applies to
  --srchostcat=STRENUM  Source host category the rule applies to
  --servicecat=STRENUM  Service category the rule applies to
  --desc=STR            Description
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The
                        attribute must be part of the schema.
  --setattr=STR         Set an attribute to a name/value pair. Format is
                        attr=value. For multi-valued attributes, the command
                        replaces the values already present.
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
  --raw                 Print entries as stored on the server. Only affects
                        output format.


If there is only one type - do we need --type at all ????????



Version-Release number of selected component (if applicable):
ipa-server-2.0.99-3.20110715T0514zgit4bd85ce.el6.x86_64

Comment 1 Rob Crittenden 2011-07-19 10:02:38 EDT
You are allowed to provide deny because of legacy reasons but it will be rejected by the server if submitted.

# ipa hbacrule-add --type=deny test
ipa: ERROR: invalid 'type': The deny type has been deprecated.

The documentation is automatically generated from the available enumerators so I can't remove it from that.
Comment 2 Rob Crittenden 2011-07-19 14:07:25 EDT
https://fedorahosted.org/freeipa/ticket/1495
Comment 3 Rob Crittenden 2011-07-21 16:22:05 EDT
Note: This removes the --type option altogether.

master: 506cbaa1fb24c9c5afd091582de0af1c44cc33ea

ipa-2-0: e5bbc02a933f304c4d6781430f1a9e4d3dad88c2
Comment 4 Jenny Galipeau 2011-07-27 10:56:11 EDT
There is still a problem with --setattr --addattr for this attribute ...


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-hbacrule-cli-014: Negative - setattr and addattr accessRuleType
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [10:54:49] ::  Executing: ipa hbacrule-mod --setattr accessruletype=bad test
ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
:: [10:54:51] ::  "ipa hbacrule-mod --setattr accessruletype=bad test" failed as expected.
:: [10:54:52] ::  ERROR: Message not as expected. GOT: ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')  EXP: ipa: ERROR: invalid 'type': must be one of (u'allow')
:: [   FAIL   ] :: Verify expected error message for --setattr. (Expected 0, got 1)
:: [10:54:52] ::  Executing: ipa hbacrule-mod --addattr accessruletype=bad test
ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
:: [10:54:54] ::  "ipa hbacrule-mod --addattr accessruletype=bad test" failed as expected.
:: [10:54:56] ::  ERROR: Message not as expected. GOT: ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')  EXP: ipa: ERROR: invalid 'type': must be one of (u'allow')
:: [   FAIL   ] :: Verify expected error message for --addattr. (Expected 0, got 1)
:: [10:54:56] ::  Executing: ipa hbacrule-mod --addattr accessruletype=allow test
ipa: ERROR: accessruletype: Only one value allowed.
:: [10:54:58] ::  "ipa hbacrule-mod --addattr accessruletype=allow test" failed as expected.
:: [10:54:59] ::  Error message as expected: ipa: ERROR: accessruletype: Only one value allowed.
:: [   PASS   ] :: Verify expected error message for --addattr.


Maybe, make the accessruletype attribute not allowed to set or add?
Comment 5 Rob Crittenden 2011-07-27 11:10:07 EDT
deny needs to remain as an allowed type so you can search on existing values.

Attempting to create a deny rule results in a reasonable error message.

Using setattr is an advanced option so deeper understanding of the allowed attributes and their values is expected.
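The validation behaviour discussed in Comments 1, 4 and 5 (the client enumerator still lists "deny" for legacy reasons, the server rejects "deny" on create/modify with a deprecation error, "deny" remains a legal value when searching existing rules, and --addattr on the single-valued accessruletype is refused) as an added Python example. This is not FreeIPA's own code: the function names, the `searching` flag and the `SINGLE_VALUED` set are assumptions, and the message texts are modelled on the errors quoted in the report.

```python
"""Added example, not FreeIPA code: validate HBAC accessruletype values the
way this bug's discussion describes (assumed names throughout)."""

ALLOWED_TYPES = ("allow",)         # the only type a new or modified rule may have
LEGACY_TYPES = ("allow", "deny")   # values that may still exist in old entries
SINGLE_VALUED = {"accessruletype"}  # assumption: attributes that take one value


class ValidationError(ValueError):
    """Mirrors the "invalid 'name': reason" shape of the messages in the report."""

    def __init__(self, name, error):
        self.name = name
        self.error = error
        super().__init__(f"invalid '{name}': {error}")


def validate_rule_type(value, searching=False):
    """Return the normalised rule type or raise ValidationError.

    searching=False is the hbacrule-add / hbacrule-mod case: 'deny' is
    rejected as deprecated and any other unknown value lists only 'allow'.
    searching=True is the hbacrule-find case from Comment 5: 'deny' must
    stay accepted so existing deny rules can still be searched for.
    """
    if not isinstance(value, str):
        raise ValidationError("type", "must be a string")
    v = value.strip().lower()
    accepted = LEGACY_TYPES if searching else ALLOWED_TYPES
    if v == "deny" and not searching:
        raise ValidationError("type", "The deny type has been deprecated.")
    if v not in accepted:
        choices = ", ".join(repr(t) for t in accepted)
        raise ValidationError("type", f"must be one of ({choices})")
    return v


def parse_attr(attr_value):
    """Split an 'attr=value' argument as --setattr/--addattr expect it."""
    if "=" not in attr_value:
        raise ValidationError("setattr", "format is attr=value")
    attr, value = attr_value.split("=", 1)
    return attr.strip().lower(), value.strip()


def validate_setattr(attr_value):
    """--setattr path from Comment 4: the raw attribute value goes through the
    same rule-type check as the (former) --type option."""
    attr, value = parse_attr(attr_value)
    if attr == "accessruletype":
        value = validate_rule_type(value)
    return attr, value


def validate_addattr(attr_value, existing):
    """--addattr path: same check, plus refuse a second value on a
    single-valued attribute (the 'Only one value allowed.' case)."""
    attr, value = validate_setattr(attr_value)
    if attr in SINGLE_VALUED and existing.get(attr):
        raise ValueError(f"{attr}: Only one value allowed.")
    return attr, value


def check(fn, *args, **kwargs):
    """Run a validator and return (ok, result-or-message) in CLI error form."""
    try:
        return True, fn(*args, **kwargs)
    except ValueError as e:
        return False, f"ipa: ERROR: {e}"


if __name__ == "__main__":
    # Constructed inputs reproducing the commands exercised in the report.
    current_rule = {"accessruletype": ["allow"]}  # constructed existing entry
    cases = [
        ("hbacrule-add --type=bad", check, validate_rule_type, ("bad",), {}),
        ("hbacrule-add --type=deny", check, validate_rule_type, ("deny",), {}),
        ("hbacrule-find --type=deny", check, validate_rule_type, ("deny",), {"searching": True}),
        ("hbacrule-mod --setattr accessruletype=bad", check, validate_setattr, ("accessruletype=bad",), {}),
        ("hbacrule-mod --addattr accessruletype=allow", check, validate_addattr,
         ("accessruletype=allow", current_rule), {}),
    ]
    for label, runner, fn, args, kwargs in cases:
        ok, out = runner(fn, *args, **kwargs)
        print(f"{label}: {'OK ' if ok else 'FAIL'} {out}")
```

With the enumerator split this way the help text and the search filter can keep listing both legacy values while the create/modify path only ever advertises "allow", which is the inconsistency the QE log in Comment 4 was catching.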
Comment 6 Jenny Galipeau 2011-07-27 11:15:39 EDT
okay, understood!
Comment 9 Rob Crittenden 2011-10-31 16:59:43 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Trying to create a rule with an invalid type will return an error that only allow and deny are accepted as types. But deny rules are not allowed.
Consequence: User may be confused that there is a type option but only one type allowed.
Fix: The deny type was deprecated because the sssd determined that properly enforcing the deny type was extremely difficult and dependent on how other libraries present host information.
Result: The option is still listed because of API backwards compatibility reasons. HBAC deny rules are deprecated.
Comment 10 Gowrishankar Rajaiyan 2011-11-03 06:34:07 EDT
[root@qe-blade-12 ~]# ipa help hbacrule-add
Purpose: Create a new HBAC rule.
Usage: ipa [global-options] hbacrule-add NAME [options]

Options:
  -h, --help            show this help message and exit
  --usercat=['all']     User category the rule applies to
  --hostcat=['all']     Host category the rule applies to
  --srchostcat=['all']  Source host category the rule applies to
  --servicecat=['all']  Service category the rule applies to
  --desc=STR            Description
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The
                        attribute must be part of the schema.
  --setattr=STR         Set an attribute to a name/value pair. Format is
                        attr=value. For multi-valued attributes, the command
                        replaces the values already present.
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
  --raw                 Print entries as stored on the server. Only affects
                        output format.
[root@qe-blade-12 ~]# 

"--type" is no longer an option.

[root@qe-blade-12 ~]# ipa hbacrule-add --type=deny test
Usage: ipa [global-options] hbacrule-add NAME [options]

ipa: error: no such option: --type
----------------------------------

Verified in version:


Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
Comment 11 errata-xmlrpc 2011-12-06 13:41:25 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
