Bug 723233 - HBAC rule :: invalid error message now that deny rule is deprecated and help needs update
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-07-19 13:28 UTC by Jenny Severance
Modified: 2015-01-04 23:50 UTC (History)

Fixed In Version: ipa-2.1.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Trying to create a rule with an invalid type will return an error that only allow and deny are accepted as types. But deny rules are not allowed. Consequence: User may be confused that there is a type option but only one type allowed. Fix: The deny type was deprecated because the sssd determined that properly enforcing the deny type was extremely difficult and dependent on how other libraries present host information. Result: The option is still listed because of API backwards compatibility reasons. HBAC deny rules are deprecated.
Clone Of:
Environment:
Last Closed: 2011-12-06 18:41:25 UTC
Target Upstream Version:
Embargoed:


Links:
Red Hat Product Errata RHSA-2011:1533 (priority normal, status SHIPPED_LIVE): "Moderate: ipa security and bug fix update", last updated 2011-12-06 01:23:31 UTC

Description Jenny Severance 2011-07-19 13:28:43 UTC
Description of problem:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-hbacrule-cli-002: Rule Type Required - unknown type
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [09:18:33] ::  Executing: ipa hbacrule-add --type=bad test
ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
:: [09:18:34] ::  "ipa hbacrule-add --type=bad test" failed as expected.
:: [09:18:35] ::  Error message as expected: ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
:: [   PASS   ] :: Verify expected error message for Unknown Rule Type


The error message still says that "deny" is valid.

help output:

# ipa help hbacrule-add
Purpose: Create a new HBAC rule.
Usage: ipa [global-options] hbacrule-add NAME [options]

Options:
  -h, --help            show this help message and exit
  --type=STRENUM        Rule type (allow or deny)  <============================
  --usercat=STRENUM     User category the rule applies to
  --hostcat=STRENUM     Host category the rule applies to
  --srchostcat=STRENUM  Source host category the rule applies to
  --servicecat=STRENUM  Service category the rule applies to
  --desc=STR            Description
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The
                        attribute must be part of the schema.
  --setattr=STR         Set an attribute to a name/value pair. Format is
                        attr=value. For multi-valued attributes, the command
                        replaces the values already present.
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
  --raw                 Print entries as stored on the server. Only affects
                        output format.


If there is only one type - do we need --type at all ????????



Version-Release number of selected component (if applicable):
ipa-server-2.0.99-3.20110715T0514zgit4bd85ce.el6.x86_64


Comment 1 Rob Crittenden 2011-07-19 14:02:38 UTC
You are allowed to provide deny because of legacy reasons but it will be rejected by the server if submitted.

# ipa hbacrule-add --type=deny test
ipa: ERROR: invalid 'type': The deny type has been deprecated.

The documentation is automatically generated from the available enumerators so I can't remove it from that.

Comment 2 Rob Crittenden 2011-07-19 18:07:25 UTC
https://fedorahosted.org/freeipa/ticket/1495

Comment 3 Rob Crittenden 2011-07-21 20:22:05 UTC
Note: This removes the --type option altogether.

master: 506cbaa1fb24c9c5afd091582de0af1c44cc33ea

ipa-2-0: e5bbc02a933f304c4d6781430f1a9e4d3dad88c2

Comment 4 Jenny Severance 2011-07-27 14:56:11 UTC
There is still a problem with --setattr --addattr for this attribute ...


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-hbacrule-cli-014: Negative - setattr and addattr accessRuleType
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [10:54:49] ::  Executing: ipa hbacrule-mod --setattr accessruletype=bad test
ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
:: [10:54:51] ::  "ipa hbacrule-mod --setattr accessruletype=bad test" failed as expected.
:: [10:54:52] ::  ERROR: Message not as expected. GOT: ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')  EXP: ipa: ERROR: invalid 'type': must be one of (u'allow')
:: [   FAIL   ] :: Verify expected error message for --setattr. (Expected 0, got 1)
:: [10:54:52] ::  Executing: ipa hbacrule-mod --addattr accessruletype=bad test
ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
:: [10:54:54] ::  "ipa hbacrule-mod --addattr accessruletype=bad test" failed as expected.
:: [10:54:56] ::  ERROR: Message not as expected. GOT: ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')  EXP: ipa: ERROR: invalid 'type': must be one of (u'allow')
:: [   FAIL   ] :: Verify expected error message for --addattr. (Expected 0, got 1)
:: [10:54:56] ::  Executing: ipa hbacrule-mod --addattr accessruletype=allow test
ipa: ERROR: accessruletype: Only one value allowed.
:: [10:54:58] ::  "ipa hbacrule-mod --addattr accessruletype=allow test" failed as expected.
:: [10:54:59] ::  Error message as expected: ipa: ERROR: accessruletype: Only one value allowed.
:: [   PASS   ] :: Verify expected error message for --addattr.


Maybe, make the accessruletype attribute not allowed to set or add?

Comment 5 Rob Crittenden 2011-07-27 15:10:07 UTC
deny needs to remain as an allowed type so you can search on existing values.

Attempting to create a deny rule results in a reasonable error message.

Using setattr is an advanced option so deeper understanding of the allowed attributes and their values is expected.
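
A small model of the split Rob describes (the full enumerator stays so existing deny rules remain searchable, but writes reject it), written as an added example that is not FreeIPA's own code; the operation names and the accessruletype-to-type attribute mapping are assumptions:

```python
# Added example (not FreeIPA's own code): a minimal model of how one StrEnum-style
# parameter drives both the auto-generated help/error text and write-time policy.
HBAC_RULE_TYPES = ("allow", "deny")         # full enumerator, kept so legacy deny rules stay searchable
DEPRECATED_TYPES = frozenset({"deny"})      # parseable for search, rejected on add/mod
ATTR_TO_PARAM = {"accessruletype": "type"}  # assumed LDAP-attribute -> parameter mapping for --setattr/--addattr


class ValidationError(ValueError):
    """Carries the text the CLI would print after 'ipa: ERROR: '."""


def accepted_types(operation):
    """Values an operation really accepts; only 'find' keeps deprecated ones."""
    if operation == "find":
        return HBAC_RULE_TYPES
    return tuple(v for v in HBAC_RULE_TYPES if v not in DEPRECATED_TYPES)


def validate_rule_type(value, operation):
    """Validate an HBAC rule type for operation 'add', 'mod' or 'find'.

    The message on this page listed every enumerator ('allow', 'deny') even
    though the server rejects deny on write.  Here it is built from
    accepted_types(), so it never advertises a value the write will refuse.
    """
    if value in DEPRECATED_TYPES and operation != "find":
        raise ValidationError("invalid 'type': The %s type has been deprecated." % value)
    if value not in accepted_types(operation):
        listed = ", ".join("'%s'" % v for v in accepted_types(operation))
        raise ValidationError("invalid 'type': must be one of (%s)" % listed)
    return value


def validate_setattr(pair, operation="mod"):
    """Run the same check on a raw --setattr/--addattr 'attr=value' pair."""
    attr, sep, value = pair.partition("=")
    if not sep:
        raise ValidationError("invalid '%s': expected attr=value" % pair)
    if ATTR_TO_PARAM.get(attr.lower()) == "type":
        return validate_rule_type(value, operation)
    return value  # other attributes are not modelled here


def error_text(func, *args):
    """Return the error message a call would produce, or '' when it succeeds."""
    try:
        func(*args)
    except ValidationError as exc:
        return str(exc)
    return ""
```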

Comment 6 Jenny Severance 2011-07-27 15:15:39 UTC
okay, understood!

Comment 9 Rob Crittenden 2011-10-31 20:59:43 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: Trying to create a rule with an invalid type will return an error that only allow and deny are accepted as types. But deny rules are not allowed.
Consequence: User may be confused that there is a type option but only one type allowed.
Fix: The deny type was deprecated because the sssd determined that properly enforcing the deny type was extremely difficult and dependent on how other libraries present host information.
Result: The option is still listed because of API backwards compatibility reasons. HBAC deny rules are deprecated.

Comment 10 Gowrishankar Rajaiyan 2011-11-03 10:34:07 UTC
[root@qe-blade-12 ~]# ipa help hbacrule-add
Purpose: Create a new HBAC rule.
Usage: ipa [global-options] hbacrule-add NAME [options]

Options:
  -h, --help            show this help message and exit
  --usercat=['all']     User category the rule applies to
  --hostcat=['all']     Host category the rule applies to
  --srchostcat=['all']  Source host category the rule applies to
  --servicecat=['all']  Service category the rule applies to
  --desc=STR            Description
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The
                        attribute must be part of the schema.
  --setattr=STR         Set an attribute to a name/value pair. Format is
                        attr=value. For multi-valued attributes, the command
                        replaces the values already present.
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
  --raw                 Print entries as stored on the server. Only affects
                        output format.
[root@qe-blade-12 ~]# 

No more "--type" an option.

[root@qe-blade-12 ~]# ipa hbacrule-add --type=deny test
Usage: ipa [global-options] hbacrule-add NAME [options]

ipa: error: no such option: --type
----------------------------------

Verified in version:


Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

Comment 11 errata-xmlrpc 2011-12-06 18:41:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

