Description of problem:
For an HBAC Rule, add a host and hostgroup in the 'From' section to include - Source host category the rule applies to. But this host and hostgroup are not listed as being members of the HBAC rule.

Similarly, for a Sudo Rule, add a user and usergroup in the 'As whom' section to include - RunAs User category the rule applies to. But this user and usergroup are not listed as being members of the Sudo rule.

Version-Release number of selected component (if applicable):
ipa-server-2.1.0-105.20110901T0304zgit887f02a.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add an HBAC Rule
2. Edit this rule, go to From Section
3. Add a host, and a hostgroup
4. Click on this host to go to Host page, click on HBAC Rules
5. Click on this hostgroup to go to Host Group page, click on HBAC Rules

Also:
1. Add a Sudo Rule
2. Edit this rule, go to As Whom Section
3. Add a user, and a usergroup
4. Click on this user to go to User page, click on Sudo Rules
5. Click on this usergroup to go to User Group page, click on Sudo Rules

Actual results:
Host is not member of the HBAC Rule
HostGroup is not member of the HBAC Rule
User is not member of the Sudo Rule
UserGroup is not member of the Sudo Rule

Expected results:
Host should be member of the HBAC Rule
HostGroup should be member of the HBAC Rule
User should be member of the Sudo Rule
UserGroup should be member of the Sudo Rule

Additional info:
ldapsearch on HBAC Rule:
>ldapsearch -D "cn=Directory Manager" -w Secret123 -b "ipauniqueid=8cae0058-d4bf-11e0-9d46-00215e2032c0,cn=hbac,dc=testrelm"
dn: ipaUniqueID=8cae0058-d4bf-11e0-9d46-00215e2032c0,cn=hbac,dc=testrelm
objectClass: ipaassociation
objectClass: ipahbacrule
accessRuleType: allow
ipaEnabledFlag: TRUE
cn: test
ipaUniqueID: 8cae0058-d4bf-11e0-9d46-00215e2032c0
memberUser: uid=hbacusr,cn=users,cn=accounts,dc=testrelm
memberUser: cn=hbacgrp,cn=groups,cn=accounts,dc=testrelm
memberHost: fqdn=hbachost.testrelm,cn=computers,cn=accounts,dc=testrelm
memberHost: cn=hbachostgroup,cn=hostgroups,cn=accounts,dc=testrelm
sourceHost: fqdn=fromhost.testrelm,cn=computers,cn=accounts,dc=testrelm
sourceHost: cn=from_hostgroup,cn=hostgroups,cn=accounts,dc=testrelm

ldapsearch on a sourceHost:
>ldapsearch -D "cn=Directory Manager" -w Secret123 -b "cn=from_hostgroup,cn=hostgroups,cn=accounts,dc=testrelm"
dn: cn=from_hostgroup,cn=hostgroups,cn=accounts,dc=testrelm
objectClass: ipaobject
objectClass: ipahostgroup
objectClass: nestedGroup
objectClass: groupOfNames
objectClass: top
objectClass: mepOriginEntry
cn: from_hostgroup
description: dasda
ipaUniqueID: d93af63a-d4bd-11e0-9d46-00215e2032c0
memberOf: cn=from_hostgroup,cn=ng,cn=alt,dc=testrelm
mepManagedEntry: cn=from_hostgroup,cn=ng,cn=alt,dc=testrelm
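The asymmetry the two ldapsearch dumps show is that memberHost gets a memberOf backlink on the host entry while sourceHost does not, so the only way to find where a host is used as a source is to scan the rules themselves. The following is an added example, not FreeIPA's code: it parses ldapsearch-style LDIF (unfolding wrapped lines) and reports, for one host or hostgroup DN, which HBAC rules name it as a member versus only as a source. The LDIF is constructed from the rule quoted above plus an invented second rule (its ipaUniqueID is a placeholder).

```python
from collections import defaultdict

# Constructed LDIF: the rule from the report (with one value folded the way
# ldapsearch wraps long lines) plus an invented rule using fromhost only as source.
SAMPLE_LDIF = """\
dn: ipaUniqueID=8cae0058-d4bf-11e0-9d46-00215e2032c0,cn=hbac,dc=testrelm
objectClass: ipahbacrule
cn: test
memberHost: fqdn=hbachost.testrelm,cn=computers,cn=accounts,dc=testrelm
memberHost: cn=hbachostgroup,cn=hostgroups,
 cn=accounts,dc=testrelm
sourceHost: fqdn=fromhost.testrelm,cn=computers,cn=accounts,dc=testrelm
sourceHost: cn=from_hostgroup,cn=hostgroups,cn=accounts,dc=testrelm

dn: ipaUniqueID=PLACEHOLDER-0001,cn=hbac,dc=testrelm
objectClass: ipahbacrule
cn: ops_from_bastion
sourceHost: fqdn=fromhost.testrelm,cn=computers,cn=accounts,dc=testrelm
"""

def parse_ldif(text):
    """Parse ldapsearch LDIF into {attr_lower: [values]} dicts, unfolding
    continuation lines (a leading space) and skipping blocks without a dn."""
    entries = []
    for block in text.strip().split("\n\n"):
        unfolded = []
        for raw in block.split("\n"):
            if raw.startswith(" ") and unfolded:      # folded continuation
                unfolded[-1] += raw[1:]
            else:
                unfolded.append(raw)
        entry = defaultdict(list)
        for line in unfolded:
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
        if entry.get("dn"):                            # drop comment-only blocks
            entries.append(entry)
    return entries

def rule_references(entries, dn):
    """For one host/hostgroup DN, list HBAC rules naming it as memberHost
    (backlinked via memberOf, shown in the UI) vs. only as sourceHost (not)."""
    wanted, refs = dn.lower(), {"member": [], "source": []}
    for e in entries:
        if "ipahbacrule" not in [oc.lower() for oc in e.get("objectclass", [])]:
            continue
        for key, attr in (("member", "memberhost"), ("source", "sourcehost")):
            if wanted in [v.lower() for v in e.get(attr, [])]:
                refs[key].append(e["cn"][0])
    return refs
```

Feeding it the output of an ldapsearch over cn=hbac lists every rule in which a given host appears only as a source, which is exactly what the host's own "member of" view cannot show.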
Upstream ticket: https://fedorahosted.org/freeipa/ticket/1751
What is the use case for this? Is it a common case where users will be looking for HBAC/sudo rules where the host is used as a source?
It comes across as being inconsistent. I can see hosts when they are added in the 'Accessing' section, but not when they are added in the 'From' section. Will hosts be commonly added as a source? If so, then maybe for the Hosts - member of section - HBAC rules/Sudo rules, can we have multiple sections to indicate from and to hosts?
Ok, but how will people *use* this information?
This ticket translates into two different issues and should be viewed separately:
1) Issue with "From hosts". Since "from hosts" are unreliable we want to discourage the use of those, so no changes are needed for "From hosts".
2) For SUDO users and run as - there might be a value, so I would suggest creating a corresponding ticket but putting it into backlog for now. It is a very low priority unless someone really finds it valuable or needed.
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/f7753bf55cf713b93f1c12d0fc6dde7f804dd975
ipa-2-2: https://fedorahosted.org/freeipa/changeset/a351fbbda77d64faba9efe102ef93bcb88647db7
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed.
No changes in UI or CLI. After discussing with Jenny and Rob, closing this as WontFix.