Red Hat Bugzilla – Bug 736455
[ipa webui] Sudo Rule includes indirect hosts and users members in its list to add
Last modified: 2015-01-04 18:50:54 EST
Description of problem:
For a Sudo Rule, after a hostgroup or usergroup is added to its list, it still lists members of the group when adding hosts or users.

Version-Release number of selected component (if applicable):
ipa-server-2.1.1-1.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add a host, hostgroup. Add the host as a member to this hostgroup
2. Add a Sudo rule, Edit it
3. Add the hostgroup to its list in Accessing section
4. Add a host in Accessing section

Actual results:
host which is member of the hostgroup is listed

Expected results:
host which is member of the hostgroup should not be listed, since the hostgroup is already added to the list

Additional info:
Same scenario - when adding users that already belong to a usergroup which is already added to Sudo Rule in Who section. The user is listed, but should not be.

This host adder dialog in HBAC works as expected.

The CLI output is as expected as well:

-- ADD HOSTGROUP TO SUDO RULE --
ipa sudorule-add-host --hostgroups=testhostgroup qesudorule
  Rule name: qesudorule
  Enabled: TRUE
  Host Groups: testhostgroup
-------------------------
Number of members added 1
-------------------------

-- RUN HOST-FIND --
ipa host-find --not-in-sudorule=qesudorule
---------------
1 host matched
---------------
  Host name: qe-blade-05.testrelm
  Principal name: host/qe-blade-05.testrelm@TESTRELM
  Keytab: True
  Password: False
  Managed by: qe-blade-05.testrelm
----------------------------
Number of entries returned 1
----------------------------

ipa host-find --in-sudorule=qesudorule
--------------
1 host matched
--------------
  Host name: qehost.testrelm
  Principal name: host/qehost.testrelm@TESTRELM
  Keytab: False
  Password: False
  Member of host-groups: testhostgroup
  Indirect Member of netgroup: testhostgroup
  Managed by: qehost.testrelm
----------------------------
Number of entries returned 1
----------------------------
Upstream ticket: https://fedorahosted.org/freeipa/ticket/1768
Fixed upstream:
master: a95b44face7f3001a27e2ff42c07a5ae1edabc83
ipa-2-1: 68a468f4b0bff67fa3b4e93f1d4ac345c0ef68ab
Verified using ipa-server-2.1.2-2.el6.x86_64
Lists only hosts/users that are not already included by enrolled groups
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Do not document
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html