Bug 743253 - duplicate hostgroup and netgroup
Summary: duplicate hostgroup and netgroup
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
urgent
medium
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On: 743071
Blocks: 748554
TreeView+ depends on / blocked
 
Reported: 2011-10-04 11:38 UTC by Jenny Severance
Modified: 2011-12-06 18:41 UTC (History)
6 users (show)

Fixed In Version: ipa-2.1.3-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Due to compatibility with NIS when a hostgroup is added, a netgroup with the same name is added. However, when the hostgroup is created, it is not checked if there is not a netgroup with the same name already which may have been added separately (without a hostgroup). Consequence: Hostgroup is created but the netgroup cannot be added and user is not notified about this event. This can lead to unexpected and surprising behavior. Fix: When a hostgroup is added, IPA server checks first if the netgroup name is free and refuses to add hostgroup otherwise Result: New hostgroups cannot get into conflict with existing netgroups.
Clone Of: 743071
Environment:
Last Closed: 2011-12-06 18:41:59 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Jenny Severance 2011-10-04 11:38:05 UTC
+++ This bug was initially created as a clone of Bug #743071 +++

Description of problem:
When a host group is added having the same name as an existing netgroup, the host group is allowed to be created, thus creating an error and making the Host Group tab in the webui inaccessible with the following error:

Error: IPA Error 4027
The search criteria was not specific enough. Expected 1 and found 2.
Version-Release number of selected component (if applicable):



How reproducible:
Every time

Steps to Reproduce:
1. Create a netgroup with a certain name, ex: "all"
2. Create a hostgroup with a certain name, ex: "all"
3.
  
Actual results:
The host group tab in the webui is now inaccessible

Expected results:
Error message displayed about duplicate name OR the webui to handle the duplicate group name. Using the CLI to remove the duplicate host group resolves the issue.

Additional info:

--- Additional comment from rcritten@redhat.com on 2011-10-03 14:54:41 EDT ---

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1914

--- Additional comment from jgalipea@redhat.com on 2011-10-04 07:37:19 EDT ---

I was able to reproduce this with ipa-server-2.1.1-101.20111003T0058zgitaaa7c05.el6.x86_64

Comment 1 Jenny Severance 2011-10-04 11:42:32 UTC
additional information :

# ipa hostgroup-find
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.

# ipa netgroup-del test
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.

Comment 2 Martin Kosek 2011-10-07 07:20:05 UTC
Fixed upstream:
master: a85bb7fa9e5a03b391d684e2850bfe4663f94e21
ipa-2-1: 92dbd68677b3166ebb8897c5fac7d6a142226ac1

Comment 5 Jenny Severance 2011-10-14 18:11:47 UTC
This fix is causing a regression :

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-hostgroup-cli-23: Add duplicate host group
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Executing: ipa hostgroup-add --desc=test hostgrp1
:: [   LOG    ] :: "ipa hostgroup-add --desc=test hostgrp1" failed as expected.
:: [   LOG    ] :: ERROR: Message not as expected. GOT: ipa: ERROR: netgroup with name hostgrp1 already exists  EXP: ipa: ERROR: host group with name hostgrp1 already exists
:: [   FAIL   ] :: Verify expected error message. (Expected 0, got 1)
:: [   LOG    ] :: Duration: 6s
:: [   LOG    ] :: Assertions: 0 good, 1 bad
:: [   FAIL   ] :: RESULT: ipa-hostgroup-cli-23: Add duplicate host group


Should be checking to see if a duplicate hostgroup exists first and then check for a netgroup - only if Netgroup Plugin is enabled.

version tested :
ipa-server-2.1.2-100.20111014T0057zgit16fc9f8.el6.x86_64

Comment 6 Martin Kosek 2011-10-17 15:28:42 UTC
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/99d938152fbef41f2d48d4088e5ba39bc820e9de
ipa-2-1: https://fedorahosted.org/freeipa/changeset/5a3268fc7d731232844eb9391be722db2179f24c

Just a note: The netgroup/hostgroup collision checks are run in all cases, we don't test if netgroup plugin is enabled/disabled.

This is a precausion. If user enables the plugin again, he would get into trouble if he had colliding hostgroups/netgroups. We wanted to play on the safe side here.

Comment 7 Martin Kosek 2011-10-31 21:42:25 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Due to compatibility with NIS when a hostgroup is added, a netgroup with the same name is added. However, when the hostgroup is created, it is not checked if there is not a netgroup with the same name already which may have been added separately (without a hostgroup).
Consequence: Hostgroup is created but the netgroup cannot be added and user is not notified about this event. This can lead to unexpected and surprising behavior.
Fix: When a hostgroup is added, IPA server checks first if the netgroup name is free and refuses to add hostgroup otherwise
Result: New hostgroups cannot get into conflict with existing netgroups.

Comment 8 Gowrishankar Rajaiyan 2011-11-03 05:39:08 UTC
[root@decepticons ~]# ipa netgroup-add test
Description: test
---------------------
Added netgroup "test"
---------------------
  Netgroup name: test
  Description: test
  NIS domain name: lab.eng.pnq.redhat.com
  IPA unique ID: c6354608-05dc-11e1-90bc-525400f56e2e
[root@decepticons ~]# ipa hostgroup-add test
Description: test
ipa: ERROR: netgroup with name "test" already exists. Hostgroups and netgroups share a common namespace
[root@decepticons ~]# 



[root@decepticons ~]# ipa hostgroup-add test2
Description: test2
-----------------------
Added hostgroup "test2"
-----------------------
  Host-group: test2
  Description: test2
[root@decepticons ~]# ipa netgroup-add test2
Description: test2
ipa: ERROR: netgroup with name "test2" already exists
[root@decepticons ~]# 


WebUI works as expected and regression failure as in comment #5 not detected:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-hostgroup-cli-23: Add duplicate host group
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [14:58:13] ::  Executing: ipa hostgroup-add --desc=test hostgrp1
ipa: ERROR: host group with name "hostgrp1" already exists
:: [14:58:14] ::  "ipa hostgroup-add --desc=test hostgrp1" failed as expected.
:: [14:58:16] ::  Error message as expected: ipa: ERROR: host group with name hostgrp1 already exists
:: [   PASS   ] :: Verify expected error message.
'a3e07589-5cac-469f-981d-797db909df4a'
ipa-hostgroup-cli-23 result: PASS
   metric: 0
   Log: /tmp/beakerlib-3401817/journal.txt
    Info: Searching AVC errors produced since 1319741893.51 (Thu Oct 27 14:58:13 2011)
     Searching logs...
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.AQhtw9
:
   AvcLog: /mnt/testarea/tmp.AQhtw9


Verified in version: 
[root@decepticons ~]# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@decepticons ~]#

Comment 9 errata-xmlrpc 2011-12-06 18:41:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html


Note You need to log in before you can comment on or make changes to this bug.