Bug 746056 - [ipa webui] Unable to add external user for RunAs User for Sudo rules
Summary: [ipa webui] Unable to add external user for RunAs User for Sudo rules
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 748554
TreeView+ depends on / blocked
 
Reported: 2011-10-13 18:41 UTC by Namita Soman
Modified: 2011-12-06 18:42 UTC (History)
3 users (show)

Fixed In Version: ipa-2.1.3-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: IPA Web UI does not allow adding an external user (i.e. user that is not managed by IPA) as sudo command RunAs user Consequence: external RunAs user can be added to the sudo command via CLI only Fix: As Whom section dialog box specifying used for adding RunAs users has been fixed and a text field for adding an external user has been added Result: sudo command RunAs user can now be added via both Web UI and CLI
Clone Of:
Environment:
Last Closed: 2011-12-06 18:42:57 UTC
Target Upstream Version:


Attachments (Terms of Use)
As Whom in sudo Rule (17.90 KB, image/png)
2011-10-26 16:33 UTC, Jenny Severance
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Namita Soman 2011-10-13 18:41:54 UTC
Description of problem:
There is no way to add root or any external user as a RunAs User for a Sudo Rule.

Use case- Add a Sudo Command - to see httpd error logs. Then add a rule to run this command. Want to assign only root to be able to run the command and check the logs. But unable to add root as external RunAs user for this rule

Version-Release number of selected component (if applicable):
ipa-server-2.1.2-2.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add a sudo command - cat /var/log/httpd/error_log
2. Add a sudo rule, allow the command added above
3. Add root in As whom section - for RunAs.
  
Actual results:
There is no way to add an external user

Expected results:
It should be possible to set up root or an external user to run this command

Additional info:

Comment 2 Rob Crittenden 2011-10-14 04:34:05 UTC
I don't understand why you are looking at the error_log. Is the command failing? If so can you attach the log?

Comment 3 Namita Soman 2011-10-14 12:23:01 UTC
No...that is just an example sudo command...could be any other command.

Comment 4 Namita Soman 2011-10-14 13:39:53 UTC
# ipa sudocmd-add "/bin/mkdir"
-------------------------------
Added Sudo Command "/bin/mkdir"
-------------------------------
  Sudo Command: /bin/mkdir


# ipa sudorule-add mkdir_root 
----------------------------
Added Sudo Rule "mkdir_root"
----------------------------
  Rule name: mkdir_root
  Enabled: TRUE



# ipa sudorule-add-allow-command mkdir_root
[member sudo command]: /bin/mkdir
[member sudo command group]: 
  Rule name: mkdir_root
  Enabled: TRUE
  Sudo Allow Commands: /bin/mkdir
-------------------------
Number of members added 1


Note: User 'one' is an IPA user
# ipa sudorule-add-runasuser mkdir_root --users=one
  Rule name: mkdir_root
  Enabled: TRUE
  Sudo Allow Commands: /bin/mkdir
  RunAs Users: one
-------------------------
Number of members added 1
-------------------------







Note: User 'root' is an external user
# ipa sudorule-add-runasuser mkdir_root --users=root
  Rule name: mkdir_root
  Enabled: TRUE
  Sudo Allow Commands: /bin/mkdir
  RunAs Users: one
  RunAs External User: root
-------------------------
Number of members added 1
-------------------------




I can do all the above commands in UI, except the last. And after adding root as a RunAs External user, I cannot view this in UI. I see User one listed, but not User root in UI

Comment 5 Rob Crittenden 2011-10-14 17:26:07 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1987

Comment 6 Rob Crittenden 2011-10-17 17:20:43 UTC
Fixed upstream

master: 1e5391422143c17a94008a0703099c5f877e46fd

ipa-2-1: f3a5d4883666c7e04e23cb454e28ccc83c54f04a

Comment 8 Jenny Severance 2011-10-26 16:33:48 UTC
Created attachment 530331 [details]
As Whom in sudo Rule

Comment 9 Jenny Severance 2011-10-26 16:34:55 UTC
Verified:
Can add external user in the As Whom section of a sudo rule now from the web UI.  See attached screen shot.

version:
ipa-server-2.1.3-3.el6.x86_64

Comment 10 Martin Kosek 2011-10-31 18:57:19 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: IPA Web UI does not allow adding an external user (i.e. user that is not managed by IPA) as sudo command RunAs user
Consequence: external RunAs user can be added to the sudo command via CLI only
Fix: As Whom section dialog box specifying used for adding RunAs users has been fixed and a text field for adding an external user has been added
Result: sudo command RunAs user can now be added via both Web UI and CLI

Comment 11 errata-xmlrpc 2011-12-06 18:42:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html


Note You need to log in before you can comment on or make changes to this bug.