Bug 747693 - ipa selfservice-find --raw returns "internal error"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Duplicates: 785259
Depends On:
Blocks: 756082
Reported: 2011-10-20 19:37 UTC by Yi Zhang
Modified: 2013-05-23 14:13 UTC

Fixed In Version: ipa-2.2.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: IPA plugins for LDAP ACI management (permission, selfservice and delegation plugins) do not process their options in a robust way and have a relaxed validation of passed values.
Consequence: ACI management plugins may return Internal errors when empty options or --raw option is passed. The Internal error is also returned when an invalid attribute is passed to the ACI attribute list option.
Fix: Option processing is now more robust and also more strict in validation.
Result: User experience with plugins should increase as it now returns proper error when an invalid or empty option value is passed.
Clone Of:
Environment:
Last Closed: 2012-06-20 13:15:28 UTC
Target Upstream Version:


Links
System: Red Hat Product Errata
ID: RHBA-2012:0819
Priority: normal
Status: SHIPPED_LIVE
Summary: ipa bug fix and enhancement update
Last Updated: 2012-06-19 20:34:17 UTC

Description Yi Zhang 2011-10-20 19:37:02 UTC
Description of problem:
[yi@i386a(101) ~] ipa selfservice-find "User Self service"  --raw
ipa: ERROR: an internal error has occurred

the permission "User Self service" does exist
[yi@i386a(101) ~] ipa selfservice-find "User Self service"
---------------------
1 selfservice matched
---------------------
  Self-service name: User Self service
  Permissions: write
  Attributes: givenname, sn, cn, displayname, title, initials, loginshell, gecos, homephone, mobile, pager, facsimiletelephonenumber, telephonenumber, street,
              roomnumber, l, st, postalcode, manager, secretary, description, carlicense, labeleduri, inetuserhttpurl, seealso, employeetype, businesscategory,
              ou
----------------------------
Number of entries returned 1
----------------------------


Version-Release number of selected component (if applicable): ipa-server-2.1.3-2.el6.i686

[yi@i386a(101) ~] rpm -qi ipa-server
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 2.el6                         Build Date: Tue 18 Oct 2011 11:12:34 AM PDT
Install Date: Thu 20 Oct 2011 10:39:05 AM PDT      Build Host: x86-002.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-2.el6.src.rpm
Size        : 3355311                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server


How reproducible: always


Steps to Reproduce:
1. install ipa-server
2. kinit as admin
3. run command :  ipa selfservice-find "User Self service"  --raw
  
Actual results:
internal error returned

Expected results: list raw data of permission


Additional info: /var/log/http/error_log:

[Thu Oct 20 12:30:34 2011] [error] ipa: ERROR: non-public: KeyError: 'aciprefix'
[Thu Oct 20 12:30:34 2011] [error] Traceback (most recent call last):
[Thu Oct 20 12:30:34 2011] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 223, in wsgi_execute
[Thu Oct 20 12:30:34 2011] [error]     result = self.Command[name](*args, **options)
[Thu Oct 20 12:30:34 2011] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 432, in __call__
[Thu Oct 20 12:30:34 2011] [error]     ret = self.run(*args, **options)
[Thu Oct 20 12:30:34 2011] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 738, in run
[Thu Oct 20 12:30:34 2011] [error]     return self.execute(*args, **options)
[Thu Oct 20 12:30:34 2011] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py", line 189, in execute
[Thu Oct 20 12:30:34 2011] [error]     del aci['aciprefix']     # do not include prefix in result
[Thu Oct 20 12:30:34 2011] [error] KeyError: 'aciprefix'
[Thu Oct 20 12:30:34 2011] [error] ipa: INFO: admin@YZHANG.REDHAT.COM: selfservice_find(u'User Self service', all=False, raw=True, version=u'2.13'): KeyError



klist shows 
[yi@i386a(101) ~] klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: admin@YZHANG.REDHAT.COM

Valid starting     Expires            Service principal
10/20/11 12:25:15  10/21/11 12:25:15  krbtgt/YZHANG.REDHAT.COM@YZHANG.REDHAT.COM
10/20/11 12:25:49  10/21/11 12:25:15  HTTP/i386a.yzhang.redhat.com@YZHANG.REDHAT.COM

Comment 1 Yi Zhang 2011-10-20 19:38:07 UTC
To verify this bug, just run :

 ipa selfservice-find "User Self service"  --raw

"User Self service" is the default selfservice permission

Comment 2 Martin Kosek 2011-10-20 19:42:59 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2010

Comment 4 Scott Poore 2012-01-06 01:20:27 UTC
*** Bug 772106 has been marked as a duplicate of this bug. ***

Comment 5 Martin Kosek 2012-02-03 16:15:03 UTC
*** Bug 785259 has been marked as a duplicate of this bug. ***

Comment 8 Scott Poore 2012-03-16 20:54:14 UTC
Verified.

Version :: ipa-server-2.2.0-4.el6.x86_64

Automated Test Results ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: selfservice_bz_747693 ipa selfservice-find --raw returns internal error
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: BZ Test Running: ipa selfservice-find selfservice_bz_747693 --raw > /tmp/tmp.V5BS5xp3mS/selfservice_bz_747693.11766.out 2>&1
:: [   PASS   ] :: BZ 747693 not found
:: [   LOG    ] :: Duration: 9s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: selfservice_bz_747693 ipa selfservice-find --raw returns internal error

Manual Test Results ::

[root@hp-xw6600-01 ipa-selfservice]# ipa selfservice-add bz747693 --attrs=l
----------------------------
Added selfservice "bz747693"
----------------------------
  Self-service name: bz747693
  Permissions: write
  Attributes: l


[root@hp-xw6600-01 ipa-selfservice]# ipa selfservice-find bz747693 --raw
---------------------
1 selfservice matched
---------------------
  aci: (targetattr = "l")(version 3.0;acl "selfservice:bz747693";allow (write) userdn = "ldap:///self";)
----------------------------
Number of entries returned 1
----------------------------

Comment 9 Martin Kosek 2012-04-18 20:47:49 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: IPA plugins for LDAP ACI management (permission, selfservice and delegation plugins) do not process their options in a robust way and have a relaxed validation of passed values. 
Consequence: ACI management plugins may return Internal errors when empty options or --raw option is passed. The Internal error is also returned when an invalid attribute is passed to the ACI attribute list option.
Fix: Option processing is now more robust and also more strict in validation.
Result: User experience with plugins should increase as it now returns proper error when an invalid or empty option value is passed.
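
Added illustration (not part of any comment above and not FreeIPA's own code): the traceback in the description fails on `del aci['aciprefix']` when `raw=True`, and the raw output in comment 8 shows an entry carrying only an `aci` value. The sketch below parses that ACI string and contrasts the unconditional delete with a tolerant one; `parse_aci`, `build_entry`, `find_fragile` and `find_robust` are hypothetical names, and the two result shapes are assumptions drawn from the output shown on this page.

```python
import re

# Constructed sample: the raw ACI printed by the manual test in comment 8.
RAW_ACI = ('(targetattr = "l")(version 3.0;acl "selfservice:bz747693";'
           'allow (write) userdn = "ldap:///self";)')

# Covers only the simple shape above: one targetattr and one allow rule.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<perms>[^)]*)\)\s*(?P<bind>[^;]*);\)'
)

def parse_aci(raw):
    """Split one ACI string into a dict (hypothetical helper)."""
    m = ACI_RE.fullmatch(raw.strip())
    if m is None:
        raise ValueError("unsupported ACI syntax: %r" % raw)
    full = m.group("name")
    prefix, sep, name = full.partition(":")
    if not sep:                      # ACI name without a "prefix:" part
        prefix, name = "", full
    return {
        "aciprefix": prefix,
        "aciname": name,
        "permissions": [p.strip() for p in m.group("perms").split(",")],
        "attrs": [a.strip() for a in m.group("attrs").split("||")],
        "bindrule": m.group("bind").strip(),
    }

def build_entry(raw_aci, raw=False):
    """Assumed result shapes: raw mode keeps only the untouched ACI string."""
    return {"aci": raw_aci} if raw else parse_aci(raw_aci)

def find_fragile(raw_aci, raw=False):
    entry = build_entry(raw_aci, raw)
    del entry["aciprefix"]           # statement from the traceback; no such key in raw mode
    return entry

def find_robust(raw_aci, raw=False):
    entry = build_entry(raw_aci, raw)
    entry.pop("aciprefix", None)     # works for both result shapes
    return entry

if __name__ == "__main__":
    print(find_robust(RAW_ACI))
    print(find_robust(RAW_ACI, raw=True))
```

Calling `find_fragile(RAW_ACI, raw=True)` raises `KeyError: 'aciprefix'`, the exception recorded in the error_log excerpt.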

Comment 11 errata-xmlrpc 2012-06-20 13:15:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

