Bug 751018 - Default HBAC Administration Role - Permissions missing
Summary: Default HBAC Administration Role - Permissions missing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 756082
TreeView+ depends on / blocked
 
Reported: 2011-11-03 09:18 UTC by Gowrishankar Rajaiyan
Modified: 2012-06-20 13:16 UTC (History)
4 users (show)

Fixed In Version: ipa-2.2.0-1.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Environment:
Last Closed: 2012-06-20 13:16:11 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0819 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2012-06-19 20:34:17 UTC

Description Gowrishankar Rajaiyan 2011-11-03 09:18:56 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.1.3-8.el6.x86_64

How reproducible:


Steps to Reproduce:
1. [root@decepticons ~]# ipa privilege-find "User Administrators"
-------------------
1 privilege matched
-------------------
  Privilege name: User Administrators
  Description: User Administrators
  Permissions: add users, change a user password, add user to default group, unlock user accounts, remove users, modify users
  Granting privilege to roles: User Administrator
----------------------------
Number of entries returned 1
----------------------------
[root@decepticons ~]# 

2. [root@decepticons ~]# ipa privilege-find "HBAC Administrator"
-------------------
1 privilege matched
-------------------
  Privilege name: HBAC Administrator
  Description: HBAC Administrator
  Granting privilege to roles: IT Security Specialist
----------------------------
Number of entries returned 1
----------------------------
[root@decepticons ~]# 


Actual results:
HBAC Administrator Role exists with no permissions assigned
No HBAC permissions

Expected results:
Default HBAC permissions exist
HBAC Administrator Role has the expected permissions assigned


Additional info:

Comment 2 Martin Kosek 2011-11-03 12:18:13 UTC
This is the same root cause as in Bug 751029. I will target this for 6.3.0.


# ipa permission-find hbac --all
---------------------
9 permissions matched
---------------------
  dn: cn=add hbac rule,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  Permission name: Add HBAC rule
  Permissions: add
  Subtree: ldap:///ipauniqueid=*,cn=hbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  Granted to Privilege: HBAC Administrator   <<<<<<<
  objectclass: groupofnames, ipapermission, top

  dn: cn=add hbac service groups,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  Permission name: Add HBAC service groups
  Permissions: add
  Subtree: ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  Granted to Privilege: HBAC Administrator   <<<<<<<
  objectclass: groupofnames, ipapermission, top
...

Comment 3 Martin Kosek 2011-11-03 12:24:05 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2061

Comment 6 Jenny Severance 2012-04-18 17:02:57 UTC
verified:

# ipa permission-find hbac --all
---------------------
9 permissions matched
---------------------
  dn: cn=add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Add HBAC rule
  Permissions: add
  Subtree: ldap:///ipauniqueid=*,cn=hbac,dc=testrelm,dc=com
  Granted to Privilege: HBAC Administrator
  memberindirect: cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: groupofnames, ipapermission, top

  dn: cn=add hbac service groups,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Add HBAC service groups
  Permissions: add
  Subtree: ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=testrelm,dc=com
  Granted to Privilege: HBAC Administrator
  memberindirect: cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: groupofnames, ipapermission, top

  dn: cn=add hbac services,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Add HBAC services
  Permissions: add
  Subtree: ldap:///cn=*,cn=hbacservices,cn=hbac,dc=testrelm,dc=com
  Granted to Privilege: HBAC Administrator
  memberindirect: cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: groupofnames, ipapermission, top

  dn: cn=delete hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Delete HBAC rule
  Permissions: delete
  Subtree: ldap:///ipauniqueid=*,cn=hbac,dc=testrelm,dc=com
  Granted to Privilege: HBAC Administrator
  memberindirect: cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: groupofnames, ipapermission, top

  dn: cn=delete hbac service groups,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Delete HBAC service groups
  Permissions: delete
  Subtree: ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=testrelm,dc=com
  Granted to Privilege: HBAC Administrator
  memberindirect: cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: groupofnames, ipapermission, top

  dn: cn=delete hbac services,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Delete HBAC services
  Permissions: delete
  Subtree: ldap:///cn=*,cn=hbacservices,cn=hbac,dc=testrelm,dc=com
  Granted to Privilege: HBAC Administrator
  memberindirect: cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: groupofnames, ipapermission, top

  dn: cn=manage hbac rule membership,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Manage HBAC rule membership
  Permissions: write
  Attributes: memberuser, externalhost, memberservice, memberhost
  Subtree: ldap:///ipauniqueid=*,cn=hbac,dc=testrelm,dc=com
  Granted to Privilege: HBAC Administrator
  memberindirect: cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: groupofnames, ipapermission, top

  dn: cn=manage hbac service group membership,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Manage HBAC service group membership
  Permissions: write
  Attributes: member
  Subtree: ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=testrelm,dc=com
  Granted to Privilege: HBAC Administrator
  memberindirect: cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: groupofnames, ipapermission, top

  dn: cn=modify hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Modify HBAC rule
  Permissions: write
  Attributes: servicecategory, sourcehostcategory, cn, description, ipaenabledflag, accesstime, usercategory, hostcategory, accessruletype, sourcehost
  Subtree: ldap:///ipauniqueid=*,cn=hbac,dc=testrelm,dc=com
  Granted to Privilege: HBAC Administrator
  memberindirect: cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: groupofnames, ipapermission, top
----------------------------
Number of entries returned 9
----------------------------


version :
ipa-server-2.2.0-9.el6.x86_64

Comment 8 Martin Kosek 2012-04-19 11:37:01 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.

Comment 10 errata-xmlrpc 2012-06-20 13:16:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html


Note You need to log in before you can comment on or make changes to this bug.