This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/1440

When the Who category in HBAC/SUDO rules is set to Anyone, the list of users and groups should become empty. Currently that's not the case.

Steps to reproduce:
1. Go to Policy -> HBAC -> HBAC Rules.
2. Open an existing HBAC rule.
3. Make sure there are users/groups under the Who category.
4. Set the category to Anyone.
5. Click Update, the category will revert back to 'Specified Users and Groups' and the users/groups are not deleted.

Similar problem happens in Sudo rules, in step #5 the category is changed to Anyone but the users/groups are not deleted.
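An added example, not part of the bug report or of FreeIPA's code: an audit pass that flags rules left in the state described for Sudo rules, where the user category is Anyone (`all`) but users or groups are still attached. It assumes records shaped like entries from the IPA JSON API (`usercategory`, `memberuser_user`, `memberuser_group`, values possibly lists); the function names and sample data are constructed for illustration.

```python
# Added example: audit rule records for "category is all, members remain".
# Assumption: each record is shaped like an entry returned by the IPA JSON API
# for HBAC or sudo rules, where attribute values may be lists or scalars.

MEMBER_KEYS = ("memberuser_user", "memberuser_group")


def _values(record, key):
    """Return an attribute as a list, whether stored as scalar, list or absent."""
    value = record.get(key)
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return list(value)
    return [value]


def find_conflicting_rules(records):
    """Return (rule name, leftover members) for rules set to 'all' that still list users/groups."""
    findings = []
    for record in records:
        categories = [str(v).lower() for v in _values(record, "usercategory")]
        if "all" not in categories:
            continue  # 'Specified Users and Groups': explicit members are expected
        leftovers = []
        for key in MEMBER_KEYS:
            leftovers.extend(f"{key}={m}" for m in _values(record, key))
        if leftovers:
            name = (_values(record, "cn") or ["<unnamed>"])[0]
            findings.append((name, sorted(leftovers)))
    return findings


# Constructed sample data, not taken from a real server.
SAMPLE_RULES = [
    {"cn": ["allow_anyone"], "usercategory": ["all"]},
    {"cn": ["stale_sudo"], "usercategory": ["all"],
     "memberuser_user": ["shanks"], "memberuser_group": ["group1"]},
    {"cn": ["specified"], "memberuser_user": ["user1"]},
    {"cn": "scalar_form", "usercategory": "ALL", "memberuser_group": "group1"},
]

if __name__ == "__main__":
    for name, members in find_conflicting_rules(SAMPLE_RULES):
        print(f"{name}: user category is 'all' but members remain: {', '.join(members)}")
```
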
appears to be duplicate bugzilla of ... https://bugzilla.redhat.com/show_bug.cgi?id=741277
The upstream patch fixes it in sudo:
master: 2c1f21a14bf9d47ab484d13f5947a059ccc1d041
ipa-2-2: 4c4888190b78b0a4e58471235550d1709ef7e329

It appears that the commits related to ticket 1873 (for bug 741277) are unrelated, so perhaps that explains the duplication.
HBAC tests:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa bug 783286 - Setting HBAC/SUDO category to Anyone doesn't remove users/groups
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'echo Secret123 | ipa user-add user1 --first=user1 --last=r --password'
:: [ PASS ] :: Running 'ipa group-add group1 --desc=group1'
:: [ PASS ] :: Running 'ipa hbacrule-add bug783286 --usercat=all > /tmp/tmp.KOndBQrJue/bug783286.txt 2>&1'
:: [ PASS ] :: File '/tmp/tmp.KOndBQrJue/bug783286.txt' should contain 'User category: all'
:: [ PASS ] :: Running 'cat /tmp/tmp.KOndBQrJue/bug783286.txt'
:: [ PASS ] :: Running 'ipa hbacrule-add-host bug783286 --hosts=primenova.lab.eng.pnq.redhat.com'
:: [ PASS ] :: Running 'ipa hbacrule-add-user bug783286 --users=user1 > /tmp/tmp.KOndBQrJue/bug783286.txt 2>&1'
:: [ PASS ] :: File '/tmp/tmp.KOndBQrJue/bug783286.txt' should contain 'ipa: ERROR: users cannot be added when user category='all''
:: [ PASS ] :: Running 'cat /tmp/tmp.KOndBQrJue/bug783286.txt'
:: [ PASS ] :: Running 'ipa hbacrule-add-user bug783286 --groups=group1 > /tmp/tmp.KOndBQrJue/bug783286.txt 2>&1'
:: [ PASS ] :: File '/tmp/tmp.KOndBQrJue/bug783286.txt' should contain 'ipa: ERROR: users cannot be added when user category='all''
:: [ PASS ] :: Running 'cat /tmp/tmp.KOndBQrJue/bug783286.txt'
:: [ PASS ] :: Running 'ipa hbacrule-del bug783286'
:: [ PASS ] :: Running 'ipa hbacrule-add bug783286'
:: [ PASS ] :: Running 'ipa hbacrule-add-user bug783286 --users=user1'
:: [ PASS ] :: Running 'ipa hbacrule-mod bug783286 --usercat=all > /tmp/tmp.KOndBQrJue/bug783286.txt 2>&1'
:: [ PASS ] :: File '/tmp/tmp.KOndBQrJue/bug783286.txt' should contain 'ipa: ERROR: user category cannot be set to 'all' while there are allowed users'
:: [ PASS ] :: Running 'cat /tmp/tmp.KOndBQrJue/bug783286.txt'
:: [ PASS ] :: Running 'ipa hbacrule-del bug783286'
:: [ PASS ] :: Running 'ipa hbacrule-add bug783286'
:: [ PASS ] :: Running 'ipa hbacrule-add-user bug783286 --groups=group1'
:: [ PASS ] :: Running 'ipa hbacrule-mod bug783286 --usercat=all > /tmp/tmp.KOndBQrJue/bug783286.txt 2>&1'
:: [ PASS ] :: File '/tmp/tmp.KOndBQrJue/bug783286.txt' should contain 'ipa: ERROR: user category cannot be set to 'all' while there are allowed users'
:: [ PASS ] :: Running 'cat /tmp/tmp.KOndBQrJue/bug783286.txt'
:: [ PASS ] :: Running 'ipa group-del group1'
:: [ PASS ] :: Running 'ipa hbacrule-del bug783286'
:: [ PASS ] :: Running 'ipa user-del user1'
:: [ LOG ] :: Duration: 1m 24s
:: [ LOG ] :: Assertions: 27 good, 0 bad
:: [ PASS ] :: RESULT: ipa bug 783286 - Setting HBAC/SUDO category to Anyone doesn't remove users/groups
report saved as: /tmp/rhts.report.17417.txt
================ final pass/fail report =================

Sudo tests:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa bug 783286 - Setting HBAC/SUDO category to Anyone doesn't remove users/groups
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: verifies https://bugzilla.redhat.com/show_bug.cgi?id=783286
:: [ PASS ] :: Running 'echo Secret123 | ipa user-add shanks --first=shanks --last=r --password'
:: [ PASS ] :: Running 'ipa group-add group1 --desc=group1'
:: [ PASS ] :: Running 'ipa sudocmd-add /bin/ls'
:: [ PASS ] :: Running 'ipa sudorule-add bug783286 --usercat=all > /tmp/tmp.ZUxTcGGJ0m/bug783286.txt 2>&1'
:: [ PASS ] :: File '/tmp/tmp.ZUxTcGGJ0m/bug783286.txt' should contain 'User category: all'
:: [ PASS ] :: Running 'cat /tmp/tmp.ZUxTcGGJ0m/bug783286.txt'
:: [ PASS ] :: Running 'ipa sudorule-add-host bug783286 --hosts=primenova.lab.eng.pnq.redhat.com'
:: [ PASS ] :: Running 'ipa sudorule-add-user bug783286 --users=shanks > /tmp/tmp.ZUxTcGGJ0m/bug783286.txt 2>&1'
:: [ PASS ] :: File '/tmp/tmp.ZUxTcGGJ0m/bug783286.txt' should contain 'ipa: ERROR: users cannot be added when user category='all''
:: [ PASS ] :: Running 'cat /tmp/tmp.ZUxTcGGJ0m/bug783286.txt'
:: [ PASS ] :: Running 'ipa sudorule-add-user bug783286 --groups=group1 > /tmp/tmp.ZUxTcGGJ0m/bug783286.txt 2>&1'
:: [ PASS ] :: File '/tmp/tmp.ZUxTcGGJ0m/bug783286.txt' should contain 'ipa: ERROR: users cannot be added when user category='all''
:: [ PASS ] :: Running 'cat /tmp/tmp.ZUxTcGGJ0m/bug783286.txt'
:: [ PASS ] :: Running 'ipa sudorule-del bug783286'
:: [ PASS ] :: Running 'ipa sudorule-add bug783286'
:: [ PASS ] :: Running 'ipa sudorule-add-user bug783286 --users=shanks'
:: [ PASS ] :: Running 'ipa sudorule-mod bug783286 --usercat=all > /tmp/tmp.ZUxTcGGJ0m/bug783286.txt 2>&1'
:: [ PASS ] :: File '/tmp/tmp.ZUxTcGGJ0m/bug783286.txt' should contain 'ipa: ERROR: user category cannot be set to 'all' while there are users'
:: [ PASS ] :: Running 'ipa sudorule-del bug783286'
:: [ PASS ] :: Running 'ipa sudorule-add bug783286'
:: [ PASS ] :: Running 'ipa sudorule-add-user bug783286 --groups=group1'
:: [ PASS ] :: Running 'ipa sudorule-mod bug783286 --usercat=all > /tmp/tmp.ZUxTcGGJ0m/bug783286.txt 2>&1'
:: [ PASS ] :: File '/tmp/tmp.ZUxTcGGJ0m/bug783286.txt' should contain 'ipa: ERROR: user category cannot be set to 'all' while there are users'
:: [ PASS ] :: Running 'ipa group-del group1'
:: [ PASS ] :: Running 'ipa user-del shanks'
:: [ PASS ] :: Running 'ipa sudocmd-del /bin/ls'
:: [ PASS ] :: Running 'ipa sudorule-del bug783286'
:: [ LOG ] :: Duration: 1m 43s
:: [ LOG ] :: Assertions: 27 good, 0 bad
:: [ PASS ] :: RESULT: ipa bug 783286 - Setting HBAC/SUDO category to Anyone doesn't remove users/groups
report saved as: /tmp/rhts.report.3804.txt
================ final pass/fail report =================

Verified: ipa-server-2.2.0-8.el6.x86_64
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html