Bug 783536 - [ipa webui] permission with filter or subtree does not allow attr to be specified
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 786629 819997
Reported: 2012-01-20 18:44 UTC by Namita Soman
Modified: 2012-06-20 13:31 UTC (History)

Fixed In Version: ipa-2.2.0-9.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Clones: 786629
Environment:
Last Closed: 2012-06-20 13:31:20 UTC
Target Upstream Version:
Embargoed:

Links:
Red Hat Product Errata RHBA-2012:0819 (priority normal, status SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2012-06-19 20:34:17 UTC

Description Namita Soman 2012-01-20 18:44:20 UTC
Description of problem:
A permission that specifies a filter, is disregarded, when a user is assigned that permission.


1> Add a permission:
ipa permission-add "ManageGroup" --filter='(&(!(objectclass=posixgroup))(objectclass=ipausergroup))' --permissions=write
2> Add privilege with just this one permission.
3> Add role with just the above privilege
4> Add user and assign the role above
5> Add a group and uncheck "Is this a POSIX group"
6> kinit as this user
7> Update the group's description, and an error is thrown about having insufficient access

Expected this user to be able to update the above added group's description, or add other users as members of this group.
Doc says:
--filter uses an LDAP filter to identify which entries the permission applies to. All attributes within the matching entries can be modified.


tried another filter -
ipa permission-add "ManageGroup" --filter='(givenname=xyz)' --permissions=write

and expected the kinit'd user with this permission to be able to change attributes for user with givenname=xyz, but this user is displayed (in UI) as readonly, and no attributes can be modified.

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-101.20120117T0229zgit5febffb.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. as indicated above

Actual results:
an error is thrown about having insufficient access

Expected results:
Expected this user to be able to update the above added group's description, or add other users as members of this group.

Additional info:

Comment 2 Dmitri Pal 2012-01-20 23:18:55 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2294

Comment 3 Namita Soman 2012-01-24 14:32:01 UTC
Same behaviour seen when using subtree.

Added a permission:
ipa permission-add ManageHost --permissions="write" --subtree=cn=computers,cn=accounts,dc=testrelm,dc=com 

Login as a user whose role includes this perm; the user can only edit desc, kerberos key, otp, and host cert (cannot update successfully), but still these are the only fields available. Locality, location, platform and OS are not allowed to be edited by this user. Should be able to edit "all" attributes.

Comment 4 Namita Soman 2012-01-25 14:48:44 UTC
Based on Rich's explanation in bug 784315, "in an aci, if you do not specify a targetattr clause, the default is no access to any attribute"

And so I was seeing the behaviour above.

I can specify attr in CLI when using filter, but UI doesn't allow attr to be specified, when using filter or subtree.
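
The explanation above (no targetattr clause means no attribute access) is easy to check for mechanically. The following is an added audit script, not part of this bug or of IPA, that parses 389-DS style ACI strings and flags write permissions that grant no attribute at all, or every attribute; the sample ACIs are constructed to approximate what the permission-add commands in this bug would produce, and the groupdn values are assumptions.

```python
import re

# Constructed sample ACIs in 389-DS syntax, approximating what the
# permission-add commands in this bug produce (not copied from IPA).
SAMPLE_ACIS = {
    # filter only, no --attr: per the explanation in this bug it grants nothing
    "ManageGroup": (
        '(targetfilter = "(&(!(objectclass=posixgroup))(objectclass=ipausergroup))")'
        '(version 3.0;acl "permission:ManageGroup";allow (write) '
        'groupdn = "ldap:///cn=ManageGroup,cn=permissions,cn=pbac,dc=testrelm,dc=com";)'
    ),
    # subtree plus --attr=nshostlocation: write limited to one attribute
    "ManageHost1": (
        '(targetattr = "nshostlocation")'
        '(target = "ldap:///cn=computers,cn=accounts,dc=testrelm,dc=com")'
        '(version 3.0;acl "permission:ManageHost1";allow (write) '
        'groupdn = "ldap:///cn=groupone,cn=groups,cn=accounts,dc=testrelm,dc=com";)'
    ),
    # targetattr "*" with write: every attribute in the subtree is writable
    "ManageAll": (
        '(targetattr = "*")(target = "ldap:///cn=computers,cn=accounts,dc=testrelm,dc=com")'
        '(version 3.0;acl "permission:ManageAll";allow (write) '
        'groupdn = "ldap:///cn=ManageAll,cn=permissions,cn=pbac,dc=testrelm,dc=com";)'
    ),
}

CLAUSE_RE = re.compile(r'\((targetattr|target|targetfilter)\s*(!?=)\s*"([^"]*)"\)')
RIGHTS_RE = re.compile(r'allow\s*\(([^)]*)\)')
# rights that operate on attributes and therefore need a targetattr clause;
# entry-level rights such as add/delete do not
ATTR_RIGHTS = {"read", "search", "compare", "write", "selfwrite"}

def parse_aci(aci):
    """Return the target clauses (name -> (operator, value)) and granted rights."""
    clauses = {name: (op, val) for name, op, val in CLAUSE_RE.findall(aci)}
    m = RIGHTS_RE.search(aci)
    rights = [r.strip() for r in m.group(1).split(",")] if m else []
    return {"clauses": clauses, "rights": rights}

def audit_aci(aci):
    """'no-op': attribute rights but no targetattr; 'broad': write to all attrs; else 'ok'."""
    info = parse_aci(aci)
    attrs = info["clauses"].get("targetattr")
    rights = set(info["rights"])
    if attrs is None:
        return "no-op" if rights & ATTR_RIGHTS else "ok"
    op, value = attrs
    if "write" in rights and (op == "!=" or value.strip() == "*"):
        return "broad"
    return "ok"

def audit_all(acis=SAMPLE_ACIS):
    """Audit every ACI and return name -> classification."""
    return {name: audit_aci(aci) for name, aci in acis.items()}
```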

Comment 5 Petr Vobornik 2012-02-29 13:10:51 UTC
Fixed in upstream: https://fedorahosted.org/freeipa/ticket/2372

Master:

    885ffe5a3e2ef4d370c4fffa458ef44fd61c5250
    37cdbae23424b0dd8c6296d0303efdfa3bfffcfd 

ipa2-2:

    c34b1a31a476efc468a0332a0576e96a6acffcb8
    0ec8b421ec8f2dfa4572f3d3253a0888c58c6fb0

Comment 6 Martin Kosek 2012-02-29 14:36:01 UTC
Just a small clarification - Ticket 2294 was closed upstream as well as a duplicate of Ticket 2372.

Comment 8 Namita Soman 2012-04-04 15:25:24 UTC
Using ipa-server-2.2.0-7.el6.x86_64

In UI, can add Permission with Target chosen to be Filter, and this allows to "Add" attributes. 

But with Target chosen to be Subtree, still cannot "Add" attribute. 

CLI allows this:
# ipa permission-add ManageHost1 --permissions="write" --subtree=cn=computers,cn=accounts,dc=testrelm,dc=com --attr=nshostlocation --memberof=groupone
------------------------------
Added permission "ManageHost1"
------------------------------
  Permission name: ManageHost1
  Permissions: write
  Attributes: nshostlocation
  Member of group: groupone
  Subtree: ldap:///cn=computers,cn=accounts,dc=testrelm,dc=com

Added new permission ManageHost1 successfully

Comment 9 Martin Kosek 2012-04-05 07:03:48 UTC
Thanks for testing Namita, I will reopen upstream ticket.

Comment 10 Martin Kosek 2012-04-05 07:13:43 UTC
There is already a special upstream ticket dealing with the issue you found, I will link the Bugzilla there:

https://fedorahosted.org/freeipa/ticket/2592

Comment 11 Petr Vobornik 2012-04-10 11:57:34 UTC
Now it should be finally fixed in upstream.

master: dedc7889dc0e8987cc7cc6f70a67ae571c80a10b

ipa-2-2: 49ed21dee4d3c2524f633592f935ba39c5faba6a

adds attrs for target=subtree. So all target types should have attrs field.

Comment 13 Namita Soman 2012-04-16 13:16:10 UTC
Verified using ipa-server-2.2.0-9.el6.x86_64

Comment 15 Martin Kosek 2012-04-20 12:08:51 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.

Comment 18 errata-xmlrpc 2012-06-20 13:31:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

