Description of problem:

The help for ipa delegation appears to be incorrect. The EXAMPLES section says:

<snip>
Add a delegation rule to allow managers to edit employee's addresses:
  ipa delegation-add --attrs=street --membergroup=managers --group=employees "managers edit employees' street"
</snip>

This appears to contradict what is described in the Identity Management Guide (which appears to reflect actual behaviour):

<snip>
--group, the group who is being granted permissions to the entries of users in the user group.
--membergroup, the group whose entries can be edited by members of the delegation group.
</snip>

Tests reflect the latter behaviour.

Version-Release number of selected component (if applicable):

389-ds-base-1.2.9.14-1.el6.x86_64
389-ds-base-libs-1.2.9.14-1.el6.x86_64
ipa-admintools-2.2.0-101.20120123T0157zgit64cf8a4.el6.x86_64
ipa-server-2.2.0-101.20120123T0157zgit64cf8a4.el6.x86_64

How reproducible: always

Steps to Reproduce:
1. <setup ipa server>
2. ipa help delegation

Actual results:

"ipa help delegation" shows incorrect example with group and membergroup reversed.

<snip>
Add a delegation rule to allow managers to edit employee's addresses:
  ipa delegation-add --attrs=street --membergroup=managers --group=employees "managers edit employees' street"
</snip>

Expected results:

I'd expect the EXAMPLE to read:

Add a delegation rule to allow managers to edit employee's addresses:
  ipa delegation-add --attrs=street --group=managers --membergroup=employees "managers edit employees' street"

Or similar.

Additional info:

Test to reproduce behaviour:
1. <setup ipa server>
2. kinit admin
3. create users employee and manager
4. ipa group-add --desc=managers managers
5. ipa group-add --desc=employees employees
6. ipa group-add-member managers --users=manager
7. ipa group-add-member employees --users=employee
8. ipa delegation-add test --membergroup=managers --group=employees --attrs=street
9. ipa user-mod employee --street=Elm <fails/>
10. kinit employee
11. ipa user-mod manager --street=Pine <works/>
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2317
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/01929015e04688be073e129e47d789bb91186bac
ipa-2-2: https://fedorahosted.org/freeipa/changeset/079952f107ba415f43541e5be85bb54caeb9c1f2
Verified.

Version :: ipa-server-2.2.0-4.el6.x86_64

Automated Test Results ::

There was a bug in the testing. The function to test for this was not executed from the main function for bug testing. Fixing that in the test automation code. This is a manual run of that code.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: delegation_bz_784468: ipa help delegation example has group and membergroup backwards?
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'ipa help delegation > /delegation_bz_784468.14405.out 2>&1'
:: [ PASS ] :: BZ 784468 not found

Manual Test Results ::

[root@hp-xw6600-01 ipa-delegation-cli]# ipa help delegation

Group to Group Delegation

A permission enables fine-grained delegation of permissions. Access Control
Rules, or instructions (ACIs), grant permission to permissions to perform
given tasks such as adding a user, modifying a group, etc.

Group to Group Delegations grants the members of one group to update a set
of attributes of members of another group.

EXAMPLES:

 Add a delegation rule to allow managers to edit employee's addresses:
   ipa delegation-add --attrs=street --group=managers --membergroup=employees "managers edit employees' street"

 When managing the list of attributes you need to include all attributes
 in the list, including existing ones. Add postalCode to the list:
   ipa delegation-mod --attrs=street,postalCode --group=managers --membergroup=employees "managers edit employees' street"

 Display our updated rule:
   ipa delegation-show "managers edit employees' street"

 Delete a rule:
   ipa delegation-del "managers edit employees' street"

Topic commands:
  delegation-add   Add a new delegation.
  delegation-del   Delete a delegation.
  delegation-find  Search for delegations.
  delegation-mod   Modify a delegation.
  delegation-show  Display information about a delegation.

Expected result found right after EXAMPLES: above.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html