Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 784468

Summary: ipa help delegation example has group and membergroup backwards?
Product: Red Hat Enterprise Linux 6 Reporter: Scott Poore <spoore>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.3CC: jgalipea, mkosek
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.2.0-1.el6 Doc Type: Bug Fix
Doc Text:
No documentation needed.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 13:31:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Scott Poore 2012-01-25 02:47:21 UTC 
Description of problem:

The help for ipa delegation appears to be incorrect.  The EXAMPLES section says:
<snip>
 Add a delegation rule to allow managers to edit employee's addresses:
   ipa delegation-add --attrs=street --membergroup=managers --group=employees "managers edit employees' street"
</snip>

This appears to contradict what is described in the Identity Management Guide (which appears to reflect actual behaviour):

<snip>
--group, the group who is being granted permissions to the entries of users in the user group.

--membergroup, the group whose entries can be edited by members of the delegation group. 
</snip>

Tests reflect the latter behaviour.

Version-Release number of selected component (if applicable):

389-ds-base-1.2.9.14-1.el6.x86_64
389-ds-base-libs-1.2.9.14-1.el6.x86_64
ipa-admintools-2.2.0-101.20120123T0157zgit64cf8a4.el6.x86_64
ipa-server-2.2.0-101.20120123T0157zgit64cf8a4.el6.x86_64

How reproducible:

always

Steps to Reproduce:
1. <setup ipa server>
2. ipa help delegation

Actual results:

"ipa help delegation" shows incorrect example with group and membergroup reversed.

<snip>
 Add a delegation rule to allow managers to edit employee's addresses:
   ipa delegation-add --attrs=street --membergroup=managers --group=employees "managers edit employees' street"
</snip>

Expected results:

I'd expect the EXAMPLE to read:
 Add a delegation rule to allow managers to edit employee's addresses:
   ipa delegation-add --attrs=street --group=managers --membergroup=employees "managers edit employees' street"


Or similar.

Additional info:

Test to reproduce behaviour:
1. <setup ipa server>
2. kinit admin
3. create users employee and manager
4. ipa group-add --desc=managers managers
5. ipa group-add --desc=employees employees
6. ipa group-add-member managers --users=manager
7. ipa group-add-member employees --users=employee
8. ipa delegation-add test --membergroup=managers --group=employees --attrs=street
9. ipa user-mod employee --street=Elm
<fails/>
10. kinit employee
11. ipa user-mod manager --street=Pine
<works/>
Comment 2 Martin Kosek 2012-01-27 09:12:17 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2317
Comment 3 Martin Kosek 2012-02-06 13:15:54 UTC 
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/01929015e04688be073e129e47d789bb91186bac
ipa-2-2: https://fedorahosted.org/freeipa/changeset/079952f107ba415f43541e5be85bb54caeb9c1f2
Comment 5 Scott Poore 2012-03-16 21:27:35 UTC 
Verified.

Version :: ipa-server-2.2.0-4.el6.x86_64

Automated Test Results ::

There was a bug in the testing.  The function to test for this was not executed from the main function for bug testing.  Fixing that in the test automation code.  This is a manual run of that code.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: delegation_bz_784468: ipa help delegation example has group and membergroup backwards?
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'ipa help delegation > /delegation_bz_784468.14405.out 2>&1'
:: [   PASS   ] :: BZ 784468 not found


Manual Test Results ::

[root@hp-xw6600-01 ipa-delegation-cli]# ipa help delegation
Group to Group Delegation

A permission enables fine-grained delegation of permissions. Access Control
Rules, or instructions (ACIs), grant permission to permissions to perform
given tasks such as adding a user, modifying a group, etc.

Group to Group Delegations grants the members of one group to update a set
of attributes of members of another group.

EXAMPLES:

 Add a delegation rule to allow managers to edit employee's addresses:
   ipa delegation-add --attrs=street --group=managers --membergroup=employees "managers edit employees' street"

 When managing the list of attributes you need to include all attributes
 in the list, including existing ones. Add postalCode to the list:
   ipa delegation-mod --attrs=street,postalCode --group=managers --membergroup=employees "managers edit employees' street"

 Display our updated rule:
   ipa delegation-show "managers edit employees' street"

 Delete a rule:
   ipa delegation-del "managers edit employees' street"

Topic commands:
  delegation-add   Add a new delegation.
  delegation-del   Delete a delegation.
  delegation-find  Search for delegations.
  delegation-mod   Modify a delegation.
  delegation-show  Display information about a delegation.


Expected result found right after EXAMPLES: above.
Comment 7 Martin Kosek 2012-04-20 12:18:33 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.
Comment 9 errata-xmlrpc 2012-06-20 13:31:35 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html