Red Hat Bugzilla – Bug 785254
ipa permission-find --subtree brings back all permissions
Last modified: 2013-08-19 10:16:50 EDT
Description of problem:
1> using an invalid subtree filter does not throw any error
2> using a valid subtree filter brings back all permissions

Find one of the existing permissions:
  Permission name: Write IPA Configuration
  Permissions: write
  Attributes: ipausersearchfields, ipagroupsearchfields, ipasearchtimelimit, ipasearchrecordslimit, ipacustomfields, ipahomesrootdir, ipadefaultloginshell, ipadefaultprimarygroup, ipamaxusernamelength, ipapwdexpadvnotify, ipauserobjectclasses, ipagroupobjectclasses, ipadefaultemaildomain, ipamigrationenabled, ipacertificatesubjectbase, ipaconfigstring
  Subtree: ldap:///cn=ipaconfig,cn=etc,dc=testrelm,dc=com
  Granted to Privilege: Write IPA Configuration

Tried:
ipa permission-find --subtree="ldap:///cn=ipaconfig,cn=etc,dc=testrelm,dc=com"
ipa permission-find --subtree="ldap:\/\/\/cn=ipaconfig,cn=etc,dc=testrelm,dc=com"
ipa permission-find --subtree="cn=ipaconfig,cn=etc,dc=testrelm,dc=com"

All 3 above attempts brought back all permissions

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-101.20120123T0157zgit64cf8a4.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Find a permission using subtree as mentioned above

Actual results:
All permissions are brought back

Expected results:
Only the matching permission to be listed.
If subtree filter is incorrect, error should be displayed.
If the subtree filter doesn't match any permission, then bring back 0 permissions with message that 0 permissions matched.

Additional info:
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2321
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/26ab9a504f504f59cfd3af929dbeac2ddc201ed3

Note that we don't do validation on search terms so we aren't going to report whether a subtree is valid or not, just which entries match. The match is case-insensitive.
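An added example, not part of the original report and not FreeIPA's code: a client-side check that parses `ipa permission-find` output and lists returned entries whose Subtree does not equal the requested one, which is how an ignored --subtree filter shows up. The sample output, the "Example DNS Permission" entry and the whole-value case-insensitive comparison are assumptions made for illustration; entries that print a Type instead of a Subtree are reported separately because the output gives nothing to compare.

```python
import re

# Constructed sample in the layout `ipa permission-find` prints (not captured output).
SAMPLE_OUTPUT = """\
---------------------
3 permissions matched
---------------------
  Permission name: Write IPA Configuration
  Permissions: write
  Subtree: ldap:///cn=ipaconfig,cn=etc,dc=testrelm,dc=com
  Granted to Privilege: Write IPA Configuration

  Permission name: Example DNS Permission
  Permissions: write
  Subtree: ldap:///cn=dns,dc=testrelm,dc=com

  Permission name: Add Hosts
  Permissions: add
  Type: host
----------------------------
Number of entries returned 3
----------------------------
"""

# "Label: value" lines; the label ends at the first colon, so ldap:/// URIs stay in the value.
FIELD = re.compile(r"^\s*([^:]+?):\s*(.*)$")

def parse_permissions(text):
    """Split CLI output into one dict per permission, keyed by field label."""
    entries, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # separators, counters and blank lines carry no field
        key, value = m.group(1), m.group(2)
        if key == "Permission name":
            current = {}
            entries.append(current)
        if current is not None:
            current[key] = value
    return entries

def audit_subtree_filter(text, requested):
    """Return (mismatched, unverifiable) permission names for a --subtree query."""
    want = requested.casefold()  # assumption: whole-value, case-insensitive match
    mismatched, unverifiable = [], []
    for entry in parse_permissions(text):
        subtree = entry.get("Subtree")
        if subtree is None:
            unverifiable.append(entry["Permission name"])
        elif subtree.casefold() != want:
            mismatched.append(entry["Permission name"])
    return mismatched, unverifiable
```

A non-empty first list for a query that should have been narrowed is the symptom reported in this bug.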
Verified using ipa-server-3.0.0-8.el6.x86_64

Verified in automated test. Results:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-permission-cli-1049 - find permission - --subtree (bug 785254)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [11:04:48] :: Executing: ipa permission-find --subtree=cn=computers,cn=accounts,dc=testrelm,dc=com --all
:: [11:04:49] :: WARNING: permission-find command failed.
:: [ PASS ] :: No permissions matched - as expected.
---------------------
7 permissions matched
---------------------
  dn: cn=Add Hosts,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Add Hosts
  Permissions: add
  Type: host
  Granted to Privilege: Host Administrators
  memberindirect: cn=IT Specialist,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: top, groupofnames, ipapermission

  dn: cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Add krbPrincipalName to a host
  Permissions: write
  Attributes: krbprincipalname
  Type: host
  Filter: (!(krbprincipalname=*))
  Granted to Privilege: Host Administrators, Host Enrollment
  memberindirect: cn=IT Specialist,cn=roles,cn=accounts,dc=testrelm,dc=com, cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=com, uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com
  objectclass: top, groupofnames, ipapermission

  dn: cn=Enroll a host,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Enroll a host
  Permissions: write
  Attributes: objectclass
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment
  memberindirect: cn=IT Specialist,cn=roles,cn=accounts,dc=testrelm,dc=com, cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=com, uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com
  objectclass: top, groupofnames, ipapermission

  dn: cn=Manage host keytab,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Manage host keytab
  Permissions: write
  Attributes: krbprincipalkey, krblastpwdchange
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment
  memberindirect: cn=IT Specialist,cn=roles,cn=accounts,dc=testrelm,dc=com, cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=com, uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com
  objectclass: top, groupofnames, ipapermission

  dn: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Manage Host SSH Public Keys
  Permissions: write
  Attributes: ipasshpubkey
  Type: host
  Granted to Privilege: Host Administrators
  memberindirect: cn=IT Specialist,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: top, groupofnames, ipapermission

  dn: cn=Modify Hosts,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Modify Hosts
  Permissions: write
  Attributes: description, l, nshostlocation, nshardwareplatform, nsosversion
  Type: host
  Granted to Privilege: Host Administrators
  memberindirect: cn=IT Specialist,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: top, groupofnames, ipapermission

  dn: cn=Remove Hosts,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Remove Hosts
  Permissions: delete
  Type: host
  Granted to Privilege: Host Administrators
  memberindirect: cn=IT Specialist,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: top, groupofnames, ipapermission
----------------------------
Number of entries returned 7
----------------------------
:: [ PASS ] :: Verify permissions are found for --subtree=ldap:///fqdn=*,cn=computers,cn=accounts,dc=testrelm,dc=com
---------------------
7 permissions matched
---------------------
  Permission name: Add Hosts
  Permissions: add
  Type: host
  Granted to Privilege: Host Administrators

  Permission name: Add krbPrincipalName to a host
  Permissions: write
  Attributes: krbprincipalname
  Type: host
  Filter: (!(krbprincipalname=*))
  Granted to Privilege: Host Administrators, Host Enrollment

  Permission name: Enroll a host
  Permissions: write
  Attributes: objectclass
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment

  Permission name: Manage host keytab
  Permissions: write
  Attributes: krbprincipalkey, krblastpwdchange
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment

  Permission name: Manage Host SSH Public Keys
  Permissions: write
  Attributes: ipasshpubkey
  Type: host
  Granted to Privilege: Host Administrators

  Permission name: Modify Hosts
  Permissions: write
  Attributes: description, l, nshostlocation, nshardwareplatform, nsosversion
  Type: host
  Granted to Privilege: Host Administrators

  Permission name: Remove Hosts
  Permissions: delete
  Type: host
  Granted to Privilege: Host Administrators
----------------------------
Number of entries returned 7
----------------------------
:: [ PASS ] :: Running 'ipa permission-find --subtree=ldap:///fqdn=*,cn=computers,cn=accounts,dc=testrelm,dc=com'
'1ad531be-a03f-49bb-b317-548624f31a67'
ipa-permission-cli-1049-find-permission-subtree-bug-785254- result: PASS
   metric: 0
   Log: /tmp/beakerlib-9394024/journal.txt
    Info: Searching AVC errors produced since 1353945888.11 (Mon Nov 26 11:04:48 2012)
     Searching logs...
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.DC6dRL :
   AvcLog: /mnt/testarea/tmp.DC6dRL
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html