Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 788645 - [RFE] Allow filter and subtree to be added in same permission
[RFE] Allow filter and subtree to be added in same permission
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.0
Unspecified Unspecified
medium Severity unspecified
: rc
: ---
Assigned To: Martin Kosek
Namita Soman
: FutureFeature
Depends On: 976382 1153292
Blocks: 893850 894378
  Show dependency treegraph
 
Reported: 2012-02-08 12:26 EST by Dmitri Pal
Modified: 2015-03-05 05:08 EST (History)
3 users (show)

See Also:
Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 05:08:17 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0442 normal SHIPPED_LIVE Moderate: ipa security, bug fix, and enhancement update 2015-03-05 09:50:39 EST

  None (edit)
Description Dmitri Pal 2012-02-08 12:26:58 EST 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2355

A number of different permission options are mutually exclusive in an attempt to limit the scope of what types of permissions can be made.

Right now it is not possible to specify one with a subtree (target) and a filter (targetfilter). This is not necessary and I think too limiting.

It isn't possible, for example, to create an aci that lets you modify the user password of users (target) except for members of the admins group (targetfilter).
Comment 2 Martin Kosek 2014-01-03 08:28:46 EST 
Fixed upstream as a part of permission plugin refactoring (https://fedorahosted.org/freeipa/ticket/4034):

423bb38965ce361c3a4d373ddc03008842f110ac Test adding noaci/system permissions to privileges
d38748d64f5c7fb098b839b3c00a1f812d510d3b Make sure SYSTEM permissions can be retreived with --all --raw
7fc35ced1d83d9901f4a1bf59482c3c4666d6079 permission plugin: Ensure ipapermlocation (subtree) always exists
53caa7aca21b097e1ca975c1c4b4e7038558bc9b Roll back ACI changes on failed permission updates
f47669a5b969a512756a39f451f04ed9c95ce3ab Verify ACIs are added correctly in tests
d7ee87cfa1e288fe18dc2dbeb2d691753048f4db Rewrite the Permission plugin
445634d6ac39669cc007871861e19e15ae22c12d Add new permission schema
8ddb5da1eab910d5dd6eb13696bb6092e979d5a1 Add tests for permission plugin with older clients
a1236b654200ba79ba0074ca88ff5972802fed56 Allow Declarative test classes to specify the API version
a8ba5e0ef9fa92fb465aab8c25947f5717f4b3cb Allow sets for initialization of frozenset-typed Param keywords
Comment 4 Namita Soman 2015-01-26 09:21:07 EST 
Verified using ipa-server-4.1.0-15.el7.x86_64

filter and subtree can now be added in same permission
 
# ipa permission-add read_roles --subtree cn=roles,cn=accounts,dc=testrelm,dc=test --filter "(cn=helpdesk)" --attrs={objectclass,cn,description} --bindtype=anonymous --right={read,search,compare}
-----------------------------
Added permission "read_roles"
-----------------------------
  Permission name: read_roles
  Granted rights: read, search, compare
  Effective attributes: cn, createtimestamp, description, entryusn, modifytimestamp, objectclass
  Bind rule type: anonymous
  Subtree: cn=roles,cn=accounts,dc=testrelm,dc=test
  Extra target filter: (cn=helpdesk)


# ipa permission-show read_roles --all
  dn: cn=read_roles,cn=permissions,cn=pbac,dc=testrelm,dc=test
  Permission name: read_roles
  Granted rights: read, search, compare
  Effective attributes: cn, createtimestamp, description, entryusn, modifytimestamp, objectclass
  Included attributes: objectclass, cn, description
  Bind rule type: anonymous
  Subtree: cn=roles,cn=accounts,dc=testrelm,dc=test
  Extra target filter: (cn=helpdesk)
  Raw target filter: (cn=helpdesk)
  ipapermissiontype: V2, SYSTEM
  objectclass: ipapermission, top, groupofnames, ipapermissionv2
Comment 6 errata-xmlrpc 2015-03-05 05:08:17 EST 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.