RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 788645 - [RFE] Allow filter and subtree to be added in same permission
Summary: [RFE] Allow filter and subtree to be added in same permission
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On: 976382 1153292
Blocks: 893850 894378
TreeView+ depends on / blocked
 
Reported: 2012-02-08 17:26 UTC by Dmitri Pal
Modified: 2015-03-05 10:08 UTC (History)
3 users (show)

Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:08:17 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0442 0 normal SHIPPED_LIVE Moderate: ipa security, bug fix, and enhancement update 2015-03-05 14:50:39 UTC

Description Dmitri Pal 2012-02-08 17:26:58 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2355

A number of different permission options are mutually exclusive in an attempt to limit the scope of what types of permissions can be made.

Right now it is not possible to specify one with a subtree (target) and a filter (targetfilter). This is not necessary and I think too limiting.

It isn't possible, for example, to create an aci that lets you modify the user password of users (target) except for members of the admins group (targetfilter).
Comment 2 Martin Kosek 2014-01-03 13:28:46 UTC 
Fixed upstream as a part of permission plugin refactoring (https://fedorahosted.org/freeipa/ticket/4034):

423bb38965ce361c3a4d373ddc03008842f110ac Test adding noaci/system permissions to privileges
d38748d64f5c7fb098b839b3c00a1f812d510d3b Make sure SYSTEM permissions can be retreived with --all --raw
7fc35ced1d83d9901f4a1bf59482c3c4666d6079 permission plugin: Ensure ipapermlocation (subtree) always exists
53caa7aca21b097e1ca975c1c4b4e7038558bc9b Roll back ACI changes on failed permission updates
f47669a5b969a512756a39f451f04ed9c95ce3ab Verify ACIs are added correctly in tests
d7ee87cfa1e288fe18dc2dbeb2d691753048f4db Rewrite the Permission plugin
445634d6ac39669cc007871861e19e15ae22c12d Add new permission schema
8ddb5da1eab910d5dd6eb13696bb6092e979d5a1 Add tests for permission plugin with older clients
a1236b654200ba79ba0074ca88ff5972802fed56 Allow Declarative test classes to specify the API version
a8ba5e0ef9fa92fb465aab8c25947f5717f4b3cb Allow sets for initialization of frozenset-typed Param keywords
Comment 4 Namita Soman 2015-01-26 14:21:07 UTC 
Verified using ipa-server-4.1.0-15.el7.x86_64

filter and subtree can now be added in same permission
 
# ipa permission-add read_roles --subtree cn=roles,cn=accounts,dc=testrelm,dc=test --filter "(cn=helpdesk)" --attrs={objectclass,cn,description} --bindtype=anonymous --right={read,search,compare}
-----------------------------
Added permission "read_roles"
-----------------------------
  Permission name: read_roles
  Granted rights: read, search, compare
  Effective attributes: cn, createtimestamp, description, entryusn, modifytimestamp, objectclass
  Bind rule type: anonymous
  Subtree: cn=roles,cn=accounts,dc=testrelm,dc=test
  Extra target filter: (cn=helpdesk)


# ipa permission-show read_roles --all
  dn: cn=read_roles,cn=permissions,cn=pbac,dc=testrelm,dc=test
  Permission name: read_roles
  Granted rights: read, search, compare
  Effective attributes: cn, createtimestamp, description, entryusn, modifytimestamp, objectclass
  Included attributes: objectclass, cn, description
  Bind rule type: anonymous
  Subtree: cn=roles,cn=accounts,dc=testrelm,dc=test
  Extra target filter: (cn=helpdesk)
  Raw target filter: (cn=helpdesk)
  ipapermissiontype: V2, SYSTEM
  objectclass: ipapermission, top, groupofnames, ipapermissionv2
Comment 6 errata-xmlrpc 2015-03-05 10:08:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
Note You need to log in before you can comment on or make changes to this bug.