Bug 817401 - ipa permission-add does not fail if using invalid attribute
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Martin Kosek
QA Contact: IDM QE LIST
Docs Contact:
Depends On: 783502
Blocks:
Reported: 2012-04-29 15:53 EDT by Dmitri Pal
Modified: 2015-01-16 08:46 EST (History)
CC List: 4 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 783502
Environment:
Last Closed: 2015-01-16 08:46:29 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Comment 1 Martin Kosek 2012-05-03 02:56:45 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2714
Comment 4 Martin Kosek 2015-01-16 08:46:29 EST
permission-add should fail when permission is added on an *unknown* attribute, which it does, in IdM/FreeIPA 4.1 and later:

# ipa permission-add ManageUser --permissions=write --type=user --attr=foo
ipa: ERROR: targetattr "foo" does not exist in schema. Please add attributeTypes "foo" to schema if necessary. ACL Syntax Error(-5):(targetattr = \22foo\22)(targetfilter = \22(objectclass=posixaccount)\22)(version 3.0;acl \22permission:ManageUser\22;allow (write) groupdn = \22ldap:///cn=ManageUser,cn=permissions,cn=pbac,dc=mkosek-f21,dc=test\22;): Invalid syntax.

Additional checks on top of that would lower the flexibility of the command (default list of user objectclasses can be extended by plugins or other means).
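Added example (editor's code, not FreeIPA, 389-DS or anything attached to this bug): the check the directory server performs when it rejects the ACI above is "is every targetattr a declared attributeTypes in cn=schema", and nothing more. The script below reproduces that check over the ACI string from Comment 4 and a constructed mini-schema; the attributeTypes definitions and their OIDs are standard LDAP ones, but the list is deliberately tiny and is not the schema of a real IdM server. It does not test whether the attribute belongs to a user objectclass, for the flexibility reason given in the comment.

```python
import re

# Constructed mini-schema: RFC 4512 attributeTypes values in the form a
# 389-DS server publishes them in cn=schema.  Only a handful of entries so
# the example is self-contained; a real server has hundreds.
SCHEMA_ATTRIBUTE_TYPES = [
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
    "( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name )",
    "( 2.5.4.35 NAME 'userPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
    "( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' ) EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )",
    "( 1.3.6.1.1.1.1.0 NAME 'uidNumber' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )",
]

# The ACI quoted in the server's error message in Comment 4, verbatim
# (the server writes double quotes as \22 in that output).
ACI_FROM_BUG = (
    r'(targetattr = \22foo\22)(targetfilter = \22(objectclass=posixaccount)\22)'
    r'(version 3.0;acl \22permission:ManageUser\22;allow (write) groupdn = '
    r'\22ldap:///cn=ManageUser,cn=permissions,cn=pbac,dc=mkosek-f21,dc=test\22;)'
)

# NAME 'single' or NAME ( 'alias1' 'alias2' ... )
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")
# (targetattr = "a || b")  or  (targetattr != "a")
_TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*!?=\s*"([^"]*)"\s*\)', re.IGNORECASE)


def schema_attribute_names(definitions):
    """Return every attribute name (and alias) declared by the given
    attributeTypes definitions, lower-cased because LDAP names are
    case-insensitive."""
    names = set()
    for definition in definitions:
        match = _NAME_RE.search(definition)
        if not match:
            continue
        if match.group(1):
            names.add(match.group(1).lower())
        else:
            names.update(n.lower() for n in re.findall(r"'([^']+)'", match.group(2)))
    return names


def aci_target_attrs(aci):
    """List the attributes named in every targetattr clause of an ACI,
    after undoing the \\22 quote escaping seen in the server's error text."""
    text = aci.replace(r"\22", '"')
    attrs = []
    for match in _TARGETATTR_RE.finditer(text):
        attrs.extend(a.strip() for a in match.group(1).split("||") if a.strip())
    return attrs


def unknown_target_attrs(aci, definitions=SCHEMA_ATTRIBUTE_TYPES):
    """Attributes an ACI targets that no attributeTypes definition declares.
    This is the only check the server applies; whether the attribute is
    allowed by the entry's objectclasses is intentionally not tested, since
    plugins can extend the objectclasses a user entry carries."""
    known = schema_attribute_names(definitions)
    unknown = []
    for attr in aci_target_attrs(aci):
        if attr.lower() not in known and attr not in unknown:
            unknown.append(attr)
    return unknown


if __name__ == "__main__":
    bad = unknown_target_attrs(ACI_FROM_BUG)
    if bad:
        print('targetattr %s does not exist in schema' % ", ".join('"%s"' % a for a in bad))
    else:
        print("all target attributes are declared in the schema")
```

Run stand-alone it reports `foo` as undeclared, matching the server's rejection in Comment 4; feeding it an ACI that targets `uid || commonName` passes, because aliases from the NAME list count as declared names just as they do in the directory server.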
