Red Hat Bugzilla – Bug 870446
multi operations with attribute manipulation not returning error
Last modified: 2013-02-21 04:29:31 EST
Description of problem: When doing a multioperation --addattr and --delattr on an attribute that is single valued and required, no error message is returned. This is a regression from previously releases. # ipa group-del test -------------------- Deleted group "test" -------------------- [root@qe-blade-11 ipa-group-cli]# ipa group-add --desc=test test ------------------ Added group "test" ------------------ Group name: test Description: test GID: 523800179 CORRECT BEHAVIOR # ipa group-mod --addattr gidnumber=12345678 test ipa: ERROR: gidnumber: Only one value allowed. # ipa group-mod --delattr gidnumber=12345678 test ipa: ERROR: gidnumber does not contain '12345678' # ipa group-mod --delattr gidnumber=523800179 test ipa: ERROR: 'gid' is required INCORRECT BEHAVIOR # ipa group-mod --addattr gidnumber=12345678 --delattr gidnumber=12345678 test --------------------- Modified group "test" --------------------- Group name: test Description: test GID: 523800179 # echo $? 0 Version-Release number of selected component (if applicable): # rpm -qi ipa-server Name : ipa-server Relocations: (not relocatable) Version : 3.0.0 Vendor: (none) Release : 105.20121022T2338zgit3488770.el6 Build Date: Mon 22 Oct 2012 09:13:40 PM EDT Install Date: Thu 25 Oct 2012 03:17:00 PM EDT Build Host: goofy-vm16.dsdev.sjc.redhat.com Group : System Environment/Base Source RPM: ipa-3.0.0-105.20121022T2338zgit3488770.el6.src.rpm Size : 4357546 License: GPLv3+ Signature : (none) URL : http://www.freeipa.org/ Summary : The IPA authentication server Description : IPA is an integrated solution to provide centrally managed Identity (machine, user, virtual machines, groups, authentication credentials), Policy (configuration settings, access control information) and Audit (events, logs, analysis thereof). If you are installing an IPA server you need to install this package (in other words, most people should NOT install this package). How reproducible: always Steps to Reproduce: 1. see description 2. 3. Actual results: No error, appears successful but isn't and return code 0 Expected results: according to help .. --addattr=STR Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. --delattr=STR Delete an attribute/value pair. The option will be evaluated last, after all sets and adds. delattr should be evaluated last and would have at least expected # ipa group-mod --delattr gidnumber=523800179 test ipa: ERROR: 'gid' is required and return code of 1 Additional info:
Test failure :: :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: ipa-group-multiop-005 group-mod --delattr + --addattr null op for gidnumber :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ FAIL ] :: Testing a multi-value manipulation for gidnumber (Expected 1, got 0) :: [ PASS ] :: Making sure gidnumber still exists as 1537800028 in gmodtest :: [ LOG ] :: Duration: 4s :: [ LOG ] :: Assertions: 1 good, 1 bad :: [ FAIL ] :: RESULT: ipa-group-multiop-005 group-mod --delattr + --addattr null op for gidnumber
You don't include what error you are expecting. I assume it is No modifications to perform?
<snip> Expected results: according to help .. --addattr=STR Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. --delattr=STR Delete an attribute/value pair. The option will be evaluated last, after all sets and adds. delattr should be evaluated last and would have at least expected # ipa group-mod --delattr gidnumber=523800179 test ipa: ERROR: 'gid' is required and return code of 1 </snip>
(In reply to comment #5) This one is reported under CORRECT BEHAVIOR above. The expected results don't match the reported failure. The reported failure is the one where addattr and delattr operate on the same value in the same request.
It is under incorrect behavior INCORRECT BEHAVIOR # ipa group-mod --addattr gidnumber=12345678 --delattr gidnumber=12345678 test --------------------- Modified group "test" --------------------- Group name: test Description: test GID: 523800179 # echo $? 0 This used to have return code of 1 which is what I expected.
Back to my original question: what error message are you expecting?
I check the behavior, for the reported command. Setting both "--addattr gidnumber=12345678 --delattr gidnumber=12345678" is actually allowed even for a single valued attribute, as this operation practically translates to NOOP. But in that case, we should return "no modifications to be performed" error if no other attribute was modified. This *is* a regression: # ipa group-add foogroup Description: foo ---------------------- Added group "foogroup" ---------------------- Group name: foogroup Description: foo GID: 371800003 OK: # ipa group-mod foogroup --delattr=gidnumber=371800000 ipa: ERROR: gidnumber does not contain '371800000' OK: # ipa group-mod foogroup --delattr=gidnumber=371800003 ipa: ERROR: 'gid' is required OK: # ipa group-mod foogroup --addattr=gidnumber=371800000 ipa: ERROR: gidnumber: Only one value allowed. ERROR: # ipa group-mod foogroup --addattr=gidnumber=371800000 --delattr=gidnumber=371800000 ------------------------- Modified group "foogroup" ------------------------- Group name: foogroup Description: foo GID: 371800003 "no modifications to be performed" should have been risen. I will open an upstream ticket.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3220
After discussion with Rob, moving back to RHEL-6. The severeness of this bug may have been underestimated. It affects all updates of integer type, like GID. "no modifications to be performed" will never be shown there. It affects both --*attr family of commands and standard options: # ipa group-mod labusers --gid 94800186 ------------------------- Modified group "labusers" ------------------------- Group name: labusers Description: Lab Users GID: 94800186 Member users: jdoe # ipa group-mod labusers --gid 94800186 ------------------------- Modified group "labusers" ------------------------- Group name: labusers Description: Lab Users GID: 94800186 Member users: jdoe
Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/d180d3c10145d4f2ad2d4dfd5243f9f1eb1083b3 ipa-3-0: https://fedorahosted.org/freeipa/changeset/1f1918f97147a9c63b4e8110aa404acc6f7d0324
verified :: :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: ipa-group-multiop-005 group-mod --delattr + --addattr null op for gidnumber - bug 870446 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ipa: ERROR: no modifications to be performed :: [ PASS ] :: Testing a multi-value manipulation for gidnumber gidnumber: 771400028 :: [ PASS ] :: Making sure gidnumber still exists as 771400028 in gmodtest '20a67c4c-2eb7-42e9-8bf5-2da0b87538db' ipa-group-multiop-005-group-mod-delattr-addattr-null-op-for-gidnumber-bug-870446 result: PASS metric: 0 Log: /tmp/beakerlib-9818447/journal.txt Info: Searching AVC errors produced since 1355931165.14 (Wed Dec 19 10:32:45 2012) Searching logs... Info: No AVC messages found. Writing to /mnt/testarea/tmp.wW779Q : AvcLog: /mnt/testarea/tmp.wW779Q version :: ipa-server-3.0.0-12.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html