Bug 893850 - Unable to update permissions for "Add Automount Keys"
Summary: Unable to update permissions for "Add Automount Keys"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Duplicates: 894378
Depends On: 788645 976382 1153292
Blocks: 894378
 
Reported: 2013-01-10 02:57 UTC by Namita Soman
Modified: 2015-03-05 10:08 UTC (History)

Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:08:54 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0442 0 normal SHIPPED_LIVE Moderate: ipa security, bug fix, and enhancement update 2015-03-05 14:50:39 UTC

Description Namita Soman 2013-01-10 02:57:58 UTC
Description of problem:
In 6.3:
# ipa permission-mod "Add Automount Keys" --permissions=add,write --attrs=
----------------------------------------
Modified permission "Add Automount Keys"
----------------------------------------
  Permission name: Add Automount keys
  Permissions: add, write
  Subtree: ldap:///automountkey=*,automountmapname=*,cn=automount,dc=testrelm,dc=com
  Granted to Privilege: Automount Administrators


In 6.4:
# ipa permission-mod "Add Automount Keys" --permissions=add,write --attrs=
ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive


Version-Release number of selected component (if applicable):
ipa-server-3.0.0-19.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. ipa permission-mod "Add Automount Keys" --permissions=add,write --attrs=

  
Actual results:
ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive

Expected results:
be able to modify permissions successfully

Additional info:

Comment 2 Martin Kosek 2013-01-10 11:32:15 UTC
I do not think this is a regression. The problem here is that this permission in RHEL 6.4 is different and now has both `subtree' and `filter' parts:

RHEL 6.3:
# ipa permission-show "Add Automount Keys"
  Permission name: Add Automount keys
  Permissions: add
>>Subtree: ldap:///automountkey=*,automountmapname=*,cn=automount,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  Granted to Privilege: Automount Administrators

RHEL 6.4:
# ipa permission-show "Add Automount Keys"
  Permission name: Add Automount keys
  Permissions: add
>>Filter: (objectclass=automount)
>>Subtree: ldap:///automountmapname=*,cn=automount,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  Granted to Privilege: Automount Administrators
  Indirect Member of roles: IT Specialist

These 2 fields are colliding and prevent modification of the entry. If the RHEL 6.3 permission had a filter too, it would also raise this error:

# ipa permission-mod "Add Automount Keys" --filter '(objectclass=automount)'
ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive

There is a logged RFE to fix this behavior (Bug 788645).
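
Added example, not part of the original bug report and not FreeIPA code: a simplified Python model of the collision described in Comment 2, which parses `permission-show` style output and flags permissions whose stored target already sets more than one of the mutually exclusive fields. The "Type" and "Target group" labels, the `simulate_mod` helper and the sample entries are assumptions made for illustration.

```python
# Added illustration: a simplified model, not FreeIPA's permission plugin.
EXCLUSIVE = ("type", "filter", "subtree", "targetgroup")
# Output labels -> option names; "Type" and "Target group" are assumed labels.
LABELS = {"Type": "type", "Filter": "filter", "Subtree": "subtree",
          "Target group": "targetgroup"}


def parse_permissions(text):
    """Parse 'Key: value' blocks of permission-show style output into dicts."""
    perms, cur = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue  # separator lines, prompts, blank lines
        if key == "Permission name":
            cur = {"name": value}
            perms.append(cur)
        elif cur is not None and key in LABELS:
            cur[LABELS[key]] = value
    return perms


def colliding(perm):
    """Return the exclusive target fields set on one permission, if more than one."""
    found = [f for f in EXCLUSIVE if perm.get(f)]
    return found if len(found) > 1 else []


def simulate_mod(perm, **changes):
    """Model a modify that validates the merged entry (hypothetical helper)."""
    merged = {**perm, **changes}
    if colliding(merged):
        raise ValueError("invalid 'target': type, filter, subtree and "
                         "targetgroup are mutually exclusive")
    return merged


# Constructed sample, shaped like the two outputs quoted in Comment 2.
SAMPLE = """\
  Permission name: Add Automount keys (6.3 layout)
  Permissions: add
  Subtree: ldap:///automountkey=*,automountmapname=*,cn=automount,dc=example,dc=com
  Permission name: Add Automount keys (6.4 layout)
  Permissions: add
  Filter: (objectclass=automount)
  Subtree: ldap:///automountmapname=*,cn=automount,dc=example,dc=com
"""

if __name__ == "__main__":
    for p in parse_permissions(SAMPLE):
        print(p["name"], "->", colliding(p) or "modifiable")
```

In this model an unrelated change (such as `--permissions`) fails for the second entry because the check runs over the stored target fields as well as the requested changes.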

Comment 3 Dmitri Pal 2013-01-10 23:21:16 UTC
So is this not a bug? Does it require some kind of release note?

Comment 4 Martin Kosek 2013-01-11 08:59:16 UTC
It is a bug, but it has always been there (though not reproducing for this particular permission (Add Automount Keys)). I would personally simply just move this bug to RHEL-7 as the RFE that would fix it is also scheduled for RHEL-7.

I am linking this Bugzilla to the upstream ticket:
https://fedorahosted.org/freeipa/ticket/2355

Comment 5 Martin Kosek 2013-03-01 14:50:08 UTC
*** Bug 894378 has been marked as a duplicate of this bug. ***

Comment 6 Martin Kosek 2014-01-03 13:27:34 UTC
Fixed upstream as a part of permission plugin refactoring (https://fedorahosted.org/freeipa/ticket/4034):

423bb38965ce361c3a4d373ddc03008842f110ac Test adding noaci/system permissions to privileges
d38748d64f5c7fb098b839b3c00a1f812d510d3b Make sure SYSTEM permissions can be retreived with --all --raw
7fc35ced1d83d9901f4a1bf59482c3c4666d6079 permission plugin: Ensure ipapermlocation (subtree) always exists
53caa7aca21b097e1ca975c1c4b4e7038558bc9b Roll back ACI changes on failed permission updates
f47669a5b969a512756a39f451f04ed9c95ce3ab Verify ACIs are added correctly in tests
d7ee87cfa1e288fe18dc2dbeb2d691753048f4db Rewrite the Permission plugin
445634d6ac39669cc007871861e19e15ae22c12d Add new permission schema
8ddb5da1eab910d5dd6eb13696bb6092e979d5a1 Add tests for permission plugin with older clients
a1236b654200ba79ba0074ca88ff5972802fed56 Allow Declarative test classes to specify the API version
a8ba5e0ef9fa92fb465aab8c25947f5717f4b3cb Allow sets for initialization of frozenset-typed Param keywords

Comment 8 Namita Soman 2015-01-23 17:40:17 UTC
In 7.1, "Add Automount Keys" is now a Managed Permission, and is named "System: Add Automount Keys"

From http://www.freeipa.org/page/V4/Managed_Read_permissions , these Managed permissions cannot be modified.


# ipa permission-mod "System: Add Automount Keys" --permissions=add --permissions=write --attrs=
ipa: ERROR: invalid 'ipapermright': not modifiable on managed permissions

Comment 10 errata-xmlrpc 2015-03-05 10:08:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

