#47569 ACIs do not allow attribute subtypes in targetattr keyword
Closed: wontfix. Opened 10 years ago by nkinder.

The attribute defined in the targetattr keyword of an ACI is checked against the schema to make sure it is a defined attribute when you are adding a new ACI. If you want to use an attribute subtype, the ACI is rejected since the attribute with subtype is not defined in the schema. We should strip off the subtype when we validate the targetattr keyword against the schema.

Here is an example ACI that is currently being rejected, but should be allowed:

(targetattr=protectedOperation;getKeytab)
(version 3.0;
 acl "allowed retrieval of keytabs";
 allow (read)
 userattr = "allowedToPerform;getKeytab#GROUPDN";)

This example assumes that the "protectedOperation" attribute is defined in the schema.

This issue is related to FreeIPA ticket #3859.
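
The validation change requested above, sketched as an added example (not code from 389-ds-base or from this ticket). It assumes a small constructed schema list and hypothetical function names, and it goes slightly beyond the ticket's single-attribute case by also handling `||`-separated lists and the `*` wildcard.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for the server schema (assumption, not real schema data). */
static const char *SCHEMA[] = { "cn", "uid", "protectedOperation", "allowedToPerform", NULL };

/* Base attribute type = everything before the first ';' (the rest is subtypes). */
static size_t base_type_len(const char *desc, size_t len)
{
    const char *semi = memchr(desc, ';', len);
    return semi ? (size_t)(semi - desc) : len;
}

static int schema_has(const char *name, size_t len)
{
    for (size_t i = 0; SCHEMA[i]; i++)
        if (strlen(SCHEMA[i]) == len && strncasecmp(SCHEMA[i], name, len) == 0)
            return 1;
    return 0;
}

/* Validate a targetattr value such as "cn || protectedOperation;getKeytab".
 * strip_subtype = 0 models the rejecting behaviour, 1 the requested one.
 * Returns 1 if at least one attribute is listed and all are known, else 0. */
int targetattr_is_valid(const char *value, int strip_subtype)
{
    int seen = 0;
    while (*value) {
        value += strspn(value, " |");          /* skip blanks and "||" separators */
        size_t len = strcspn(value, " |");     /* one attribute description */
        if (len == 0)
            break;
        if (!(len == 1 && *value == '*')) {    /* "*" wildcard needs no lookup */
            size_t n = strip_subtype ? base_type_len(value, len) : len;
            if (n == 0 || !schema_has(value, n))
                return 0;                      /* unknown type or empty base name */
        }
        seen++;
        value += len;
    }
    return seen > 0;
}

int main(void)
{
    const char *v = "protectedOperation;getKeytab";   /* targetattr from the ticket */
    printf("strict=%d stripped=%d\n", targetattr_is_valid(v, 0), targetattr_is_valid(v, 1));
    return 0;
}
```

Only the schema lookup uses the stripped name; the full description, subtype included, is what the ACI would still be stored and evaluated with.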


Thanks to Rich for his review! Pushed to the following branches:

master - cb73cf2
389-ds-base-1.3.2 - 2b7cbb8

Pushed build warnings fix to the following branches:

master - 01df89d
389-ds-base-1.3.2 - b5676ab

You could argue that this patch should go into the dirsrvtests/tickets/ directory and not the dirsrvtests/suites directory, but it's fine and we should really start getting more tests into the "suites" anyway.

Ack.

01fea1f..0c4eafb master -> master
commit 0c4eafb
Author: Simon Pichugin <spichugi@redhat.com>
Date: Tue Aug 11 16:11:48 2015 +0200

7a4b0a7..48e506d 389-ds-base-1.3.4 -> 389-ds-base-1.3.4
commit 48e506d

dc22924..895dc4f 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 895dc4f

Metadata Update from @nkinder:
- Issue assigned to nkinder
- Issue set to the milestone: 1.3.2.3

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/906

If you want to receive further updates on the issue, please navigate to the github issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago
