https://bugzilla.redhat.com/show_bug.cgi?id=783502 (Red Hat Enterprise Linux 6)
Description of problem:
When adding a permission where the attribute is not an allowed attr for the type being used, there is no error, and the permission is added successfully:

# ipa permission-add ManageUser --permissions=write --type=user --attr=ipaclientversion
-----------------------------
Added permission "ManageUser"
-----------------------------
Permission name: ManageUser
Permissions: write
Attributes: ipaclientversion
Type: user

Doc says: The attributes (--attrs) must exist and be allowed attributes for the given object type, or the permission operation fails with schema syntax errors.

Version-Release number of selected component (if applicable):
freeipa-server-2.1.4-4.fc16.x86_64

How reproducible: always

Steps to Reproduce:
1. add a permission as indicated above

Actual results: permission is added successfully

Expected results: the command to fail with error - ipa: ERROR: attribute "ipaClientVersion" not allowed

Additional info:
ldap2.py has a method, get_allowed_attributes(). You can use this if you can get the list of objectclasses for the object type. The trick is that some of these are determined dynamically from cn=ipaconfig (user and group).
rcritten: thanks for hints
patch is on the list
master: 1356988
ipa-2-2: a331f35
BZ re-opened, see that for details on regression.
The problem is in the get_allowed_attributes function (in ipaserver/plugins/ldap2.py). It searches only the specified objectclasses, but the attributes that Namita wanted to use are defined in one of the superior objectclasses.
master: a58cbb9
ipa-2-2: f000640
QE found another case where this isn't working as expected:
# ipa permission-mod "Change a user password" --attrs=userpassword,krbprincipalkey,sambalmpassword,passwordhistory
ipa: ERROR: attribute(s) "sambalmpassword,passwordhistory" not allowed
I would remove this check as is (I sent an email with reasoning to freeipa-devel list):
1) This check fails when the target type does not have all its possible objectclasses defined in the LDAPObject, like when users or hosts miss kerberos or samba auxiliary classes as they are just classes that the object may potentially have:

# ipa permission-mod "Change a user password" --attrs=userpassword,krbprincipalkey,sambalmpassword,passwordhistory
ipa: ERROR: attribute(s) "sambalmpassword,passwordhistory" not allowed

To fix this point, we would need to add all possible object classes to our user, host, ... objectclasses.

2) It severely limits permission flexibility for custom user objectclasses. They would need to extend our plugins to make them work. Observe this inconsistency:

Setting custom OC+attribute works (replace "sudocmd" with some meaningful object class):

# ipa user-mod fbar --addattr=objectclass=ipasudocmd --setattr=sudocmd=fbar
--------------------
Modified user "fbar"
--------------------
User login: fbar
First name: Foo
Last name: Bar
Home directory: /home/fbar
Login shell: /bin/sh
UID: 61400016
GID: 61400016
Account disabled: False
Password: True
Member of groups: ipausers
Kerberos keys available: True

# ipa user-show --all fbar
dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
User login: fbar
First name: Foo
Last name: Bar
...
mepmanagedentry: cn=fbar,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry, ipasudocmd
sudocmd: fbar

But adding a custom permission to control this attribute fails:

# ipa permission-add "Can manage user sudocmd" --type=user --permissions=write --attrs=sudocmd
ipa: ERROR: attribute(s) "sudocmd" not allowed

Bottom line is that I would remove this check at all and just check that the attribute is right - as we already do for permission without "--type" specified:

# ipa permission-add "Can write barbar" --filter="(objectclass=posixuser)" --permissions=write --attrs=barbar
ipa: ERROR: targetattr "barbar" does not exist in schema. Please add attributeTypes "barbar" to schema if necessary. ACL Syntax Error(-5):(targetattr = \22barbar\22)(targetfilter = \22(objectclass=posixuser)\22)(version 3.0;acl \22permission:foo \22;allow (write) groupdn = \22ldap:///cn=foo,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com\22;): Invalid syntax.
For IPA 2.2 we are going to revert the check. For 3.0 we will re-add the check and make it non-fatal and instead return a warning to the user that some attributes may not apply to this object.
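Added illustration (not FreeIPA's code): a minimal model of the allowed-attribute check discussed in this ticket, covering the SUP-chain regression, the auxiliary-class gap from point 1 above, and the fail-versus-warn choice. SCHEMA is a constructed, simplified subset of the standard LDAP schema; USER_OBJECTCLASSES stands in for what the user LDAPObject lists.

```python
# Constructed, simplified schema: name -> (superior objectclass, attributes it allows).
SCHEMA = {
    "top": (None, {"objectclass"}),
    "person": ("top", {"sn", "cn", "userpassword", "description"}),
    "organizationalperson": ("person", {"title", "ou", "l", "st"}),
    "inetorgperson": ("organizationalperson", {"uid", "mail", "givenname"}),
    "posixaccount": ("top", {"uid", "cn", "uidnumber", "gidnumber", "homedirectory"}),
    # Auxiliary class an entry MAY carry but the user type definition does not list.
    "sambasamaccount": ("top", {"sambasid", "sambalmpassword", "sambantpassword"}),
}

# Stand-in for the objectclasses the user LDAPObject knows about (assumption).
USER_OBJECTCLASSES = ["inetorgperson", "posixaccount"]


def get_allowed_attributes(objectclasses, follow_superiors=True):
    """Union of attributes allowed by the given objectclasses.

    With follow_superiors=False only the listed classes are consulted, which
    reproduces the regression: attributes inherited through the SUP chain
    (sn and userpassword come from person) look disallowed.
    """
    allowed = set()
    for oc in objectclasses:
        name = oc.lower()  # LDAP names are case-insensitive
        while name is not None:
            superior, attrs = SCHEMA[name]
            allowed |= attrs
            if not follow_superiors:
                break
            name = superior
    return allowed


def disallowed_attrs(attrs, objectclasses, follow_superiors=True):
    """Attributes from attrs that no listed (or inherited) objectclass allows.

    Whether the caller turns a non-empty result into an error or a warning is
    the design choice made in this ticket: a fatal check rejects legitimate
    attributes such as sambalmpassword, which are valid only if the entry
    carries an auxiliary class the type definition does not mention.
    """
    allowed = get_allowed_attributes(objectclasses, follow_superiors)
    return sorted(a for a in attrs if a.lower() not in allowed)


if __name__ == "__main__":
    print(disallowed_attrs(["sn", "userpassword"], USER_OBJECTCLASSES, False))
    print(disallowed_attrs(["sn", "userpassword"], USER_OBJECTCLASSES))
    print(disallowed_attrs(["ipaclientversion", "sambalmpassword"], USER_OBJECTCLASSES))
```

The first call shows the regression (both attributes rejected), the second the fix, and the third that ipaclientversion is rightly unknown while sambalmpassword is rejected only because sambasamaccount is not part of the type definition.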
Reverted patches.
master:
1a26406
4416c18

ipa-2-2:
ee8ff3a
fab98c7
Metadata Update from @dpal:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.0 Beta 1