After the IDN work, created permissions are fully qualified:
# ipa dnszone-add-permission example.com
------------------------------------------------------
Added system permission "Manage DNS zone example.com."
------------------------------------------------------
  Manage DNS zone example.com.
# ipa permission-show 'Manage DNS zone example.com.'
  Permission name: Manage DNS zone example.com.
The permission name is, however, inconsistent with old permissions, as they were created without the trailing dot (unless the DNS zone also had a trailing dot).
We should either follow that rule in the next version as well (preferred), or update the dnszone-permission-add and dnszone-remove-permission commands to be resilient to different permission names (still not upgrade friendly though).
Otherwise we get an error like this:
# ipa dnszone-remove-permission example.com
ipa: ERROR: Manage DNS zone example.com.: permission not found
# ipa permission-find example.com
--------------------
1 permission matched
--------------------
  Permission name: Manage DNS zone example.com
  Granted to Privilege: test2
  Indirect Member of roles: test2
----------------------------
Number of entries returned 1
----------------------------
To test without an older version, you can simply create a DNS zone and then rename it to a version without the trailing dot (current master always normalizes new zones).
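The second option from the ticket, a lookup that tolerates both permission-name forms, shown as an added example that is not FreeIPA's own code. The function names and the in-memory set standing in for the permission store are assumptions; only the "Manage DNS zone " prefix comes from the output above.

```python
# Added example (not FreeIPA code): resolve a DNS zone's permission under both
# the fully qualified name and the legacy name without the trailing dot.

PREFIX = "Manage DNS zone "  # prefix taken from the command output in the ticket


def normalize_zone(zone):
    """Return the fully qualified (trailing-dot) form of a zone name."""
    return zone if zone.endswith(".") else zone + "."


def candidate_permission_names(zone):
    """Current-form name first, then the legacy name without the trailing dot."""
    fqdn = normalize_zone(zone)
    names = [PREFIX + fqdn]
    if fqdn != ".":  # the root zone has no dotless form
        names.append(PREFIX + fqdn[:-1])
    return names


def resolve_permission(zone, existing):
    """Return every stored permission name that manages `zone`."""
    return [n for n in candidate_permission_names(zone) if n in existing]


def remove_zone_permission(zone, existing):
    """Remove all name variants so no legacy grant is left behind."""
    matches = resolve_permission(zone, existing)
    if not matches:
        raise LookupError(
            candidate_permission_names(zone)[0] + ": permission not found")
    for name in matches:
        existing.discard(name)
    return matches


if __name__ == "__main__":
    # Constructed store: one permission created before names were normalized.
    store = {"Manage DNS zone example.com"}
    print(remove_zone_permission("example.com", store))
    print(store)
```

Removing every matching variant matters for access control: a legacy-named permission that the remove command cannot find stays granted to its privilege.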
Starting review
master:
Additional fix pushed to master:
Metadata Update from @mkosek: - Issue assigned to mbasti - Issue set to the milestone: FreeIPA 4.0 - 2014/06