#1763 ipa hbactest fails if sourcehost is external.
Closed: Fixed None Opened 8 years ago by mkosek.

https://bugzilla.redhat.com/show_bug.cgi?id=736276

Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.1.0-105.20110905T0552zgit5d9756d.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create an hbacrule as:
# ipa hbacrule-show rule2 --all
  dn: ipauniqueid=bcc94bbe-d91d-11e0-aafb-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: rule2
  Enabled: TRUE
  Users: shanks
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source hosts: mudflap.lab.eng.pnq.redhat.com
  Services: vsftpd
  accessruletype: allow
  ipauniqueid: bcc94bbe-d91d-11e0-aafb-525400deab7b
  objectclass: ipaassociation, ipahbacrule

2. Add external host as source host.
ipa hbacrule-add-sourcehost rule2 --hosts=external.lab.eng.pnq.redhat.com

3. # ipa hbacrule-show rule2 --all
  dn: ipauniqueid=bcc94bbe-d91d-11e0-aafb-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: rule2
  Enabled: TRUE
  Users: shanks
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source hosts: mudflap.lab.eng.pnq.redhat.com
  Services: vsftpd
  External host: external.lab.eng.pnq.redhat.com
  accessruletype: allow
  ipauniqueid: bcc94bbe-d91d-11e0-aafb-525400deab7b
  objectclass: ipaassociation, ipahbacrule

4. ipa hbactest --user=shanks --srchost=external.lab.eng.pnq.redhat.com --host=bumblebee.lab.eng.pnq.redhat.com --service=vsftpd --rule=rule2

Actual results:
# ipa hbactest --user=shanks --srchost=external.lab.eng.pnq.redhat.com --host=bumblebee.lab.eng.pnq.redhat.com --service=vsftpd --rule=rule2
---------------------
Access granted: False
---------------------
  notmatched: rule2


Expected results:
# ipa hbactest --user=shanks --srchost=external.lab.eng.pnq.redhat.com --host=bumblebee.lab.eng.pnq.redhat.com --service=vsftpd --rule=rule2
---------------------
Access granted: True
---------------------
  matched: rule2

Additional info:

Depends on https://fedorahosted.org/sssd/ticket/990 (committed to SSSD master already, not released). Once SSSD with the fix is released, hbactest should start working automagically as all decision-making is done on the SSSD side.

Patch posted for review

We missed a pylint false positive. Pushed as one-liner:

master: a40d4d4
ipa-2-1: 7c50d17

Metadata Update from @mkosek:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 2.1.2 (bug fixing)

2 years ago
