Currently it is possible to change the primary key of an object using the --rename option only on objects whose primary key attribute and RDN attribute are the same. Allow renaming any object by providing the --rename option for all objects.
2016-02-24: the scope of the request was narrowed down just to the real world problem - SUDO commands.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=800545
There was a customer/user request for this feature. Moving to NEEDS_TRIAGE to have a discussion about it.
We may want to limit the scope of where rename is enabled. I don't think we want to introduce --rename on hosts, as it would not work well with Kerberos principals, keytabs etc. But I would at least enable it on sudo, hbac and similar objects.
rename
Note: this ticket depends on #2866 so that we don't break referential integrity with the rename operation.
Replying to [comment:5 mkosek]:
Can you please add a pointer to the mail thread or add a snippet of the IRC conversation about this?
Replying to [comment:7 dpal]:
Replying to [comment:5 mkosek]: There was a customer/user request for this feature. Moving to NEEDS_TRIAGE to have a discussion about it. Can you please add a pointer to the mail thread or add a snippet of the IRC conversation about this?
The request came in the Bugzilla linked to this ticket: Bug 800545.
The main use case is changing sudo commands.
Changing 3.2 priority
Another real-world use case is rename of dns reverse zone on network address change.
This cannot be reasonably supported on DNS zones:
Why cannot we present this to OpenDNSSEC as deletion of the old zone and creation of a new zone, with the same records?
This request is too general. I do not think this request would be done any time soon; it is too costly without being bound to real-world problems (like in the attached RHEL Bugzilla). I talked to pvoborni; we should rather narrow down the request to the reported problem around SUDO commands - this will increase the chance it would really be done.
Metadata Update from @jcholast: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 4.5 backlog
The requests talk about renaming sudo rules and not sudo commands. The command was meant as an IPA command related to sudo.
Metadata Update from @pvoborni: - Issue assigned to stlaz (was: rcritten) - Issue close_status updated to: None - Issue set to the milestone: FreeIPA 4.5 (was: FreeIPA 4.5 backlog)
This can hardly be done in a non-general manner.
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)
Metadata Update from @stlaz: - Custom field changelog adjusted to The attribute "rdn_is_primary_key" of the LDAPObject class was renamed to "allow_rename" because the name of the former did not reflect the purpose of the attribute. Thanks to this objects whose primary key is not in RDN can be now renamed. As a result of this, sudorule objects can now be renamed.
Metadata Update from @stlaz: - Custom field changelog adjusted to The attribute "rdn_is_primary_key" of the LDAPObject class was renamed to "allow_rename" because the name of the former did not reflect the purpose of the attribute. Thanks to this objects whose primary key is not in RDN can be now renamed. As a result of this, sudo rules can now be renamed. (was: The attribute "rdn_is_primary_key" of the LDAPObject class was renamed to "allow_rename" because the name of the former did not reflect the purpose of the attribute. Thanks to this objects whose primary key is not in RDN can be now renamed. As a result of this, sudorule objects can now be renamed.)
ipa-4-5:
7d3229b Allow renaming of the sudorule objects
master:
8e4408e Reworked the renaming mechanism
Metadata Update from @pvomacka: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)