#4212 Internal Error related to incorrect attributelevelrights of a managed permission
Closed: Fixed. Opened 9 years ago by pvoborni.

UI gets the write right for the attrs attribute of a managed permission - wrong - the user can modify it even though he shouldn't.

When this is modified, it ends with an Internal Error and completely damaged attribute level rights.

Tried with:

{"method":"permission_mod","params":[["Manage host keytab"],{"all":true,"rights":true,"attrs":["krblastpwdchangeggg","krbprincipalkey"]}]}

Damaged rights:

"attributelevelrights": {
    "aci": "rscwo",
    "attrs": "rscwo",
    "businesscategory": "rscwo",
    "cn": "rscwo",
    "description": "rscwo",
    "ipapermbindruletype": "rscwo",
    "ipapermdefaultattr": "rscwo",
    "ipapermexcludedattr": "rscwo",
    "ipapermincludedattr": "rscwo",
    "ipapermissiontype": "rscwo",
    "ipapermlocation": "rscwo",
    "ipapermright": "rscwo",
    "ipapermtarget": "rscwo",
    "ipapermtargetfilter": "rscwo",
    "member": "rscwo",
    "memberof": "rscwo",
    "nsaccountlock": "rscwo",
    "o": "rscwo",
    "objectclass": "rscwo",
    "ou": "rscwo",
    "owner": "rscwo",
    "seealso": "rscwo",
    "targetgroup": "rscwo",
    "type": "rscwo"
},

Traceback:

ipa: ERROR: Error updating ACI: Traceback (most recent call last):
[Mon Mar 03 13:21:16.710279 2014] [:error] [pid 12944]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py", line 993, in post_callback
[Mon Mar 03 13:21:16.710284 2014] [:error] [pid 12944]     self.obj.update_aci(entry, old_entry.single_value['cn'])
[Mon Mar 03 13:21:16.710288 2014] [:error] [pid 12944]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py", line 494, in update_aci
[Mon Mar 03 13:21:16.710293 2014] [:error] [pid 12944]     return self._replace_aci(permission_entry, old_name, new_acistring)
[Mon Mar 03 13:21:16.710297 2014] [:error] [pid 12944]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py", line 519, in _replace_aci
[Mon Mar 03 13:21:16.710301 2014] [:error] [pid 12944]     ldap.update_entry(acientry)
[Mon Mar 03 13:21:16.710305 2014] [:error] [pid 12944]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1609, in update_entry
[Mon Mar 03 13:21:16.710309 2014] [:error] [pid 12944]     self.conn.modify_s(entry.dn, modlist)
[Mon Mar 03 13:21:16.710313 2014] [:error] [pid 12944]   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
[Mon Mar 03 13:21:16.710317 2014] [:error] [pid 12944]     self.gen.throw(type, value, traceback)
[Mon Mar 03 13:21:16.710321 2014] [:error] [pid 12944]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1179, in error_handler
[Mon Mar 03 13:21:16.710326 2014] [:error] [pid 12944]     raise errors.InvalidSyntax(attr=info)
[Mon Mar 03 13:21:16.710330 2014] [:error] [pid 12944] InvalidSyntax: targetattr "krblastpwdchangeggg" does not exist in schema. Please add attributeTypes "krblastpwdchangeggg" to schema if necessary. ACL Syntax Error(-5):(targetattr = \\22krblastpwdchangeggg || krbprincipalkey\\22)(target = \\22ldap:///fqdn=\\2a,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com\\22)(version 3.0;acl \\22permission:Manage host keytab\\22;allow (write) groupdn = \\22ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com\\22;): Invalid syntax.
[Mon Mar 03 13:21:16.710352 2014] [:error] [pid 12944]
[Mon Mar 03 13:21:16.710472 2014] [:error] [pid 12944] ipa: WARNING: Reverting entry
[Mon Mar 03 13:21:16.716564 2014] [:error] [pid 12944] ipa: ERROR: non-public: TypeError: unhashable type: 'dict'
[Mon Mar 03 13:21:16.716583 2014] [:error] [pid 12944] Traceback (most recent call last):
[Mon Mar 03 13:21:16.716588 2014] [:error] [pid 12944]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 343, in wsgi_execute
[Mon Mar 03 13:21:16.716592 2014] [:error] [pid 12944]     result = self.Command[name](*args, **options)
[Mon Mar 03 13:21:16.716596 2014] [:error] [pid 12944]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
[Mon Mar 03 13:21:16.716600 2014] [:error] [pid 12944]     ret = self.run(*args, **options)
[Mon Mar 03 13:21:16.716604 2014] [:error] [pid 12944]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run
[Mon Mar 03 13:21:16.716608 2014] [:error] [pid 12944]     result = self.execute(*args, **options)
[Mon Mar 03 13:21:16.716612 2014] [:error] [pid 12944]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py", line 872, in execute
[Mon Mar 03 13:21:16.716617 2014] [:error] [pid 12944]     return super(permission_mod, self).execute(*keys, **options)
[Mon Mar 03 13:21:16.716621 2014] [:error] [pid 12944]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1359, in execute
[Mon Mar 03 13:21:16.716625 2014] [:error] [pid 12944]     self, ldap, entry_attrs.dn, entry_attrs, *keys, **options)
[Mon Mar 03 13:21:16.716629 2014] [:error] [pid 12944]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py", line 997, in post_callback
[Mon Mar 03 13:21:16.716633 2014] [:error] [pid 12944]     old_entry.reset_modlist(entry)
[Mon Mar 03 13:21:16.716636 2014] [:error] [pid 12944]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 976, in reset_modlist
[Mon Mar 03 13:21:16.716641 2014] [:error] [pid 12944]     self._orig = deepcopy(dict(other.raw))
[Mon Mar 03 13:21:16.716644 2014] [:error] [pid 12944]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1087, in __getitem__
[Mon Mar 03 13:21:16.716648 2014] [:error] [pid 12944]     return self._entry._get_raw(name)
[Mon Mar 03 13:21:16.716652 2014] [:error] [pid 12944]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 923, in _get_raw
[Mon Mar 03 13:21:16.716656 2014] [:error] [pid 12944]     self._sync_attr(name)
[Mon Mar 03 13:21:16.716660 2014] [:error] [pid 12944]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 765, in _sync_attr
[Mon Mar 03 13:21:16.716664 2014] [:error] [pid 12944]     nice_adds = set(nice) - set(nice_sync)
[Mon Mar 03 13:21:16.716668 2014] [:error] [pid 12944] TypeError: unhashable type: 'dict'
[Mon Mar 03 13:21:16.716939 2014] [:error] [pid 12944] ipa: INFO: [jsonserver_session] admin@IDM.LAB.ENG.BRQ.REDHAT.COM: permission_mod(u'Manage host keytab', attrs=(u'krblastpwdchangeggg', u'krbprincipalkey'), rights=True, all=True): TypeError

master:

  • 02e6196 permission-mod: Remove attributelevelrights before reverting entry
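As an added illustration (not FreeIPA's code), a simplified model of the revert path in the traceback above: the set difference in _sync_attr fails because the entry still carries the dict-valued attributelevelrights that the server computed for rights=True, and dropping that server-only attribute before reverting, as commit 02e6196 does, lets the revert complete. Entry contents and function names here are constructed stand-ins.

```python
from copy import deepcopy

# Constructed sample, modelled on the ticket: the permission entry after
# permission_mod with rights=True, all=True. Real LDAP attributes hold lists
# of strings; attributelevelrights is a dict the server computed for the
# client, stored like any other value (wrapped in a list), but it is not an
# LDAP attribute at all.
NEW_ENTRY = {
    "cn": ["Manage host keytab"],
    "attrs": ["krblastpwdchangeggg", "krbprincipalkey"],
    "attributelevelrights": [{"attrs": "rscwo", "cn": "rscwo"}],
}
OLD_ENTRY = {
    "cn": ["Manage host keytab"],
    "attrs": ["krblastpwdchange", "krbprincipalkey"],
}
# Attributes that exist only in command output, never in the directory.
VIRTUAL_ATTRS = frozenset(["attributelevelrights"])

def sync_attr(nice, nice_sync):
    """Hypothetical stand-in for the set difference in _sync_attr:
    set() needs hashable values, so a dict element raises TypeError."""
    return set(nice) - set(nice_sync)

def reset_modlist_buggy(old_entry, new_entry):
    """Revert by taking the new entry as the original state, touching every
    attribute. Crashes on the dict, so the revert never completes."""
    orig = {}
    for name, values in new_entry.items():
        sync_attr(values, old_entry.get(name, []))
        orig[name] = deepcopy(values)
    return orig

def reset_modlist_fixed(old_entry, new_entry):
    """Same revert after dropping server-computed attributes first, which is
    what the fix does for attributelevelrights."""
    cleaned = {k: v for k, v in new_entry.items() if k not in VIRTUAL_ATTRS}
    return reset_modlist_buggy(old_entry, cleaned)

def revert_outcome():
    """Return (buggy_failed, keys kept by the fixed revert)."""
    try:
        reset_modlist_buggy(OLD_ENTRY, NEW_ENTRY)
        buggy_failed = False
    except TypeError:
        buggy_failed = True
    return buggy_failed, sorted(reset_modlist_fixed(OLD_ENTRY, NEW_ENTRY))
```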

Metadata Update from @pvoborni:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 4.0 - 2014/03

6 years ago
