#4383 dnszone-permission-add creates incompatible permissions
Closed: Fixed None Opened 7 years ago by mkosek.

After the IDN work, created permissions are fully qualified:

# ipa dnszone-add-permission example.com
Added system permission "Manage DNS zone example.com."
  Manage DNS zone example.com.

# ipa permission-show 'Manage DNS zone example.com.'
  Permission name: Manage DNS zone example.com.

Permission name is, however, inconsistent with old permissions as they were created without the trailing dot (unless the DNS zone also had a trailing dot).

We should either follow that rule also in next version (preferred), or update the dnszone-permission-add dnszone-remove-permission to be resilient to different permission names (still not upgrade friendly though).

Otherwise we get error like this:

# ipa dnszone-remove-permission example.com
ipa: ERROR: Manage DNS zone example.com.: permission not found

# ipa permission-find example.com
1 permission matched
  Permission name: Manage DNS zone example.com
  Granted to Privilege: test2
  Indirect Member of roles: test2
Number of entries returned 1

To test without older version, you can simply create a DNS zone and then rename it to version without trailing dot (current master always normalizes new zones).


  • 816007b Fix incompatible DNS permission

Additional fix pushed to master:

  • 21c829f Fix incompatible permission name *zone-del

Metadata Update from @mkosek:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.0 - 2014/06

5 years ago

Login to comment on this ticket.