Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1253458
Description of problem:

[root@master ~]# ipa vault-add vname --user=user_dne
-------------------
Added vault "vname"
-------------------
  Vault name: vname
  Type: standard
  Owner users: admin
[root@master ~]# ipa vault-show vname --user=user_dne
  Vault name: vname
  Type: standard
  Owner users: admin

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-4.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. ipa-server-install
2. ipa-kra-install
3. kinit admin
4. ipa vault-add vname --user=user_dne

Actual results:
adds vault

Expected results:
should not add vault if user doesn't exist

Additional info:
It seems that the vault secrets / the vault itself are not influenced by a new potential user with the same name.
[root@freeipa-box ~]# ipa vault-show bah --user=bah
ipa: ERROR: bah: vault not found
[root@freeipa-box ~]# ipa vault-add bah --user=bah
-----------------
Added vault "bah"
-----------------
  Vault name: bah
  Type: standard
  Owner users: admin
  Vault user: bah
[root@freeipa-box ~]# ipa vault-show bah
ipa: ERROR: bah: vault not found
[root@freeipa-box ~]# ipa vault-show bah --user=bah
  Vault name: bah
  Type: standard
  Owner users: admin
  Vault user: bah
[root@freeipa-box ~]# ipa vault-archive bah --data=$(echo "some secret" | base64) --user=bah
------------------------------
Archived data into vault "bah"
------------------------------
[root@freeipa-box ~]# ipa vault-retrieve bah --user=bah
-------------------------------
Retrieved data from vault "bah"
-------------------------------
  Data: c29tZSBzZWNyZXQK
[root@freeipa-box ~]# ipa user-add --first=bah --last=test --password bah
Password:
Enter Password again to verify:
----------------
Added user "bah"
----------------
  User login: bah
  First name: bah
  Last name: test
  Full name: bah test
  Display name: bah test
  Initials: bt
  Home directory: /home/bah
  GECOS: bah test
  Login shell: /bin/sh
  Kerberos principal: bah@ABC.EXAMPLE.COM
  Email address: bah@abc.example.com
  UID: 1025000044
  GID: 1025000044
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
bah@freeipa-box$ whoami
bah
bah@freeipa-box$ ipa vault-find
----------------
0 vaults matched
----------------
----------------------------
Number of entries returned 0
----------------------------
bah@freeipa-box$ ipa vault-find --user=bah
----------------
0 vaults matched
----------------
----------------------------
Number of entries returned 0
----------------------------
bah@freeipa-box$ ipa vault-show bah
ipa: ERROR: bah: vault not found
bah@freeipa-box$ ipa vault-show bah --user=bah
ipa: ERROR: bah: vault not found
bah@freeipa-box$ ipa vault-retrieve bah
ipa: ERROR: bah: vault not found
bah@freeipa-box$ ipa vault-retrieve bah --user=bah
ipa: ERROR: bah: vault not found
[root@freeipa-box ~]# ipa vault-add-member bah --users=bah
ipa: ERROR: bah: vault not found
[root@freeipa-box ~]# ipa vault-add-member bah --users=bah --user=bah
  Vault name: bah
  Type: standard
  Owner users: admin
  Vault user: bah
  Member users: bah
-------------------------
Number of members added 1
-------------------------
bah@freeipa-box$ ipa vault-retrieve bah
-------------------------------
Retrieved data from vault "bah"
-------------------------------
  Data: c29tZSBzZWNyZXQK
bah@freeipa-box$ ipa vault-retrieve bah --user=bah
-------------------------------
Retrieved data from vault "bah"
-------------------------------
  Data: c29tZSBzZWNyZXQK
[root@freeipa-box ~]# ipa vault-remove-member bah --users=bah --user=bah
  Vault name: bah
  Type: standard
  Owner users: admin
  Vault user: bah
---------------------------
Number of members removed 1
---------------------------
bah@freeipa-box$ ipa vault-retrieve bah
ipa: ERROR: bah: vault not found
bah@freeipa-box$ ipa vault-retrieve bah --user=bah
ipa: ERROR: bah: vault not found
[root@freeipa-box ~]# ipa vault-add-owner bah --users=bah --user=bah
  Vault name: bah
  Type: standard
  Owner users: admin, bah
  Vault user: bah
------------------------
Number of owners added 1
------------------------
[root@freeipa-box ~]# ipa vault-remove-owner bah --users=admin --user=bah
  Vault name: bah
  Type: standard
  Owner users: bah
  Vault user: bah
--------------------------
Number of owners removed 1
--------------------------
bah@freeipa-box$ ipa vault-retrieve bah
-------------------------------
Retrieved data from vault "bah"
-------------------------------
  Data: c29tZSBzZWNyZXQK
bah@freeipa-box$ ipa vault-retrieve bah --user=bah
-------------------------------
Retrieved data from vault "bah"
-------------------------------
  Data: c29tZSBzZWNyZXQK
[root@freeipa-box ~]# ipa user-del bah
------------------
Deleted user "bah"
------------------
[root@freeipa-box ~]# ipa user-show bah
ipa: ERROR: bah: user not found
[root@freeipa-box ~]# ipa vault-find --user=bah
---------------
1 vault matched
---------------
  Vault name: bah
  Type: standard
  Vault user: bah
----------------------------
Number of entries returned 1
----------------------------
[root@freeipa-box ~]# ipa user-add --first=bah --last=test --password bah
Password:
Enter Password again to verify:
----------------
Added user "bah"
----------------
  User login: bah
  First name: bah
  Last name: test
  Full name: bah test
  Display name: bah test
  Initials: bt
  Home directory: /home/bah
  GECOS: bah test
  Login shell: /bin/sh
  Kerberos principal: bah@ABC.EXAMPLE.COM
  Email address: bah@abc.example.com
  UID: 1025000045
  GID: 1025000045
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
bah@freeipa-box$ ipa vault-find --user=bah
----------------
0 vaults matched
----------------
----------------------------
Number of entries returned 0
----------------------------
bah@freeipa-box$ ipa vault-retrieve bah --user=bah
ipa: ERROR: bah: vault not found
This was discussed offline and it was decided that creating a vault for a non-existent user/service is a valid use case.
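Because a user vault may legitimately be created for a login that does not exist, and the transcript above shows it outliving `ipa user-del`, an administrator may want a way to list user vaults whose login is gone. The following is an added example, not FreeIPA project code: it parses the `ipa` CLI record format shown in this ticket, using constructed sample output (the login "alice" is made up) rather than anything captured from a server.

```python
"""Added example, not FreeIPA code: parse the `ipa` CLI record format seen in
this ticket and flag user vaults whose "Vault user" is not an existing login."""

# Constructed after the transcript above: `ipa vault-find --user=bah` output
# taken after `ipa user-del bah`; the vault outlives the user.
VAULT_FIND_OUTPUT = """\
---------------
1 vault matched
---------------
  Vault name: bah
  Type: standard
  Vault user: bah
----------------------------
Number of entries returned 1
----------------------------
"""

# Constructed: `ipa user-find` output at the same point in time.
USER_FIND_OUTPUT = """\
---------------
2 users matched
---------------
  User login: admin

  User login: alice
----------------------------
Number of entries returned 2
----------------------------
"""

def parse_records(text, start_key):
    """Split `ipa` CLI output into dicts; a new record starts at `start_key`."""
    records = []
    for line in text.splitlines():
        if not line.startswith("  ") or ": " not in line:
            continue  # dashed rules, banners, summaries and blank lines
        key, _, value = line.strip().partition(": ")
        if key == start_key:
            records.append({})
        if records:
            records[-1][key] = value
    return records

def orphan_user_vaults(vault_text, user_text):
    """Return (vault name, vault user) pairs whose user login does not exist."""
    logins = {u["User login"] for u in parse_records(user_text, "User login")}
    return sorted((v["Vault name"], v["Vault user"])
                  for v in parse_records(vault_text, "Vault name")
                  if v.get("Vault user") not in logins)
```

Feed it the concatenated `ipa vault-find --user=<login>` output for each login you want to audit; a result is only a lead, since the ticket's conclusion is that such vaults can be intentional.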
Metadata Update from @spoore:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE