IMHO this Python API call should raise an exception. It took me a while to figure out that the permission name is in plural form, 'System: Read Stage Users' instead of 'System: Read Stage User'.
{{{
>>> from ipalib import api
>>> api.bootstrap(context='cli', log=None)
>>> api.finalize()
>>> api.Backend.rpcclient.connect()
>>> api.Command.privilege_add_permission(u'Portal management privilege', permission=u'System: Read Stage User')
{u'failed': {u'member': {u'permission': (('System', u'Read Stage User: permission not found'),)}}, u'completed': 0, u'result': {u'dn': u'cn=Portal management privilege,cn=privileges,cn=pbac,dc=kdcproxy,dc=demo', u'cn': (u'Portal management privilege',), u'objectclass': (u'groupofnames', u'top', u'nestedgroup'), u'member_role': (u'Portal management',), u'memberof_permission': (u'System: Change User password', u'System: Add Stage User'), u'description': (u'Portal privileges',)}}
}}}
Initialize the API
{{{
>>> from ipalib import api
>>> from pprint import pprint
>>> api.bootstrap(context='cli', log=None)
>>> api.finalize()
ipa: WARNING: session memcached servers not running
>>> api.Backend.rpcclient.connect()
}}}
An unknown permission doesn't raise an exception. Please note that the message in {{{[u'failed'][u'member'][u'permission'][0]}}} is wrong, too. It should be {{{(u'System : Read Stage User', u'permission not found')}}}.
{{{
>>> pprint(api.Command.privilege_add_permission(u'Portal management privilege', permission=u'System: Read Stage User'))
{u'completed': 0,
 u'failed': {u'member': {u'permission': (('System', u'Read Stage User: permission not found'),)}},
 u'result': {u'cn': (u'Portal management privilege',), u'description': (u'Portal privileges',), u'dn': u'cn=Portal management privilege,cn=privileges,cn=pbac,dc=kdcproxy,dc=demo', u'member_role': (u'Portal management',), u'memberof_permission': (u'System: Change User password', u'System: Add Stage User', u'System: Read Stage Users'), u'objectclass': (u'groupofnames', u'top', u'nestedgroup')}}
}}}
A permission add command also doesn't raise an exception if the privilege already has the permission. In this case {{{[u'failed'][u'member'][u'permission'][0]}}} is correct.
{{{
>>> pprint(api.Command.privilege_add_permission(u'Portal management privilege', permission=u'System: Read Stage Users'))
{u'completed': 0,
 u'failed': {u'member': {u'permission': ((u'System: Read Stage Users', u'This entry is already a member'),)}},
 u'result': {u'cn': (u'Portal management privilege',), u'description': (u'Portal privileges',), u'dn': u'cn=Portal management privilege,cn=privileges,cn=pbac,dc=kdcproxy,dc=demo', u'member_role': (u'Portal management',), u'memberof_permission': (u'System: Change User password', u'System: Add Stage User', u'System: Read Stage Users'), u'objectclass': (u'groupofnames', u'top', u'nestedgroup')}}
}}}
Finally some permissions like u'System: Read User Standard Attributes' and u'System: Read User Addressbook Attributes' raise an exception:
{{{
>>> pprint(api.Command.privilege_add_permission(u'Portal management privilege', permission=u'System: Read User Standard Attributes'))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 761, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 782, in forward
    return self.Backend.rpcclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 888, in forward
    return self._call_command(command, params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 865, in _call_command
    return command(*params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1016, in _call
    return self.__request(name, args)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1010, in __request
    raise error_class(message=error['message'])
ipalib.errors.ValidationError: invalid 'permission': cannot add permission "System: Read User Standard Attributes" with bindtype "anonymous" to a privilege
}}}
Can we make error detection simpler? Even a successful call has a 'failed' key with values. For example, add an error count similar to the completed count?
{{{result['errors'] + result['completed'] == total amount of changes}}}.

{{{
>>> pprint(api.Command.privilege_add_permission(u'Portal management privilege', permission=u'System: Read Stage Users'))
{u'completed': 1,
 u'failed': {u'member': {u'permission': ()}},
 u'result': {u'cn': (u'Portal management privilege',), u'description': (u'Portal privileges',), u'dn': u'cn=Portal management privilege,cn=privileges,cn=pbac,dc=kdcproxy,dc=demo', u'member_role': (u'Portal management',), u'memberof_permission': (u'System: Change User password', u'System: Add Stage User', u'System: Read Stage Users'), u'objectclass': (u'groupofnames', u'top', u'nestedgroup')}}
}}}
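A client-side check for the silent-failure behaviour described in the first comment and the error-count idea proposed just above, added here as an example; it is not code from the ticket or from ipalib. The three result dicts are copied from the REPL sessions above, trimmed to the keys the checks use. `MemberCommandFailed`, `collect_failures`, `error_count`, `total_changes`, `missing_permissions` and `check_member_result` are names chosen for this example. It derives the proposed `errors` counter from `result['failed']`, and verifies the requested permission names against the returned `memberof_permission` attribute rather than against the failure tuple, since that tuple's name is mis-split (`'System'`) in the unknown-permission case. Silently unassigned permissions leave a privilege, and every role using it, with less access than the operator believes was granted, so a caller that treats `completed == 0` as success has an RBAC configuration drift it cannot see.

```python
"""Added example (not from the ticket or from ipalib): detect the silent failures
that ipalib member commands such as privilege_add_permission report in their
result dict instead of raising. The three dicts below are copied from the REPL
sessions in the ticket, trimmed to the keys the checks use (u'' prefixes dropped).
"""

ALREADY_MEMBER = 'This entry is already a member'

# Unknown permission: completed == 0, and the failure tuple is split on ':' so
# the reported name is just 'System' (the message bug noted in the ticket).
RESULT_UNKNOWN = {
    'completed': 0,
    'failed': {'member': {'permission': (
        ('System', 'Read Stage User: permission not found'),)}},
    'result': {'memberof_permission': (
        'System: Change User password', 'System: Add Stage User',
        'System: Read Stage Users')},
}

# Permission already present: also completed == 0, but with a correct name.
RESULT_DUPLICATE = {
    'completed': 0,
    'failed': {'member': {'permission': (
        ('System: Read Stage Users', ALREADY_MEMBER),)}},
    'result': {'memberof_permission': (
        'System: Change User password', 'System: Add Stage User',
        'System: Read Stage Users')},
}

# Success: completed == 1 and an empty failure tuple under 'failed'.
RESULT_OK = {
    'completed': 1,
    'failed': {'member': {'permission': ()}},
    'result': {'memberof_permission': (
        'System: Change User password', 'System: Add Stage User',
        'System: Read Stage Users')},
}


class MemberCommandFailed(Exception):
    """Raised when a member command reports failures it did not raise itself."""

    def __init__(self, failures):
        self.failures = failures
        super().__init__('; '.join(
            f'{attr} {name!r}: {reason}' for attr, name, reason in failures))


def collect_failures(result):
    """Flatten result['failed'] into (attribute, name, reason) tuples."""
    failures = []
    for group in result.get('failed', {}).values():      # e.g. 'member'
        for attr, entries in group.items():                # e.g. 'permission'
            for name, reason in entries:
                failures.append((attr, name, reason))
    return failures


def error_count(result):
    """The 'errors' counter proposed in the ticket, derived on the client."""
    return len(collect_failures(result))


def total_changes(result):
    """errors + completed: how many members the call tried to touch."""
    return error_count(result) + result.get('completed', 0)


def missing_permissions(result, requested):
    """Requested names absent from the returned entry's memberof_permission.

    Checks the entry, not the failure message, because the failure tuple may
    carry a mis-split name (see the ticket)."""
    present = set(result['result'].get('memberof_permission', ()))
    return sorted(set(requested) - present)


def check_member_result(result, requested, ignore_already_member=True):
    """Return result['result'] or raise MemberCommandFailed.

    'already a member' is treated as an idempotent success by default."""
    failures = [f for f in collect_failures(result)
                if not (ignore_already_member and f[2] == ALREADY_MEMBER)]
    missing = missing_permissions(result, requested)
    if missing:
        failures.append(('permission', tuple(missing), 'not present after call'))
    if failures:
        raise MemberCommandFailed(failures)
    return result['result']


if __name__ == '__main__':
    # Against a live server the dict would come from
    # api.Command.privilege_add_permission(u'Portal management privilege',
    #                                      permission=perm) instead.
    for label, res, perm in [('unknown', RESULT_UNKNOWN, 'System: Read Stage User'),
                             ('duplicate', RESULT_DUPLICATE, 'System: Read Stage Users'),
                             ('ok', RESULT_OK, 'System: Read Stage Users')]:
        try:
            check_member_result(res, [perm])
            print(label, 'ok; total changes =', total_changes(res))
        except MemberCommandFailed as exc:
            print(label, 'FAILED:', exc)
```

The `ignore_already_member` default makes the check idempotent, which is what a provisioning script re-running the same assignment usually wants; pass `False` to treat a duplicate add as an error as the API itself reports it.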
can be part of ipalib cleanup tickets
honza: proper information channel is messages/warnings
related doc ticket: #5303
Metadata Update from @cheimes:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog
I'm closing this issue as duplicate of #5303. It doesn't make sense to keep both tickets open.
Metadata Update from @cheimes:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)