#5242 privilege_add_permission doesn't raise exception for unknown permission
Closed: duplicate 6 years ago Opened 8 years ago by cheimes.

IMHO this Python API call should raise an exception. It took me a while to figure out that the permission name is in plural form, 'System: Read Stage Users' instead of 'System: Read Stage User'.

>>> from ipalib import api
>>> api.bootstrap(context='cli', log=None)
>>> api.finalize()
>>> api.Backend.rpcclient.connect()
>>> api.Command.privilege_add_permission(u'Portal management privilege', permission=u'System: Read Stage User')
{u'failed': {u'member': {u'permission': (('System', u'Read Stage User: permission not found'),)}}, u'completed': 0, u'result': {u'dn': u'cn=Portal management privilege,cn=privileges,cn=pbac,dc=kdcproxy,dc=demo', u'cn': (u'Portal management privilege',), u'objectclass': (u'groupofnames', u'top', u'nestedgroup'), u'member_role': (u'Portal management',), u'memberof_permission': (u'System: Change User password', u'System: Add Stage User'), u'description': (u'Portal privileges',)}}

Initialize the API

>>> from ipalib import api
>>> from pprint import pprint
>>> api.bootstrap(context='cli', log=None)
>>> api.finalize()
ipa: WARNING: session memcached servers not running
>>> api.Backend.rpcclient.connect()

An unknown permission doesn't raise an exception. Please note that the message in {{{[u'failed'][u'member'][u'permission'][0]}}} is wrong, too. It should be {{{(u'System: Read Stage User', u'permission not found')}}}.

>>> pprint(api.Command.privilege_add_permission(u'Portal management privilege', permission=u'System: Read Stage User'))
{u'completed': 0,
 u'failed': {u'member': {u'permission': (('System',
                                          u'Read Stage User: permission not found'),)}},
 u'result': {u'cn': (u'Portal management privilege',),
             u'description': (u'Portal privileges',),
             u'dn': u'cn=Portal management privilege,cn=privileges,cn=pbac,dc=kdcproxy,dc=demo',
             u'member_role': (u'Portal management',),
             u'memberof_permission': (u'System: Change User password',
                                      u'System: Add Stage User',
                                      u'System: Read Stage Users'),
             u'objectclass': (u'groupofnames', u'top', u'nestedgroup')}}

A permission add command also doesn't raise an exception if the privilege already has the permission. In this case {{{[u'failed'][u'member'][u'permission'][0]}}} is correct.

>>> pprint(api.Command.privilege_add_permission(u'Portal management privilege', permission=u'System: Read Stage Users'))
{u'completed': 0,
 u'failed': {u'member': {u'permission': ((u'System: Read Stage Users',
                                          u'This entry is already a member'),)}},
 u'result': {u'cn': (u'Portal management privilege',),
             u'description': (u'Portal privileges',),
             u'dn': u'cn=Portal management privilege,cn=privileges,cn=pbac,dc=kdcproxy,dc=demo',
             u'member_role': (u'Portal management',),
             u'memberof_permission': (u'System: Change User password',
                                      u'System: Add Stage User',
                                      u'System: Read Stage Users'),
             u'objectclass': (u'groupofnames', u'top', u'nestedgroup')}}

Finally some permissions like u'System: Read User Standard Attributes' and u'System: Read User Addressbook Attributes' raise an exception:

>>> pprint(api.Command.privilege_add_permission(u'Portal management privilege', permission=u'System: Read User Standard Attributes'))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 761, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 782, in forward
    return self.Backend.rpcclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 888, in forward
    return self._call_command(command, params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 865, in _call_command
    return command(*params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1016, in _call
    return self.__request(name, args)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1010, in __request
    raise error_class(message=error['message'])
ipalib.errors.ValidationError: invalid 'permission': cannot add permission "System: Read User Standard Attributes" with bindtype "anonymous" to a privilege

Can we make error detection simpler? Even a successful call has a 'failed' key with values. For example, add an error count similar to the completed count?

result['errors'] + result['completed'] == total amount of changes.

>>> pprint(api.Command.privilege_add_permission(u'Portal management privilege', permission=u'System: Read Stage Users'))
{u'completed': 1,
 u'failed': {u'member': {u'permission': ()}},
 u'result': {u'cn': (u'Portal management privilege',),
             u'description': (u'Portal privileges',),
             u'dn': u'cn=Portal management privilege,cn=privileges,cn=pbac,dc=kdcproxy,dc=demo',
             u'member_role': (u'Portal management',),
             u'memberof_permission': (u'System: Change User password',
                                      u'System: Add Stage User',
                                      u'System: Read Stage Users'),
             u'objectclass': (u'groupofnames', u'top', u'nestedgroup')}}
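
The following is an added example, not code from the ticket or from FreeIPA itself. It shows how a caller can detect the silent failures described above with the return structure ipalib currently hands back, and it enforces the invariant proposed in the ticket (failed entries + completed == requested changes). The result dicts embedded below are constructed from the outputs quoted in the ticket; the function and exception names are my own, and in real use the dict would come from `api.Command.privilege_add_permission(...)` instead.

```python
"""Added example (not FreeIPA's own code): detect failures in the dict that
ipalib member-manipulation commands such as privilege_add_permission return.

The structure assumed here is the one shown in the ticket:
    {'completed': <int>,
     'failed': {'member': {'permission': ((name, reason), ...)}},
     'result': {...}}
"""


class MemberOperationFailed(Exception):
    """Raised when a member add/remove command reports any failed entry."""

    def __init__(self, failures):
        self.failures = failures  # list of (attribute, kind, name, reason)
        lines = ["%s/%s %r: %s" % f for f in failures]
        super().__init__("; ".join(lines))


def collect_failures(result):
    """Flatten result['failed'] into (attribute, kind, name, reason) tuples.

    Every level is walked generically, so the helper also works for commands
    that report several member kinds (e.g. 'user' and 'group'), not only
    'permission'.
    """
    failures = []
    for attribute, kinds in result.get("failed", {}).items():
        for kind, entries in kinds.items():
            for name, reason in entries:
                failures.append((attribute, kind, name, reason))
    return failures


def is_already_member(result):
    """True when every reported failure is the idempotent 'already a member'."""
    failures = collect_failures(result)
    return bool(failures) and all(
        reason == "This entry is already a member" for _, _, _, reason in failures)


def check_member_result(result, requested):
    """Enforce the invariant proposed in the ticket:
        len(failures) + result['completed'] == number of requested changes.

    Returns the number of completed changes. Raises ValueError if the counts
    do not add up (the server reported neither success nor failure for some
    change) and MemberOperationFailed if any entry failed.
    """
    failures = collect_failures(result)
    completed = result.get("completed", 0)
    if completed + len(failures) != requested:
        raise ValueError("completed (%d) + failed (%d) != requested (%d)"
                         % (completed, len(failures), requested))
    if failures:
        raise MemberOperationFailed(failures)
    return completed


# Constructed sample results, shaped like the outputs quoted in the ticket
# (the 'result' sub-dict is abbreviated to the cn only).
UNKNOWN_PERMISSION = {
    "completed": 0,
    "failed": {"member": {"permission": (
        ("System", "Read Stage User: permission not found"),)}},
    "result": {"cn": ("Portal management privilege",)},
}

ALREADY_MEMBER = {
    "completed": 0,
    "failed": {"member": {"permission": (
        ("System: Read Stage Users", "This entry is already a member"),)}},
    "result": {"cn": ("Portal management privilege",)},
}

SUCCESS = {
    "completed": 1,
    "failed": {"member": {"permission": ()}},
    "result": {"cn": ("Portal management privilege",)},
}


if __name__ == "__main__":
    # With a live API the call would be:
    # result = api.Command.privilege_add_permission(u'Portal management privilege',
    #                                               permission=u'System: Read Stage Users')
    print(check_member_result(SUCCESS, requested=1))
    for sample in (UNKNOWN_PERMISSION, ALREADY_MEMBER):
        try:
            check_member_result(sample, requested=1)
        except MemberOperationFailed as exc:
            print("failed:", exc, "| idempotent:", is_already_member(sample))
```

`requested` is the number of member values passed to the command (1 for a single `permission=u'...'`, `len(list)` when a list is given), which is what makes the count check meaningful; `is_already_member` lets a caller treat the "already a member" case as a no-op while still surfacing typos such as the singular permission name as hard errors.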

can be part of ipalib cleanup tickets

honza: proper information channel is messages/warnings

related doc ticket: #5303

Metadata Update from @cheimes:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

I'm closing this issue as duplicate of #5303. It doesn't make sense to keep both tickets open.

Metadata Update from @cheimes:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

6 years ago
