#6884 ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group
Closed: fixed 5 years ago Opened 6 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1441262

Description of problem:
When a user with sufficient permissions creates a group using ipa group-add and
then deletes it again with group-del, ipa gives an Insufficient access error
but still deletes the group.

Version-Release number of selected component (if applicable):
Name        : ipa-server
Arch        : x86_64
Version     : 4.4.0
Release     : 14.el7.centos.6

How reproducible:
Every time

Steps to Reproduce:
1. create a user with Indirect Member of role: User Administrator
2. kinit user_admin
3. ipa group-add gtest
-------------------
Added group "gtest"
-------------------
  Group name: gtest
  GID: 1850000008
4. ipa group-del gtest

Actual results:
ipa: ERROR: Insufficient access:
ipa group-show gtest
ipa: ERROR: gtest: group not found


Expected results:
---------------------
Deleted group "gtest"
---------------------

Additional info:
Works OK with user admin.

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1441262

6 years ago

Metadata Update from @mbasti:
- Issue assigned to mbasti

6 years ago

Metadata Update from @pvoborni:
- Issue priority set to: major
- Issue set to the milestone: FreeIPA 4.7

6 years ago

Metadata Update from @mbasti:
- Assignee reset

6 years ago

Metadata Update from @abbra:
- Issue assigned to abbra

5 years ago

master:

  • 1adc941 group-del: add a warning to logs when password policy could not be removed

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago

ipa-4-6:

  • 164d907 group-del: add a warning to logs when password policy could not be removed

master:

  • 3dd5053 ipatests: Check if user with 'User Administrator' role can delete group.

ipa-4-6:

  • b5ac930 ipatests: Check if user with 'User Administrator' role can delete group.

ipa-4-8:

  • a457b79 ipatests: Check if user with 'User Administrator' role can delete group.
