Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1551141
Description of problem: "ipa hbacrule-mod rulename --servicecat='all'" returns this error: ipa: ERROR: service category cannot be set to 'all' while there are allowed services But in the hbacrule property page on web UI, you can set "Service category the rule applies to" to "Any Service" from "Specified Services and Groups", then save the hbacrule, and it clears out all existing services and service groups automatically. no errors return. Version-Release number of selected component (if applicable): ipa-server-4.5.0-21.el7.x86_64 How reproducible: Steps to Reproduce: 1. in web UI, create a hbacrule with "services" and "service groups" defined in the bottom of its property page. by default it is "Any Service". change it to "Specified Services and Groups", then add some random services or service groups below. 2. run "ipa hbacrule-mod <rulename> --servicecat='all'" from console, you should see the fore-mentioned error messages: ipa: ERROR: service category cannot be set to 'all' while there are allowed services 3. in the web UI, in the same hbacrule property page, change "Service category the rule applies to" from "Specified Services and Groups" to "Any Service", then click Save. now you can see all previously defined services and service groups are cleared out and save is successful. Actual results: described above Expected results: "ipa hbacrule-mod <rulename> --servicecat='all'" should be able to clear all defined services or service groups automatically, just like what is being done in web UI. Additional info:
Metadata Update from @fbarreto: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1551141
Metadata Update from @fbarreto: - Issue priority set to: normal
The behavior described in this ticket is not an issue but rather a design choice: - when an admin uses the GUI to change servicecategory='all' for an HBAC rule, he can see before modification if the rule already contains services because they would be displayed in the "Services" table. This means he is fully aware of the current HBAC rule definition, and that selecting 'Any service' will erase the list of services. - when the CLI is used, the admin may not realize that servicecategory='all' would erase a potentially long list of services. The decision was made to protect from unintentional deletion by adding the check and the error "ERROR: service category cannot be set to 'all' while there are allowed services".
Hence this ticket will be closed as invalid.
Metadata Update from @frenaud: - Issue close_status updated to: invalid - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.