Using --attrs, --includeattrs and --excludeattrs is resulting in an error with a wrong attribute, but the change is applied.
There is an error, but "calicense" is added though.
Error, that calicense is not valid and not added.
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server 389-ds-base pki-ca krb5-server
freeipa-server-4.8.10-6.fc33.x86_64
freeipa-client-4.8.10-6.fc33.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.4.8-1.fc33.x86_64
pki-ca-10.10.0-2.fc33.noarch
krb5-server-1.18.2-29.fc33.x86_64
The same issue happens with includedattrs and excludedattrs.
It is also unexpected that using new attrs on managed permissions is resulting in adding includedattrs and the removal of attrs is resulting in adding excludedattrs. Why are there arguments for includedattrs and excludedattrs then?
Creating the ACI is blowing up with a SyntaxError but this isn't causing the entire request to roll back apparently (the traceback is immense).
I'm not sure what's going on with includedattr and excludedattr unless the code is at least partly computing those and/or preventing toes from being injured.
The permission object gets updated because the ACI is written in a post operation with no previous validation so by the time it fails the main entry is already written.
Interesting. It does have code that is supposed to roll back the change but it isn't working for some reason.
Ok, now I've got it. And that rollback blows up with the MidairCollision that is ultimately reported to the user.
The resulting modlist isn't being generated properly. It is just:
[(1, 'ipapermincludedattr', None), (1, 'memberindirect', None)]
1 == MOD_DELETE
It is raised by:
except ldap.NO_SUCH_ATTRIBUTE:
    # this is raised when a 'delete' attribute isn't found.
    # it indicates the previous attribute was removed by another
    # update, making the oldentry stale.
    raise errors.MidairCollision()
It is memberindirect throwing this off.
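The failure described in the comments above, as an added example that is not FreeIPA's code: a toy in-memory directory where the rollback modlist deletes an attribute the server never stored, so the rollback itself fails and surfaces as a MidairCollision. The helper names, the sample entry and the assumption that memberindirect exists only in the client-side copy of the entry are this example's own.

```python
MOD_ADD, MOD_DELETE = 0, 1  # same numeric values python-ldap uses

class NoSuchAttribute(Exception): pass
class MidairCollision(Exception): pass

# Assumption: attributes the client computes and the server never stores.
COMPUTED_ATTRS = frozenset({"memberindirect", "memberofindirect"})

def rollback_modlist(current, original, skip=frozenset()):
    """Mods that turn the client's `current` entry back into `original`."""
    mods = []
    for attr in sorted(set(current) | set(original)):
        if attr in skip or current.get(attr) == original.get(attr):
            continue
        if attr in current:
            mods.append((MOD_DELETE, attr, None))
        if attr in original:
            mods.append((MOD_ADD, attr, original[attr]))
    return mods

def apply_mods(stored, mods):
    """Toy directory server: applies all mods to a copy, or raises."""
    result = {k: list(v) for k, v in stored.items()}
    for op, attr, values in mods:
        if op == MOD_DELETE:
            if attr not in result:
                raise NoSuchAttribute(attr)
            del result[attr]
        else:
            result.setdefault(attr, []).extend(values)
    return result

def rollback(stored, current, original, skip=frozenset()):
    try:
        return apply_mods(stored, rollback_modlist(current, original, skip))
    except NoSuchAttribute:
        raise MidairCollision()  # what the user ends up seeing

# Constructed sample data: entry before the change, what the server holds
# after it, and the client's copy with a computed attribute mixed in.
ORIGINAL = {"cn": ["Example Permission"]}
STORED = {"cn": ["Example Permission"], "ipapermincludedattr": ["calicense"]}
CURRENT = dict(STORED, memberindirect=["uid=example,cn=users,dc=example,dc=test"])

if __name__ == "__main__":
    print(rollback_modlist(CURRENT, ORIGINAL))
    print(rollback(STORED, CURRENT, ORIGINAL, skip=COMPUTED_ATTRS))
```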
Metadata Update from @rcritten: - Issue assigned to rcritten
https://github.com/freeipa/freeipa/pull/5411
master:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @abbra: - Custom field changelog adjusted to Managed permissions commands now properly rollback changes if a generated ACI has incorrect syntax