#8646 permission-mod attrs, includedattrs and excludedattrs issues
Closed: fixed 3 years ago by frenaud. Opened 3 years ago by twoerner.

Issue

Using --attrs, --includeattrs and --excludeattrs is resulting in an error with a wrong attribute, but the change is applied.

Steps to Reproduce

  1. ipa permission-mod "System: Modify Automount Maps" --attr=automountmapname --attr=description --attr=calicense
  2. "ipa: ERROR: change collided with another change"
  3. ipa permission-show "System: Modify Automount Maps" | grep calicense
     Effective attributes: automountmapname, calicense, description
     Included attributes: calicense

Actual behavior

There is an error, but "calicense" is added though.

Expected behavior

Error, that calicense is not valid and not added.

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.8.10-6.fc33.x86_64
freeipa-client-4.8.10-6.fc33.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.4.8-1.fc33.x86_64
pki-ca-10.10.0-2.fc33.noarch
krb5-server-1.18.2-29.fc33.x86_64

Additional info:

The same issue happens with includedattrs and excludedattrs.

It is also unexpected that using new attrs on managed permissions is resulting in adding includedattrs and the removal of attrs is resulting in adding excludedattrs. Why are there arguments for includedattrs and excludedattrs then?


Creating the ACI is blowing up with a SyntaxError but this isn't causing the entire request to roll back apparently (the traceback is immense).

I'm not sure what's going on with includedattr and excludedattr unless the code is at least partly computing those and/or preventing toes from being injured.

The permission object gets updated because the ACI is written in a post operation with no previous validation so by the time it fails the main entry is already written.

Interesting. It does have code that is supposed to roll back the change but it isn't working for some reason.

Ok, now I've got it. And that rollback blows up with the MidairCollision that is ultimately reported to the user.

The resulting modlist isn't being generated properly. It is just:

[(1, 'ipapermincludedattr', None), (1, 'memberindirect', None)]

1 == MOD_DELETE

It is raised by:

        except ldap.NO_SUCH_ATTRIBUTE:
            # this is raised when a 'delete' attribute isn't found.
            # it indicates the previous attribute was removed by another
            # update, making the oldentry stale.
            raise errors.MidairCollision()

It is memberindirect throwing this off.

Metadata Update from @rcritten:
- Issue assigned to rcritten

3 years ago

master:

  • 59d6c4d Remove virtual attributes before rolling back a permission
  • 8dd2eb4 ipatests: test that modifying a permission attrs handles failure

ipa-4-9:

  • 9ae7442 Remove virtual attributes before rolling back a permission
  • bdc383a ipatests: test that modifying a permission attrs handles failure
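
The rollback failure diagnosed in the comments above, reduced to a small model (an added example, not FreeIPA or python-ldap code). The in-memory store and the names `read_entry`, `rollback_modlist`, `apply_modlist` and `rollback` are hypothetical, and the model assumes `memberindirect` is computed on read and never stored.

```python
# Simplified model of the rollback failure; not FreeIPA or python-ldap code.
MOD_DELETE = 1  # numeric value quoted in the ticket
VIRTUAL_ATTRS = frozenset({"memberindirect"})  # assumption: computed on read, never stored


class NoSuchAttribute(Exception):
    """Stands in for ldap.NO_SUCH_ATTRIBUTE."""


class MidairCollision(Exception):
    """Stands in for errors.MidairCollision."""


def read_entry(stored):
    """Entry as a client reads it: stored attributes plus the virtual one."""
    entry = {k: list(v) for k, v in stored.items()}
    entry["memberindirect"] = ["cn=constructed-role"]  # constructed value
    return entry


def rollback_modlist(current, original, skip=frozenset()):
    """Delete every attribute present now that the original entry lacked."""
    return [(MOD_DELETE, attr, None) for attr in sorted(current)
            if attr not in original and attr not in skip]


def apply_modlist(stored, modlist):
    """All-or-nothing modify: one missing attribute rejects the whole request."""
    for _, attr, _ in modlist:
        if attr not in stored:
            raise NoSuchAttribute(attr)
    for _, attr, _ in modlist:
        del stored[attr]


def rollback(stored, original, strip_virtual):
    """Undo the permission change; return the modlist that was applied."""
    skip = VIRTUAL_ATTRS if strip_virtual else frozenset()
    modlist = rollback_modlist(read_entry(stored), original, skip)
    try:
        apply_modlist(stored, modlist)
    except NoSuchAttribute:
        raise MidairCollision("change collided with another change") from None
    return modlist
```

With `strip_virtual=False` the generated modlist matches the one quoted in the ticket and the rollback raises, leaving `ipapermincludedattr` in place; with `strip_virtual=True` only the stored attribute is deleted.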

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata Update from @abbra:
- Custom field changelog adjusted to Managed permissions commands now properly rollback changes if a generated ACI has incorrect syntax

3 years ago
