Issue #9286: memberManager ACIs aren't allowing group-based manager access due to missing upgrade code - freeipa - Pagure.io

freeipa

#9286 memberManager ACIs aren't allowing group-based manager access due to missing upgrade code

Closed: fixed a year ago by frenaud. Opened a year ago by abbra.

New installation includes ACIs that allow both memberManager#USERDN and memberManager#GROUPDN access:

# Allow member managers to modify members of user groups
dn: cn=groups,cn=accounts,$SUFFIX
aci: (targetattr = "member")(targetfilter =
"(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers
to modify members of user groups"; allow (write) userattr =
"memberManager#USERDN" or userattr = "memberManager#GROUPDN";)

# Allow member managers to modify members of a host group
dn: cn=hostgroups,cn=accounts,$SUFFIX
aci: (targetattr = "member")(targetfilter =
"(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers
to modify members of host groups"; allow (write) userattr =
"memberManager#USERDN" or userattr = "memberManager#GROUPDN";)

However, upgrades don't get the GROUPDN part and thus do not allow group-based member managers.

This was reported as https://bugzilla.redhat.com/show_bug.cgi?id=2056009

Metadata Update from @abbra:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2056009

a year ago

abbra commented a year ago

PR: https://github.com/freeipa/freeipa/pull/6565

Metadata Update from @abbra:
- Issue assigned to abbra

a year ago

frenaud commented a year ago

master:

e1fd9eb updates: fix memberManager ACI to allow managers from a specified group

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2056009, https://bugzilla.redhat.com/show_bug.cgi?id=2148887 (was: https://bugzilla.redhat.com/show_bug.cgi?id=2056009)

a year ago

frenaud commented a year ago

ipa-4-10:

42be04f updates: fix memberManager ACI to allow managers from a specified group

frenaud commented a year ago

ipa-4-9:

651e28c updates: fix memberManager ACI to allow managers from a specified group

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

frenaud commented a year ago

master:

4acd9fe ipatests: Test MemberManager ACI to allow managers from a specified group after upgrade scenario

frenaud commented a year ago

ipa-4-10:

e1f4f65 ipatests: Test MemberManager ACI to allow managers from a specified group after upgrade scenario

frenaud commented a year ago

ipa-4-9:

2fb6f02 ipatests: Test MemberManager ACI to allow managers from a specified group after upgrade scenario

Login to comment on this ticket.

Metadata

Assignee

Tags

None

Blocking

None

Depending on

None

Priority

None

Milestone

None

cc

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=2056009, https://bugzilla.redhat.com/show_bug.cgi?id=2148887

tester

None

changelog

None

design

None

Powered by Pagure 5.13.3

Documentation • File an Issue • About • SSH Hostkey/Fingerprint

© Red Hat, Inc. and others.