#966 Group nesting may cause confusion
Status: Closed (Fixed). Opened 13 years ago by edewata.

Netgroup nesting may cause confusion because memberships obtained through nesting are indistinguishable from regular memberships, yet they are added automatically and cannot be deleted directly.

Steps to reproduce:

  1. Create 2 netgroups:

    ipa netgroup-add netgroup1
    ipa netgroup-add netgroup2

  2. Add the first netgroup as a member of the second netgroup:

    ipa netgroup-add-member netgroup2 --netgroups=netgroup1

  3. Add a user into the first netgroup:

    ipa netgroup-add-member netgroup1 --users=testuser

  4. View the user's details:

    ipa user-show testuser

It will show that the user is a member of both netgroups (i.e. netgroup1, netgroup2) without any distinction between memberships obtained directly and memberships obtained through nesting. The same result will be shown in the Web UI in the user's "Member Of Netgroups" list.

Looking at the user's details only, another administrator may try to remove the user from the second netgroup via Web UI or CLI:

    ipa netgroup-remove-member netgroup2 --users=testuser

However, the operation will fail because the user is not a direct member of the second netgroup.

A possible solution: the indirect membership should be displayed in a separate attribute.
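To make the proposed separate attribute concrete, the following is an added example (not FreeIPA's own code) that walks a group-nesting graph and reports a user's direct memberships apart from those inherited through nesting, which is exactly the distinction the remove-member call depends on. The dict layout, the "user:"/"group:" prefixes and the sample groups are constructed assumptions.

```python
from collections import deque

# Constructed sample (not from the ticket): netgroup1 is a member of
# netgroup2; testuser is a direct member of netgroup1 and netgroup3 only.
GROUPS = {
    "netgroup1": {"user:testuser"},
    "netgroup2": {"group:netgroup1"},
    "netgroup3": {"group:netgroup2", "user:testuser"},
}


def direct_memberof(member, groups):
    """Groups in which `member` is listed directly.

    These are the only memberships a remove-member operation can act on.
    """
    return {g for g, members in groups.items() if member in members}


def memberof(member, groups):
    """Return (direct, indirect) group sets for `member`.

    Indirect membership follows nesting upwards: if M is in G1 and G1 is
    a member of G2, then M is indirectly in G2. The `seen` set keeps the
    walk finite when groups nest in a cycle, and a group that is both
    direct and reachable through nesting is reported only as direct.
    """
    direct = direct_memberof(member, groups)
    indirect = set()
    seen = set(direct)
    queue = deque(direct)
    while queue:
        group = queue.popleft()
        for parent in direct_memberof("group:" + group, groups):
            if parent not in seen:
                seen.add(parent)
                indirect.add(parent)
                queue.append(parent)
    return direct, indirect


def can_remove_member(group, member, groups):
    """Mirror of the failure in the ticket: removal needs direct membership."""
    return member in groups.get(group, set())


if __name__ == "__main__":
    direct, indirect = memberof("user:testuser", GROUPS)
    print("memberof:        ", sorted(direct))
    print("memberofindirect:", sorted(indirect))
```

Displaying the second set under its own label (as the ticket suggests) tells an administrator in advance that a remove-member call against netgroup2 would fail.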


I am fine with not showing the indirect members at all. It seems that we can do a limited fix and not go for a "perfect" solution in v2.

This ticket has been generalized to cover all scenarios with group nesting including user groups, host groups, and net groups. The problem can be observed in the following associations:
- User's "Member Of User Groups"
- User's "Member Of Net Groups"
- User Group's "Member Of User Groups"
- User Group's "Member Of Net Groups"
- Host's "Member Of Host Groups"
- Host's "Member Of Net Groups"

Endi, can you outline how this can cause confusion? What is confusing about it?

To clarify the original bug description, assume there are 2 groups where the first one is a member of the second one. Suppose an admin adds a user to the first group; the user will automatically become a member of the second group because of group nesting.

Separately, another admin may be reviewing the user's membership via the CLI (user-show) or the Web UI; the admin will see that the user belongs to both groups. Suppose the admin (maybe mistakenly) determines that the user should not belong to the second group; the admin will try to remove the user from the second group, but the operation will fail because the user is not a direct member of the second group.

This can be confusing because the CLI or the Web UI does indicate that the user is a member of the second group. The user's memberof list doesn't make any distinction between direct and indirect memberships whereas only direct memberships can be deleted.

Metadata Update from @edewata (7 years ago):
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.0.2 RC2 (bug fixing)
