URL: https://github.com/freeipa/freeipa/pull/1886 Author: abbra Title: #1886: group-del: add a warning to logs when password policy could not be re… Action: opened
PR body: """ …moved When a user with sufficient permissions creates a group using ipa group-add and then deletes it again with group-del ipa gives an Insufficient access error, but still deletes the group. This is due to a need to remove an associated password policy for the group. However, a password policy might be inaccessible to the user (created by a more powerful admin) and there is no way to check that it exists with current privileges other than trying to remove it. Seeing Python exceptions in the Apache log without explanation is confusing to many users, so add a warning message that explains what happens here. Fixes: https://pagure.io/freeipa/issue/6884 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1886/head:pr1886 git checkout pr1886
From 1d334feac1352ba5156917783588e3856ab8067f Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Mon, 30 Apr 2018 15:35:42 +0300 Subject: [PATCH] group-del: add a warning to logs when password policy could not be removed When a user with sufficient permissions creates a group using ipa group-add and then deletes it again with group-del ipa gives an Insufficient access error, but still deletes the group. This is due to a need to remove an associated password policy for the group. However, a password policy might be inaccessible to the user (created by a more powerful admin) and there is no way to check that it exists with current privileges other than trying to remove it. Seeing Python exceptions in the Apache log without explanation is confusing to many users, so add a warning message that explains what happens here. Fixes: https://pagure.io/freeipa/issue/6884 --- ipaserver/plugins/group.py | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/group.py b/ipaserver/plugins/group.py index 2d6aba1495..6e27073b77 100644 --- a/ipaserver/plugins/group.py +++ b/ipaserver/plugins/group.py @@ -20,6 +20,8 @@ import six +import logging + from ipalib import api from ipalib import Int, Str, Flag from ipalib.constants import PATTERN_GROUPUSER_NAME @@ -48,6 +50,8 @@ if six.PY3: unicode = str +logger = logging.getLogger(__name__) + if api.env.in_server and api.env.context in ['lite', 'server']: try: import ipaserver.dcerpc
@@ -366,9 +370,16 @@ def pre_callback(self, ldap, dn, *keys, **options): def post_callback(self, ldap, dn, *keys, **options): assert isinstance(dn, DN) try: + # A user removing a group may have no rights to remove + # an associated policy. Make sure we log an explanation + # in the Apache logs for this. api.Command['pwpolicy_del'](keys[-1]) - except errors.NotFound: - pass + except (errors.NotFound, errors.ACIError) as e: + if isinstance(e, errors.ACIError): + logger.warning( + "While removing group %s, user lacked permissions " + "to remove corresponding password policy. This is " + "not an issue and can be ignored", keys[-1]) return True
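Review bot: in the first hunk (`@@ -20,6 +20,8 @@`), `import logging` is inserted below `import six`, which puts a standard-library import after a third-party one; move it above `import six` so the stdlib imports stay grouped ahead of `six` and the `ipalib` imports.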
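Review bot: in the `post_callback` hunk, the warning text says the failure "is not an issue and can be ignored", but when `pwpolicy_del` raises `ACIError` the group's password policy object is left behind and an administrator still has to remove it; the message should state that the policy for the named group remains and needs cleanup by a user with sufficient rights, rather than that it can be ignored. Catching `(errors.NotFound, errors.ACIError) as e` and then testing `isinstance(e, errors.ACIError)` is also harder to read than two clauses: keep `except errors.NotFound: pass` and add a separate `except errors.ACIError:` clause that issues the `logger.warning(...)`.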