Re: [Freeipa-devel] [PATCH] 348 Remove misleading authorization error message in cert-request with --add

2014-10-08 Thread Martin Kosek
On 10/07/2014 06:48 PM, Jan Cholasta wrote:
> Hi,
> 
> the attached patch fixes .
> 
> The error message is now the generic ACI error message, e.g. "Insufficient
> access: Insufficient 'add' privilege to add the entry
> 'krbprincipalname=something/somehost.example@example.com,cn=services,cn=accounts,dc=example,dc=com'."
> 
> Honza

Yup, simpler is better in this case. The certmonger tracker seems easier to
understand to me now:

# ipa-getcert list -i 20141008071708
Number of certificates and requests being tracked: 9.
Request ID '20141008071708':
status: CA_REJECTED
ca-error: Server at https://ipa.mkosek-fedora20.test/ipa/xml denied our
request, giving up: 2100 (RPC failed at server.  Insufficient access:
Insufficient 'add' privilege to add the entry
'krbprincipalname=test/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test'.).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
certificate: 
type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes


ACK. Pushed to:
master: 8e602eaf46b71ad8f713f549d6a823c70567bb22
ipa-4-1: ed5ffbfd75f3f1a62581c50a2c64d9e75fc74081
ipa-4-0: 80da03a2169de3a78edec42c1eab1f87734f49a7

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] 348 Remove misleading authorization error message in cert-request with --add

2014-10-07 Thread Jan Cholasta

Hi,

the attached patch fixes .

The error message is now the generic ACI error message, e.g. 
"Insufficient access: Insufficient 'add' privilege to add the entry 
'krbprincipalname=something/somehost.example@example.com,cn=services,cn=accounts,dc=example,dc=com'."

Honza

--
Jan Cholasta
From 4b812d600e9352d3dc37d896b0d4714f07b8cdc6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 7 Oct 2014 18:38:20 +0200
Subject: [PATCH] Remove misleading authorization error message in cert-request
 with --add

https://fedorahosted.org/freeipa/ticket/4540
---
 ipalib/plugins/cert.py | 6 +-
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index e4918a4..679ac14 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -365,11 +365,7 @@ class cert_request(VirtualCommand):
 if not add:
 raise errors.NotFound(reason=_("The service principal for "
 "this request doesn't exist."))
-try:
-service = api.Command['service_add'](principal, force=True)
-except errors.ACIError:
-raise errors.ACIError(info=_('You need to be a member of '
-'the serviceadmin role to add services'))
+service = api.Command['service_add'](principal, force=True)
 service = service['result']
 dn = service['dn']
 
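Review bot: the bare `service = api.Command['service_add'](principal, force=True)` call now depends on the ACIError raised by service_add reaching the caller unchanged, but nothing in the change records why the old serviceadmin wording was misleading; the commit message carries only the ticket URL. A one-line rationale in the commit message, or a short comment above the call saying the ACI error is passed through deliberately, would keep someone from re-adding the wrapper later. The diffstat shows only ipalib/plugins/cert.py touched, so a test that runs cert-request with --add as a user lacking the 'add' privilege and checks that the generic ACIError comes back would pin the new behaviour.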
-- 
1.9.3
