author | Alexander Bokovoy <abokovoy@redhat.com> | 2018-04-30 15:35:42 +0300 |
committer | Christian Heimes <cheimes@redhat.com> | 2018-05-03 16:44:57 +0200 |
commit | 1adc941d1f1caeffa8cf490783b7819298e828ce (patch) | |
tree | 0b3aea514b3cfa2225350c1b0c705583c3a5c1b3 /ipaserver/plugins/group.py | |
parent | aa64ef03a04b6e2509924a9f968724232123be3a (diff) | |
group-del: add a warning to logs when password policy could not be removed
When a user with sufficient permissions creates a group using ipa
group-add and then deletes it again with group-del ipa gives an
Insufficient access error, but still deletes the group.
This is due to a need to remove an associated password policy for the
group. However, a password policy might be inaccessible to the user
(created by a more powerful admin) and there is no way to check that it
exists with current privileges other than trying to remove it.
Seeing Python exceptions in the Apache log without explanation is
confusing to many users, so add a warning message that explains what
happens here.
Fixes: https://pagure.io/freeipa/issue/6884
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Diffstat (limited to 'ipaserver/plugins/group.py')
-rw-r--r-- | ipaserver/plugins/group.py | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/ipaserver/plugins/group.py b/ipaserver/plugins/group.py
index 2d6aba149..1b09cf0bd 100644
--- a/ipaserver/plugins/group.py
+++ b/ipaserver/plugins/group.py
@@ -20,6 +20,8 @@ import six
+import logging
+
 from ipalib import api
 from ipalib import Int, Str, Flag
 from ipalib.constants import PATTERN_GROUPUSER_NAME
@@ -48,6 +50,8 @@ from ipapython.dn import DN
 if six.PY3:
     unicode = str
+logger = logging.getLogger(__name__)
+
 if api.env.in_server and api.env.context in ['lite', 'server']:
     try:
         import ipaserver.dcerpc
@@ -366,7 +370,16 @@ class group_del(LDAPDelete):
     def post_callback(self, ldap, dn, *keys, **options):
         assert isinstance(dn, DN)
         try:
+            # A user removing a group may have no rights to remove
+            # an associated policy. Make sure we log an explanation
+            # in the Apache logs for this.
             api.Command['pwpolicy_del'](keys[-1])
+        except errors.ACIError:
+            logger.warning(
+                "While removing group %s, user lacked permissions "
+                "to remove corresponding password policy. This is "
+                "not an issue and can be ignored.", keys[-1]
+            )
         except errors.NotFound:
             pass
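Review bot: The new `except errors.ACIError` branch in post_callback tells the operator the failure is "not an issue and can be ignored", yet the password-policy entry that pwpolicy_del could not remove is left behind in the directory after the group itself is gone, so the message understates the outcome and gives nobody a reason to clean it up. I would keep the warning but make it actionable, e.g. `"While removing group %s, user lacked permissions to remove "` / `"the corresponding password policy; the policy entry remains "` / `"and should be removed by an administrator.", keys[-1]`. Whether a leftover policy keyed on the group name would be picked up again if a group of the same name is later created is not visible from this hunk, but it is exactly the kind of stale-authorization state an admin would want flagged rather than told to ignore. The hunk's old-side count of 7 suggests post_callback has one more line than is shown here, so its end may lie outside the hunk.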