RHEL-48104

Default HBAC rules are duplicated on remote server post ipa-migrate in prod-mode

      Migrating an IdM deployment no longer results in duplicate HBAC rules

      Previously, migrating from one Identity Management (IdM) deployment to another by using the `ipa-migrate` utility sometimes led to duplicate host-based access control (HBAC) rules on the destination server. Consequently, the "allow_all" and "allow_systemd-user" HBAC rules appeared twice when running the "ipa hbacrule-find" command on that server.

      The problem has been fixed and migrating IdM deployments no longer results in duplicate HBAC rules.

      What were you trying to do that didn't work?

      Default HBAC rules are duplicated on the remote server during ipa-migrate prod-mode

      Please provide the package NVR for which the bug is seen:

      ipa-server-4.12.0-4.el9.x86_64
      krb5-server-1.21.1-2.el9.x86_64
      389-ds-base-2.5.1-1.el9.x86_64

      How reproducible: Always

      Steps to reproduce

      1. Install IPA local and remote server, i.e. testrelm.test domain
      2. Add hbac rule and sudo rules on the local server.
      3. Run ipa-migrate tool on remote server:
      4. [root@remote ~]# ipa-migrate prod-mode local.testrelm.test -D 'cn=Directory Manager' -w password
      5. Run ipa hbacrule-find on the remote server.

      Expected results

      Default HBAC rules should not be duplicated.

      Actual results

      allow_systemd-user and allow_all are duplicated on the remote server.

      [root@local ~]# ipa hbacrule-find
      --------------------
      3 HBAC rules matched
      --------------------
        Rule name: allow_all
        User category: all
        Host category: all
        Service category: all
        Description: Allow all users to access any host from any host
        Enabled: True

        Rule name: allow_systemd-user
        User category: all
        Host category: all
        Description: Allow pam_systemd to run user@.service to create a system user session
        Enabled: True

        Rule name: hbacrule1
        Enabled: True
      ----------------------------
      Number of entries returned 3
      ----------------------------

      [root@remote ~]# ipa hbacrule-find
      --------------------
      5 HBAC rules matched
      --------------------
        Rule name: allow_all
        User category: all
        Host category: all
        Service category: all
        Description: Allow all users to access any host from any host
        Enabled: True

        Rule name: allow_all
        User category: all
        Host category: all
        Service category: all
        Description: Allow all users to access any host from any host
        Enabled: True

        Rule name: allow_systemd-user
        User category: all
        Host category: all
        Description: Allow pam_systemd to run user@.service to create a system user session
        Enabled: True

        Rule name: allow_systemd-user
        User category: all
        Host category: all
        Description: Allow pam_systemd to run user@.service to create a system user session
        Enabled: True

        Rule name: hbacrule1
        Enabled: True
      ----------------------------
      Number of entries returned 5
      ----------------------------
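As an added post-migration check (not part of this issue or of the ipa-migrate tool), the script below parses `ipa hbacrule-find` output in the format shown above and reports every rule name that appears more than once, which is the condition the migration left behind here; the sample listing is constructed, trimmed from the remote-server output above.

```python
# Constructed sample, modelled on the remote-server output in this issue (trimmed).
SAMPLE_OUTPUT = """\
--------------------
3 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Enabled: True

  Rule name: allow_all
  User category: all
  Host category: all
  Enabled: False

  Rule name: hbacrule1
  Enabled: True
----------------------------
Number of entries returned 3
"""

def parse_hbacrule_find(text):
    """One {attribute: value} dict per rule; a blank line or dashed separator closes a record."""
    rules, current = [], {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("---"):
            if current:
                rules.append(current)
                current = {}
            continue
        attr, sep, value = stripped.partition(": ")
        if sep and (current or attr == "Rule name"):  # skips header/footer lines
            current[attr] = value
    if current:
        rules.append(current)
    return rules

def find_duplicate_rules(text):
    """Return {rule name: [records]} for every name listed more than once."""
    by_name = {}
    for rule in parse_hbacrule_find(text):
        by_name.setdefault(rule["Rule name"], []).append(rule)
    return {name: recs for name, recs in by_name.items() if len(recs) > 1}

if __name__ == "__main__":
    for name, recs in find_duplicate_rules(SAMPLE_OUTPUT).items():
        enabled = sum(r.get("Enabled") == "True" for r in recs)
        print(f"{name}: {len(recs)} copies, {enabled} enabled")
```

Pipe the real command's output into `find_duplicate_rules` after a migration; because HBAC grants access as soon as any enabled rule matches, a second copy of a broad rule such as allow_all should be removed rather than left beside the first.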

              Mark Reynolds (rhn-engineering-mareynol)
              Sudhir Menon (sumenon@redhat.com)
              Florence Renaud
              Filip Hanzelka