Bug 56182 - overwriting multi-value attribute of existing object impossible without warnings
Status: NEW
Product: UCS
Classification: Unclassified
Component: UDM - CLI
UCS 5.0
Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Reported: 2023-06-21 12:33 CEST by Moritz Bunkus
Modified: 2023-06-21 13:21 CEST (History)

Attachments
test case (2.77 KB, application/x-shellscript)
2023-06-21 12:33 CEST, Moritz Bunkus

Description Moritz Bunkus 2023-06-21 12:33:23 CEST
Created attachment 11074: test case

UCS 5.0-3 errata 712

I have an existing object (saml/serviceprovider). I want to replace all the configured "LDAPattributes" elements in a single udm call. This seems to only be possible by using '--set LDAPattributes="…"' twice in a single call. That, however, will cause UDM to emit the well-known but highly misleading warning:

> WARNING: multiple values for LDAPattributes given via --set. Use --append instead!

I'll attach a script to illustrate the issue. The script creates three SAML SPs. Each time the creation step only creates a single LDAP attribute mapping for mail → mail. The goal is then to replace that existing mapping with two new mappings for givenName → first_name & sn → last_name.

The three test cases are:

1. udm saml/serviceprovider modify … --set LDAPattributes="…" --set LDAPattributes="…"
2. udm saml/serviceprovider modify … --set LDAPattributes="…" --append LDAPattributes="…"
3. udm saml/serviceprovider modify … --append LDAPattributes="…" --append LDAPattributes="…"

The results are:

1. "--set" twice

This is almost OK: the modified object will have the two desired LDAP attribute mappings for givenName & sn, but not the one for mail. So far, so good. However, "udm" emits the warning shown above.

2. "--set" once, "--append" once

This is not OK: the modified object will only have the one LDAP attribute mapping that's given via "--set" during the modification call. The one from "--append" is missing. This is due to the longstanding issue described in bug 4817.

3. "--append" twice

This is not OK: the modified object will contain all three LDAP attribute mappings: the one from the creation + the two from the modification.

---------------------------------

In my opinion there are two bugs here:

1. As "--set" & "--append" cannot be combined (as in: udm will ignore any "--append" if "--set" is used for the same attribute), udm must emit an error message (or at least a warning) due to invalid usage. At the moment the "--append" parameters are silently ignored.

2. As the only way to overwrite existing multi-value attributes is to only use "--set" for each value, the warning must be removed as udm cannot mind read: it doesn't know if the user wants to replace existing elements (only use "--set") or add to existing ones (only use "--append").
Comment 1 Florian Best univentionstaff 2023-06-21 13:05:30 CEST
Can you try two additional test cases:

5. udm saml/serviceprovider modify … --remove LDAPattributes --append LDAPattributes="…"
6. udm saml/serviceprovider modify … --remove LDAPattributes="…" --append LDAPattributes="…"
Comment 2 Moritz Bunkus 2023-06-21 13:20:32 CEST
Sure thing.

4. --remove "LDAPattributes" --append "LDAPattributes=givenName first_name" --append "LDAPattributes=sn last_name"

Result: no LDAPattributes at all. No warning emitted. I consider both to be a bug or at least worthy of a warning.

5. --remove "LDAPattributes=mail mail" --append "LDAPattributes=givenName first_name" --append "LDAPattributes=sn last_name"

Result: only the two wanted mappings for givenName & sn are present, but not the one for mail. This is OK. No warning emitted.

From a usability point of view this way isn't ideal either as I'd have to parse the existing attributes & explicitly mention them on the command line.

What I really want is a way to say "replace all existing values with these ones & don't shout about me being wrong about it".

OK, what I actually want is for udm to make correct usage easy & wrong usage hard. At the moment it makes correct usage (only "--set", no "--append") hard due to the misleading warning. It also makes wrong usage (combining "--set" with "--append", or argument-less "--replace" with "--append") hard due to there being no warning at all.

udm already warns us about unused arguments, which I consider very, very good as it makes wrong usage harder:

[0 root@trinculo ~] udm users/user modify --dn "$(udm users/user list --filter uid=mbunkus |grep '^DN:'|sed -e 's/^DN: //')" --set description=moocow dieserparameteristunbekannt
WARNING: the following arguments are ignored: "dieserparameteristunbekannt"

I guess the existing warning about "use --append instead" was supposed to prevent similar types of mistakes, but at the moment it warns about otherwise correct usage and is therefore a bad warning.
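The following is a constructed model of the five outcomes reported in the description and in comment 2, together with the usage check the reporter asks for (an error or warning when --append is combined with --set or with an argument-less --remove). It is added illustration, not udm's own code; apply_ops() and usage_check() are assumed names.

```python
# Constructed model of how udm's CLI resolved --set/--append/--remove on one
# multi-value attribute in the five cases reported above. It is not udm code;
# apply_ops() and usage_check() are assumed names for this illustration.
from typing import List, Optional, Tuple

Op = Tuple[str, Optional[str]]  # ("--set"|"--append"|"--remove", value or None)

SET_WARNING = "multiple values for LDAPattributes given via --set. Use --append instead!"


def apply_ops(existing: List[str], ops: List[Op]) -> Tuple[List[str], List[str]]:
    """Return (resulting values, warnings udm prints) for the observed behaviour."""
    sets = [v for opt, v in ops if opt == "--set"]
    appends = [v for opt, v in ops if opt == "--append"]
    removes = [v for opt, v in ops if opt == "--remove"]
    warnings: List[str] = []
    if sets:
        # Cases 1 and 2: --set replaces everything; --append is silently dropped,
        # and udm warns only when --set appears more than once.
        if len(sets) > 1:
            warnings.append(SET_WARNING)
        return list(sets), warnings
    if None in removes:
        # Case 4: argument-less --remove clears the attribute and the appends vanish.
        return [], warnings
    # Cases 3 and 5: keep existing values minus explicit removals, then append.
    kept = [v for v in existing if v not in removes]
    return kept + appends, warnings


def usage_check(ops: List[Op]) -> List[str]:
    """Diagnostics the reporter asks for: flag argument combinations udm ignores."""
    opts = {opt for opt, _ in ops}
    problems: List[str] = []
    if "--set" in opts and "--append" in opts:
        problems.append("--append is ignored when --set is given for the same attribute")
    if ("--remove", None) in ops and "--append" in opts:
        problems.append("--append is ignored after an argument-less --remove")
    return problems


if __name__ == "__main__":
    existing = ["mail mail"]  # constructed: the mapping created before modification
    new = [("--append", "givenName first_name"), ("--append", "sn last_name")]
    print(apply_ops(existing, [("--remove", None)] + new))  # ([], [])
    print(usage_check([("--remove", None)] + new))
```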
Comment 3 Moritz Bunkus 2023-06-21 13:21:29 CEST
Ugh, I meant to say:

> It also makes wrong usage (combining "--set" with "--append", or argument-less "--replace" with "--append") **easy** due to there being no warning at all.