[OPENDJ-2748] dsconfig --batch and --batchFilePath fail when configuring the global-aci. Created: 07/Mar/16  Updated: 08/Nov/19  Resolved: 21/Nov/16

Status: Done
Project: OpenDJ
Component/s: tools
Affects Version/s: 4.0.0, 3.0.1, 3.0.0, 2.6.3
Fix Version/s: 4.0.0

Type: Bug Priority: Major
Reporter: Lee Trujillo Assignee: Fabio Pistolesi
Resolution: Fixed Votes: 0
Labels: Verified, release-notes

Issue Links:
Relates
relates to OPENDJ-1667 dsconfig batch file processing remove... Done
is related to OPENDJ-1667 dsconfig batch file processing remove... Done
is related to OPENDJ-1840 dsconfig should support batching comm... Done
QA Assignee: Ondrej Fuchsik
Support Ticket IDs:

 Description   

Using dsconfig in "interactive mode" works when removing or adding global-aci's, but the same commands saved with --commandFilePath fail when using --batch or --batchFilePath. The batch sub-commands can fail either by highlighting syntax errors or silently, with no errors at all.

Related enhancement: OPENDJ-1840

ds-cfg-global-aci: (targetattr!="userPassword||authPassword||debugsearchindex||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone"

If the above were added or removed using dsconfig in interactive mode, the following command file is produced.

    # dsconfig session start date: 07/Mar/2016:16:14:22 +0000
    # Session operation number: 1
    # Operation date: 07/Mar/2016:16:14:46 +0000
    dsconfig set-access-control-handler-prop \
    --remove global-aci:(targetattr!=\"userPassword||authPassword||debugsearchindex||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN\")(version\ 3.0\;\ acl\ \"Anonymous\ read\ access\"\;\ allow\ (read,search,compare)\ userdn=\"ldap:///anyone\"\;) \
    --no-prompt

If you remove the comments and process this using --batchFilePath or paste it into an interactive --batch the command fails.

Example: --batchFilePath

opendj; bin/$ cat batchfile 
set-access-control-handler-prop \
          --remove global-aci:\(targetattr!=\"userPassword\|\|authPassword\|\|debugsearchindex\|\|changes\|\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\|newSuperior\|\|deleteOldRDN\"\)\(version\ 3.0\;\ acl\ \"Anonymous\ read\ access\"\;\ allow\ \(read,search,compare\)\ userdn=\"ldap:///anyone\"\;\) \
          --no-prompt

opendj; bin/$ ./dsconfig --no-prompt --trustAll --port 4444 --hostname opendj.forgerock.com --bindDN "cn=Directory Manager" --bindPassword password --batchFilePath ./batchfile 
set-access-control-handler-prop           --remove
global-aci:\(targetattr!=\userPassword\|\|authPassword\|\|debugsearchindex\|\|changes\|\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\|newSuperior\|\|deleteOldRDN\\)\(version##3.0\;##acl##\Anonymous\##read\##access\\;##allow##\(read,search,compare\)##userdn=\ldap:///anyone\\;\)
--no-prompt

The value
"\(targetattr!=\userPassword\|\|authPassword\|\|debugsearchindex\|\|changes\|\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\|newSuperior\|\|deleteOldRDN\\)\(version
3.0\; acl \Anonymous\ read\ access\\; allow \(read,search,compare\)
userdn=\ldap:///anyone\\;\)" is not a valid value for the "global-aci"
property, which must have the following syntax: ACI

Example: --batch (same command)

opendj; bin/$ ./dsconfig --no-prompt --trustAll --port 4444 --hostname opendj.forgerock.com --bindDN "cn=Directory Manager" --bindPassword password --batch
set-access-control-handler-prop \
          --remove global-aci:\(targetattr!=\"userPassword\|\|authPassword\|\|debugsearchindex\|\|changes\|\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\|newSuperior\|\|deleteOldRDN\"\)\(version\ 3.0\;\ acl\ \"Anonymous\ read\ access\"\;\ allow\ \(read,search,compare\)\ userdn=\"ldap:///anyone\"\;\) 
set-access-control-handler-prop           --remove
global-aci:\(targetattr!=\userPassword\|\|authPassword\|\|debugsearchindex\|\|changes\|\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\|newSuperior\|\|deleteOldRDN\\)\(version##3.0\;##acl##\Anonymous\##read\##access\\;##allow##\(read,search,compare\)##userdn=\ldap:///anyone\\;\)
The value
"\(targetattr!=\userPassword\|\|authPassword\|\|debugsearchindex\|\|changes\|\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\|newSuperior\|\|deleteOldRDN\\)\(version
3.0\; acl \Anonymous\ read\ access\\; allow \(read,search,compare\)
userdn=\ldap:///anyone\\;\)" is not a valid value for the "global-aci"
property, which must have the following syntax: ACI
---

Example: --batch with the raw un-escaped aci.

opendj; bin/$ ./dsconfig --no-prompt --trustAll --port 4444 --hostname opendj.forgerock.com --bindDN "cn=Directory Manager" --bindPassword password --batch
set-access-control-handler-prop --remove global-aci:(targetattr!="userPassword||authPassword||debugsearchindex||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)
set-access-control-handler-prop --remove
global-aci:(targetattr!=userPassword||authPassword||debugsearchindex||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN)(version
3.0; acl Anonymous##read##access; allow (read,search,compare)
userdn=ldap:///anyone;)
An error occurred while parsing the command-line arguments: Argument "3.0;"
does not start with one or two dashes and unnamed trailing arguments are not
allowed

See "dsconfig --help" to get more usage help
---

All non-global-aci based batch files process properly

opendj; bin/$ cat batch.db-cache 
set-backend-prop \
          --backend-name userRoot \
          --set db-cache-percent:80 \
          --no-prompt
opendj; bin/$ ./dsconfig --no-prompt --trustAll --port 4444 --hostname opendj.forgerock.com --bindDN "cn=Directory Manager" --bindPassword password --batchFilePath ./batch.db-cache 
set-backend-prop           --backend-name userRoot           --set
db-cache-percent:80           --no-prompt

[07/Mar/2016:09:46:03 -0700] MODIFY REQ conn=5 op=6 msgID=7 dn="ds-cfg-backend-id=userRoot,cn=Backends,cn=config"
[07/Mar/2016:09:46:03 -0700] MODIFY RES conn=5 op=6 msgID=7 result=0 etime=13
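
Added example, not part of the original report or of OpenDJ: Python's shlex module applies POSIX shell quoting rules, which shows that the escaped command file keeps the ACI as one argument only under shell rules, and that the raw ACI breaks at "3.0;" as in the third error above. The helper names are hypothetical, and the code does not model dsconfig's own batch parser.

```python
import shlex

# Batch file from the report (shell-escaped, as written by --commandFilePath),
# with one comment line kept to exercise comment stripping.
ESCAPED = r'''# Session operation number: 1
set-access-control-handler-prop \
          --remove global-aci:\(targetattr!=\"userPassword\|\|authPassword\|\|debugsearchindex\|\|changes\|\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\|newSuperior\|\|deleteOldRDN\"\)\(version\ 3.0\;\ acl\ \"Anonymous\ read\ access\"\;\ allow\ \(read,search,compare\)\ userdn=\"ldap:///anyone\"\;\) \
          --no-prompt
'''

# The raw, un-escaped command from the third example in the report.
RAW = ('set-access-control-handler-prop --remove global-aci:'
       '(targetattr!="userPassword||authPassword||debugsearchindex||changes||'
       'changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||'
       'deleteOldRDN")(version 3.0; acl "Anonymous read access"; '
       'allow (read,search,compare) userdn="ldap:///anyone";)')

ACI = RAW.split("global-aci:", 1)[1]  # the property value that was intended

VALUE_OPTIONS = {"--set", "--add", "--remove"}


def logical_commands(text):
    """Drop '#' comment lines, then join backslash-newline continuations."""
    kept = [ln for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    joined = "\n".join(kept).replace("\\\n", "")
    return [cmd for cmd in joined.splitlines() if cmd.strip()]


def to_argv(command):
    """Tokenize one command with POSIX shell quoting and escaping rules."""
    return shlex.split(command)


def property_values(argv):
    """Return the argument that follows each --set/--add/--remove option."""
    return [argv[i + 1] for i, tok in enumerate(argv[:-1])
            if tok in VALUE_OPTIONS]


def balanced(value):
    """Cheap lint: an ACI cut at a space has unequal '(' and ')' counts."""
    return value.count("(") == value.count(")")
```

Running property_values and balanced over a command file before applying it flags any ACI that would reach the server truncated or not at all.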


 Comments   
Comment by Jean-Noël Rouvignac [ 14/Mar/16 ]

Duplicate of OPENDJ-411 ?

Comment by Fabio Pistolesi [ 06/Jun/16 ]

I am tempted to say the original evaluation (opends-4363) is still applicable:

The goal of the batch file is not to re-implement the unix shell script.
However, the most commonly used stuff (such as '"' and '\' to split a command in
several lines) must be supported.

The main problem is dsconfig --displayCommand displays a command line assuming it would be used in an interactive shell, so it escapes all characters with special meaning in a unix shell. Using the same unedited text in a batch file does not follow the same syntax.
I think it would be better to simplify by enclosing the text with a single quote, eventually escaping embedded single quotes by a backslash that can be stripped during parsing, and supporting comment lines and multiline commands.

Comment by Fabio Pistolesi [ 06/Jun/16 ]

It seems OPENDJ-411 is more a mix of weird escaping taking place (covered here) and enhancement on the UI for changing ACIs, with emphasis on the latter.

Comment by Fabio Pistolesi [ 04/Jul/16 ]

Actually, using single quotes works until no single quotes have to be escaped, in which case it becomes really annoying, having to escape with double quotes.

Comment by Ondrej Fuchsik [ 03/Nov/16 ]

Verified with OpenDJ-4.0.0 rev 2daf3a6626ef94d75790b1e3a118c7cb350e1018

Comment by Quentin CASTEL [X] (Inactive) [ 20/Nov/16 ]

modification of the status, in order to migrate the 'Zendesk ID' field to 'Support Ticket ID' field.

Generated at Sat Nov 28 22:43:09 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.