group-del: add a warning to logs when password policy could not be removed

When a user with sufficient permissions creates a group using ipa
group-add and then deletes it again with group-del ipa gives an
Insufficient access error, but still deletes the group.

This is due to a need to remove an associated password policy for the
group. However, a password policy might be inaccessible to the user
(created by a more powerful admin) and there is no way to check that it
exists with current privileges other than trying to remove it.

Seeing Python exceptions in the Apache log without explanation is
confusing to many users, so add a warning message that explains what
happens here.

Fixes: https://pagure.io/freeipa/issue/6884
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Alexander Bokovoy 2018-04-30 15:35:42 +03:00 committed by Christian Heimes
parent aa64ef03a0
commit 1adc941d1f

@ -20,6 +20,8 @@
import six
import logging
from ipalib import api
from ipalib import Int, Str, Flag
from ipalib.constants import PATTERN_GROUPUSER_NAME
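Review bot: `from ipalib import api` is introduced in this hunk, yet the unchanged context further down (`if api.env.in_server and api.env.context in ['lite', 'server']:`) already referenced `api` before this change, so the module must have obtained `api` by some other import; check that this does not leave two imports of the same name, and drop whichever one is redundant.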
@ -48,6 +50,8 @@ from ipapython.dn import DN
if six.PY3:
unicode = str
logger = logging.getLogger(__name__)
if api.env.in_server and api.env.context in ['lite', 'server']:
try:
import ipaserver.dcerpc
@ -366,7 +370,16 @@ class group_del(LDAPDelete):
def post_callback(self, ldap, dn, *keys, **options):
assert isinstance(dn, DN)
try:
# A user removing a group may have no rights to remove
# an associated policy. Make sure we log an explanation
# in the Apache logs for this.
api.Command['pwpolicy_del'](keys[-1])
except errors.ACIError:
logger.warning(
"While removing group %s, user lacked permissions "
"to remove corresponding password policy. This is "
"not an issue and can be ignored.", keys[-1]
)
except errors.NotFound:
pass
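Review bot: the new `except errors.ACIError` branch swallows the error entirely, so after this change the caller no longer learns that the associated password policy is still in place, and the log line then tells the admin that "This is not an issue and can be ignored", which contradicts logging it at warning level. Either log at info level, or keep the warning but say what the consequence is: the password policy for the deleted group could not be removed by this user and remains in the directory until an admin with sufficient rights deletes it, for example "While removing group %s, user lacked permissions to remove the corresponding password policy; it has been left in place and may need to be cleaned up by an administrator." Also consider whether the warning should be emitted only when the policy actually exists, since `pwpolicy_del` raising `NotFound` is already handled silently by the following branch and an ACIError on a non-existent policy would still produce this message.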