A privilege cannot be a member of a permission, remove it from metadata

ticket 970

API.txt

@@ -1755,12 +1755,11 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), 'User-friendly
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', <type 'unicode'>, "The primary_key value of the entry, e.g. 'jdoe' for a user")
 command: privilege_add_member
-args: 1,5,3
+args: 1,4,3
 arg: Str('cn', attribute=True, cli_name='name', label=Gettext('Privilege name', domain='ipa', localedir=None), multivalue=False, normalizer=<lambda>, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', flags=['no_output'])
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui', flags=['no_output'])
 option: Str('version?', exclude='webui', flags=['no_option', 'no_output'])
-option: List('permission?', alwaysask=True, cli_name='permissions',ist('permission?', alwaysask=True, cli_name='permissions', doc='comma-separated list of permissions to add', label='permission', multivalue=True)
 option: List('role?', alwaysask=True, cli_name='roles',ist('role?', alwaysask=True, cli_name='roles', doc='comma-separated list of roles to add', label='role', multivalue=True)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('failed', <type 'dict'>, Gettext('Members that could not be added', domain='ipa', localedir=None))
@@ -1811,12 +1810,11 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), 'User-friendly
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', <type 'unicode'>, "The primary_key value of the entry, e.g. 'jdoe' for a user")
 command: privilege_remove_member
-args: 1,5,3
+args: 1,4,3
 arg: Str('cn', attribute=True, cli_name='name', label=Gettext('Privilege name', domain='ipa', localedir=None), multivalue=False, normalizer=<lambda>, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', flags=['no_output'])
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui', flags=['no_output'])
 option: Str('version?', exclude='webui', flags=['no_option', 'no_output'])
-option: List('permission?', alwaysask=True, cli_name='permissions',ist('permission?', alwaysask=True, cli_name='permissions', doc='comma-separated list of permissions to remove', label='permission', multivalue=True)
 option: List('role?', alwaysask=True, cli_name='roles',ist('role?', alwaysask=True, cli_name='roles', doc='comma-separated list of roles to remove', label='role', multivalue=True)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('failed', <type 'dict'>, Gettext('Members that could not be removed', domain='ipa', localedir=None))

ipalib/plugins/privilege.py

@@ -44,10 +44,8 @@ class privilege(LDAPObject):
         'memberindirect'
     ]
     attribute_members = {
-        'member': ['permission', 'role'],
+        'member': ['role'],
         'memberof': ['permission'],
-#        'memberindirect': ['permission'],
-        # FIXME: privilege can be member of ???
     }
     reverse_members = {
         'member': ['permission'],