Commit Graph

141 Commits

Author SHA1 Message Date
Julien Rische
f77c0a573c
kdb: fix vulnerability in GCD rules handling
The initial implementation of MS-SFU by MIT Kerberos was missing a
condition for granting the "forwardable" flag on S4U2Self tickets.
Fixing this mistake required adding special case for the
check_allowed_to_delegate() function: if the target service argument is
NULL, then it means the KDC is probing for general constrained
delegation rules, not actually checking a specific S4U2Proxy request.

In commit e86807b5, the behavior of ipadb_match_acl() was modified to
match the changes from upstream MIT Kerberos a441fbe3. However, a
mistake resulted in this mechanism to apply in cases where target
service argument is set AND unset. This results in S4U2Proxy requests to
be accepted regardless of the fact there is a matching service
delegation rule or not.

This vulnerability does not affect services having RBCD (resource-based
constrained delegation) rules.

This fixes CVE-2024-2698

Signed-off-by: Julien Rische <jrische@redhat.com>
2024-06-10 12:46:05 +02:00
Alexander Bokovoy
84eed2a67f frontend: add systemd journal audit of executed API commands
For each executed command in server context, send the information about
the command to the systemd journal. The resulting string is similar to
what is recored in httpd's error_log for API requests coming through the
RPC layer.

In server mode operations are performed directly on the server over
LDAPI unix domain socket, so httpd end-point is not used and therefore
operations aren't recorded in the error_log.

With this change any IPA API operation is sent as an audit event to the
journal, alog with additional information collected by the journald
itself.

To aid with identification of these messages, an application name is
replaced with IPA.API and the actual name from api.env.script is made a
part of the logged message. The actual application script name is
available as part of the journal metadata anyway.

If no Kerberos authentication was used but rather LDAPI autobind was in
use, the name of the authenticated principal will be replaced with
[autobind].

Messages sent with syslog NOTICE priority.

More information is available in the design document 'audit-ipa-api.md'

Fixes: https://pagure.io/freeipa/issue/9589

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-05-22 17:06:23 -04:00
Alexander Bokovoy
9e861693fc
batch: add keeponly option
batch(methods=Dict(), keeponly=list) will allow to execute batch of
commands and remove from the output everything but the attributes which
names were passed in the keeponly list.

This can be useful if you are only interested in getting names and
assigned random passwords, for example.

Fix batch API test in test_integration/test_idm_api.py and use it to
validate keeponly option.

Fixes: https://pagure.io/freeipa/issue/9583

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-05-22 10:03:38 +02:00
Rob Crittenden
6af8577d58 docs: Add a section on SELinux modules to the HSM design
Additional SELinux rules are necessary for the HSM to be
managed by IPA and certmonger. Given the infinite possible
naming combinations of library paths and modules this is
a best effort. A message is logged if a missing module
is detected.

Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
f658a264f9 doc: Add token-password-file to HSM design, set new OID
Clarify when the user will be prompted interactively during
installation.

Set the OID for ipaCaHSMConfiguration.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rafael Guterres Jeffman
6c6b9354b5 Replace netifaces with ifaddr
Python netifaces has been unmaintained and its main repository has been
archived since June, 2021.

Python ifaddr is an alternative to netifaces, is currently maintained,
and provides an API which requires little change for FreeIPA current
usage.

This patch modifies FreeIPA to rely on ifaddr instead of neitfaces, due
to its current maintainance status.

Fixes: https://pagure.io/freeipa/issue/9555

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-05-03 16:35:19 -04:00
Mark Reynolds
8084b94c17 Issue 9568 - Update IPA to IPA migration design doc
The usage for migrating DNS changed. It went from "--skip-dns",
to "--migrate-dns"

Fixes: https://pagure.io/freeipa/issue/9568

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-04-04 17:25:04 -04:00
Mark Reynolds
557f0a5639 Issue 9547 - Update IPA to IPA migration design doc
Update the ipa to ipa migration doc in regards to the new IPA migration tool

Fixes: https://pagure.io/freeipa/issue/9547

Signed-off-by: Mark Reynolds <mreynolds@redhatr.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-03-14 13:59:48 +01:00
Alexander Bokovoy
1d2897e3d7 ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind
When authentication indicators were introduced in 2016, ipa-pwd-extop
plugin gained ability to reject LDAP BIND when an LDAP client insists
the authentication must use an OTP token. This is used by ipa-otpd to
ensure Kerberos authentication using OTP method is done with at least
two factors (the token and the password).

This enfrocement is only possible when an LDAP client sends the LDAP
control. There are cases when LDAP clients cannot be configured to send
a custom LDAP control during BIND operation. For these clients an LDAP
BIND against an account that only has password and no valid token would
succeed even if admins intend it to fail.

Ability to do LDAP BIND without a token was added to allow users to add
their own OTP tokens securely. If administrators require full
enforcement over LDAP BIND, it is cannot be achieved with LDAP without
sending the LDAP control to do so.

Add IPA configuration string, EnforceLDAPOTP, to allow administrators to
prevent LDAP BIND with a password only if user is required to have OTP
tokens. With this configuration enabled, it will be not possible for
users to add OTP token if one is missing, thus ensuring no user can
authenticate without OTP and admins will have to add initial OTP tokens
to users explicitly.

Fixes: https://pagure.io/freeipa/issue/5169

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-12 13:53:11 +01:00
Alexander Bokovoy
d4ffc53b2a doc/designs/id-mapping.md: expand on ID range allocation details
Related: https://pagure.io/freeipa/issue/9477

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-01-30 10:11:47 -05:00
Alexander Bokovoy
5adc07ae55 doc/Makefile: run sphinx in serial mode
Unfortunately, using pydata_sphinx_theme extension generates warnings in
sphix processing. These warnings cause documentation build to be
considered a failure:

WARNING: the pydata_sphinx_theme extension is not safe for parallel writing
WARNING: doing serial write
....
build finished with problems, 2 warnings.
make: *** [Makefile:24: html] Error 1

Since the build is already doing a serial write, enforce it from start.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2024-01-23 13:19:37 +01:00
Rob Crittenden
11877d5903 Include supported migration scenarios in the ipa-to-ipa docs
Lay out the supported migration paths. Users are likely to get
creative with migration so we need to narrow the path for which
we can provide support.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-01-09 16:15:23 -05:00
Alexander Bokovoy
7ee2d7d359 doc/designs: add description of identity mapping in IPA
Fixes: https://pagure.io/freeipa/issue/9477

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-11-28 17:02:47 +01:00
Christian Heimes
d97d62dead docs: Mention that Keycloak requires openid scope
See: https://www.keycloak.org/docs/latest/upgrading/index.html#userinfo-endpoint-changes
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-11-17 11:56:19 -05:00
Francisco Trivino
4af05dde48 Workshop: fix broken Sphinx cross-references.
Many of the workshop pages links are directing to URLs that end with
".rst" instead of ".html", as a result, these links are broken.

This commit introduces explicit targets and references to ensure that
the pages are correctly linked.

Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-09-26 11:30:33 +02:00
Alexandra Nikandrova
dade02d5bb doc: typo in basic_usage.md
Reviewed-By: Antonio Torres <antorres@redhat.com>
2023-09-12 21:41:57 +02:00
Iker Pedrosa
105b03370c Passkey design: add second sssd design page
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Iker Pedrosa
957d67aca5 Passkey design: user verification clarification
User verification clarification regarding PIN prompt.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Iker Pedrosa
e0acc51ff5 Passkey design: fix user verification
User verification is a boolean attribute.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Alexander Bokovoy
e5c292cdad doc/designs: update link to SSSD passkey design page
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
0075c8b8f6 passkeyconfig: require-user-verification is a boolean
ipa passkeyconfig-mod now accepts Boolean values for
--require-user-verification

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
9963dcdd5b Passkey: update the API doc
Include changes related to passkey auth indicators.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
6f0da62f5a Passkey: add support for discoverable credentials
Apart from server-side credentials passkey should also register
discoverable credentials.
ipa user-add-passkey --register now supports an additional option,
--cred-type server-side|discoverable
that is propagated to passkey_child command.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
a21214cb9e API: add new commands for passkey mappings
- ipa user-add-passkey
- ipa user-remove-passkey
- ipa stageuser-add-passkey
- ipa stageuser-remove-passkey

Fixes: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
4bd1be9e90 API: add new commands for ipa passkeyconfig-show | mod
Currently supports a single parameter:
--require-user-verification [ 'on', 'off', 'default']

Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
574517cb16 Design for passkey support
Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Alexander Bokovoy
e0c4f83abd Change doc theme to 'book'
RTD theam is not compatible with Sphinx 7.0+
https://github.com/readthedocs/readthedocs.org/issues/10279

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-05-03 18:21:12 +02:00
Antonio Torres
88d8534e49 Extend API documentation
This includes:

* Section about command/param info in usage guide
* Section about metadata retrieval in usage guide
* Guide about differences between CLI and API
* Access control guide (management of roles, privileges and
  permissions).
* Guide about API contexts
* JSON-RPC usage guide and JSON-to-Python conversion
* Notes about types in API Reference

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-06 08:56:35 +02:00
Alexander Bokovoy
0bf0b2d251 doc/designs/rbcd.md: document use of S-1-18-* SIDs
Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-05 14:55:22 -04:00
Alexander Bokovoy
667b82a870 doc/designs/rbcd.md: add usage examples
Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-05 14:55:22 -04:00
Alexander Bokovoy
4239b77a6d IPA API changes to support RBCD
IPA API commands to manage RBCD access controls.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-05 14:55:22 -04:00
Alexander Bokovoy
b035ac8eb9 doc: add design document for Kerberos constrained delegation
FreeIPA Kerberos implementation already supports delegation of
credentails, both unconstrained and constrained. Constrained delegation
is an extension developed by Microsoft and documented in MS-SFU
specification. MS-SFU specification also includes resource-based
constrained delegation (RBCD) which FreeIPA did not support.

Microsoft has decided to force use of RBCD for forest trust. This means
that certain use-cases will not be possible anymore.

This design document outlines approaches used by FreeIPA for constrained
delegation implementation, including RBCD.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-05 14:55:22 -04:00
Antonio Torres
c553e3ceb2 doc: allow notes on Param API Reference pages
The notes that Param pages will contain after #6733 are added manually,
and because of it we need to add markers to differentiate between
automated and manual content, equal to what we do for class pages.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-03-29 10:53:25 +02:00
Thorsten Scherf
2aeb963fc9 external-idp: change idp server name to reference name
When you  run "ipa idp-show <idp reference>" the IdP reference is shown
as "Identity Provider server name". This is confusing as we are pointing
to the earlier created IdP reference rather than a server.  Other files
are updated as well to reflect this change.

Additionally some typos are fixed with this patch too.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-03-03 05:08:02 +01:00
Rob Crittenden
50d40b5a9f doc: Update pruning design with implement enable/disable options
Instead of passing TRUE/FALSE to a single --enable option
use two flags instead, which IMHO is clearer.

So --enable=TRUE to --enable and --enable=FALSE to --disable

Fixes: https://pagure.io/freeipa/issue/9323

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-20 10:43:17 +01:00
David Pascual
b0636c5408 doc: Use case examples for PR-CI checker tool
This document showcases common usecases for the user to
interact with the PR-CI checker tool.

Signed-off-by: David Pascual <davherna@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-02-18 09:02:27 +01:00
Rob Crittenden
724c8314b5 Fix setting values of 0 in ACME pruning
Replace comparisons of "if value" with "if value is not None"
in order to handle 0.

Add a short reference to the man page to indicat that a cert
or request retention time of 0 means remove at the next
execution.

Also indicate that the search time limit is in seconds.

Fixes: https://pagure.io/freeipa/issue/9325

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-02-09 13:28:23 -05:00
Antonio Torres
a2667b249e API doc: add usage guides for groups, HBAC and sudo rules
Include guides with examples for groups, HBAC and sudo rules management.
These cover most of available commands related to these topics.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-02-08 14:20:38 -05:00
Antonio Torres
53f7a44c5c API doc: add note about ipa show-mappings to usage guide
As discussed in PR #6664, `ipa show-mappings` can be used as a handy way to list
command arguments and options directly through the CLI.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-02-07 13:37:20 -05:00
Rob Crittenden
7d1d91fc86 doc: add the --run command for manual job execution
A manual method was mentioned with no specificity. Include
the --run command. Also update the troubleshooting section
to show what failure to restart the CA after configuration
looks like.

Import the IPA CA chain for manual execution.

Also fix up some $ -> # to indicate root is needed.

Related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-02 07:36:16 +01:00
Rob Crittenden
5d9f59038d doc: Design for certificate pruning
This describes how the certificate pruning capability of PKI
introduced in v11.3.0 will be integrated into IPA, primarily for
ACME.

Related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-01-26 17:31:26 -05:00
Lenz Grimmer
4eba0481ec doc: Fix incorrect URL format
Replaced URL in Markdown Format with the proper reStructuredText markup
in file doc/workshop/12-external-idp-support.rst

Signed-off-by: Lenz Grimmer <lenz.grimmer@percona.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-01-22 11:39:12 +01:00
Antonio Torres
0a4506ba1b API doc: add basic user management guide
Add basic user management guide that includes various examples on
performing common tasks related to the user module, such as adding an
user, modifying it, adding certificates for it, etc.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-12-02 10:28:58 +01:00
Florence Blanc-Renaud
04aae0eecc API reference: update dnszone_add generated doc
Update doc/api/dnszone_add.md after commit c74c701
(Set 'idnssoaserial' to deprecated)

Related: https://pagure.io/freeipa/issue/9249

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-25 10:38:56 +01:00
Florence Blanc-Renaud
35876b4e11 API reference: update vault doc
Update doc/api/vault_archive_internal.md and
doc/api/vault_retrieve_internal.md
after the change from commit 93548f2
(default wrapping algo is now des-ede3-cbc instead of aes-128-cbc).

Related: https://pagure.io/freeipa/issue/9259

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-25 10:38:56 +01:00
Rob Crittenden
a7b58b3c07 doc: Design for HSM support
Purpose is to add support for HSM installation of CA and KRA
on both initial server and replicas.

Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-11-18 16:05:31 -05:00
Antonio Torres
4caa5ca577 Add basic API usage guide
Add a guide explaining how to use the IPA API through Python. This
includes initializing the API, launching commands and retrieving
results, including batch operations.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-16 14:46:17 -05:00
Antonio Torres
988cb5a535 doc: generate API Reference
Extend the 'make api' target so that we also build an API Reference in
Markdown format. One template for each command gets generated. These
templates include all of the command details (arguments, options and
outputs), and then a section for manually-added notes such as semantics
or version differences. Every time the docs are regenerated, these notes
will be added if they exist.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-16 14:46:17 -05:00
Pavel Březina
c6a16a7e53 docs: add security section to idp
Related: https://pagure.io/freeipa/issue/8805
Related: https://pagure.io/freeipa/issue/8804
Related: https://pagure.io/freeipa/issue/8803
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-16 14:44:13 -05:00
Christian Heimes
dbebed2e3a Add PKINIT support to ipa-client-install
The ``ipa-client-install`` command now supports PKINIT for client
enrollment. Existing X.509 client certificates can be used to
authenticate a host.

Also restart KRB5 KDC during ``ipa-certupdate`` so KDC picks up new CA
certificates for PKINIT.

*Requirements*

- The KDC must trust the CA chain of the client certificate.
- The client must be able to verify the KDC's PKINIT cert.
- The host entry must exist. This limitation may be removed in the
  future.
- A certmap rule must match the host certificate and map it to a single
  host entry.

*Example*

```
ipa-client-install \
    --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
    --pkinit-anchor=/path/to/kdc-ca-bundle.pem
```

Fixes: https://pagure.io/freeipa/issue/9271
Fixes: https://pagure.io/freeipa/issue/9269
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-16 14:32:05 +02:00