Bug #10015

FreeIPA realm-proxy permissions do not allow for removing a DNS record at time of host delete

Added by Heig Gregorian about 9 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Category:
Realm
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Scenario:
RedHat IdM (freeipa v.4.1.0) with foreman-proxy (1.8.0-0.1.RC2)
The realm-proxy user, when removing a host, does not remove the associated DNS records, because the realm-proxy user does not have permission to read DNS.
Relevant IPA-related case here: https://fedorahosted.org/freeipa/ticket/4329

Diagnostics:
IPA permissions setup via `foreman-prepare-realm` are as follows:

$ ipa privilege-show 'Smart Proxy Host Management'
  Privilege name: Smart Proxy Host Management
  Description: Smart Proxy Host Management
  Permissions: System: Add DNS Entries, System: Update DNS Entries, System: Remove Hosts, Retrieve Certificates from the CA, System: Modify Hosts, System: Manage Host Keytab, System:
               Manage Host Enrollment Password, Add Host Enrollment Password, System: Remove DNS Entries, System: Modify Services, System: Manage Service Keytab, System: Manage Host
               Certificates
  Granting privilege to roles: Smart Proxy Host Manager

Attempt host delete using `realm-proxy` credentials

$ kinit realm-proxy -kt /etc/foreman-proxy/freeipa.keytab
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: realm-proxy@EXAMPLE.COM

Valid starting     Expires            Service principal
04/02/15 15:14:51  04/03/15 15:14:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM
$ ipa host-show foo.example.com
  Host name: foo.example.com
  Principal name: host/foo.example.com@EXAMPLE.COM
  Password: False
  Keytab: False
  Managed by: foo.example.com
$ ipa host-del --updatedns foo.example.com
ipa: ERROR: foo.example.com: host not found

Corresponding error in IPA (/var/log/httpd/error_log):

[Thu Apr 02 15:16:52.426840 2015] [:error] [pid 49017] ipa: INFO: [xmlserver_session] realm-proxy@EXAMPLE.COM: host_del((u'foo.example.com',), updatedns=True, version=u'2.51'): NotFound

Delete without `--updatedns` works:

$ ipa host-del foo.example.com
-------------------------------------
Deleted host "foo.example.com" 
-------------------------------------

Add permission to 'Smart Proxy Host Management'

$ ipa privilege-add-permission 'Smart Proxy Host Management' --permission='System: Read DNS Entries'
  Privilege name: Smart Proxy Host Management
  Description: Smart Proxy Host Management
  Permissions: System: Add DNS Entries, System: Update DNS Entries, System: Remove Hosts, Retrieve Certificates from the CA, System: Modify Hosts, System: Manage Host Keytab, System:
               Read DNS Entries, Add Host Enrollment Password, System: Remove DNS Entries, System: Modify Services, System: Manage Service Keytab, System: Manage Host Certificates,
               System: Manage Host Enrollment Password
  Granting privilege to roles: Smart Proxy Host Manager
-----------------------------
Number of permissions added 1
----------------------------- 

Reattempt host delete WITH `--updatedns` now successful (host was re-added):

$ ipa host-del --updatedns foo.example.com
-------------------------------------
Deleted host "foo.example.com" 
-------------------------------------

Is there any reason why 'System: Read DNS Entries' isn't added to the privilege for the 'v2' condition in `foreman-prepare-realm`? An equivalent permission IS present for the 'v1' condition.
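As an added example (not part of this bug report or the smart-proxy project), a POSIX shell check that rejoins the wrapped `Permissions:` field of a captured `ipa privilege-show` transcript and reports which of the permissions `host-del --updatedns` needs are absent. It reads a transcript on stdin rather than calling `ipa`, and the required-permission list is an assumption drawn from the report.

```shell
#!/bin/sh
# Added check (not from the bug report or the smart-proxy project): parse a captured
# `ipa privilege-show` transcript and report which permissions needed for
# `host-del --updatedns` are absent. Nothing here talks to IPA.
# Assumed minimum set for deleting a host together with its DNS records; the
# report shows the privilege had remove rights but lacked the read right.
REQUIRED_PERMS='System: Read DNS Entries
System: Remove DNS Entries
System: Remove Hosts'

# `ipa` wraps the Permissions: value across indented continuation lines, so a
# plain `grep Permissions` sees only the first fragment; rejoin, then split on commas.
privilege_permissions() {
    awk '
        /^  Permissions:/ { inperm = 1; sub(/^  Permissions: */, ""); out = $0; next }
        inperm && /^    / { sub(/^ +/, ""); out = out " " $0; next }
        inperm { inperm = 0 }
        END { print out }
    ' | tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# Read a transcript on stdin; print each missing permission; exit 1 if any.
missing_permissions() {
    have=$(privilege_permissions)
    missing=0
    while IFS= read -r perm; do
        if ! printf '%s\n' "$have" | grep -qxF -- "$perm"; then
            printf 'missing: %s\n' "$perm"
            missing=$((missing + 1))
        fi
    done <<EOF
$REQUIRED_PERMS
EOF
    [ "$missing" -eq 0 ]
}

# Constructed sample: the privilege as foreman-prepare-realm created it (copied from the report).
SAMPLE_BEFORE=$(cat <<'EOF'
  Privilege name: Smart Proxy Host Management
  Description: Smart Proxy Host Management
  Permissions: System: Add DNS Entries, System: Update DNS Entries, System: Remove Hosts, Retrieve Certificates from the CA, System: Modify Hosts, System: Manage Host Keytab, System:
               Manage Host Enrollment Password, Add Host Enrollment Password, System: Remove DNS Entries, System: Modify Services, System: Manage Service Keytab, System: Manage Host
               Certificates
  Granting privilege to roles: Smart Proxy Host Manager
EOF
)

printf '%s\n' "$SAMPLE_BEFORE" | missing_permissions \
    || echo "fix: ipa privilege-add-permission 'Smart Proxy Host Management' --permission='System: Read DNS Entries'"
```

Run it as `ipa privilege-show 'Smart Proxy Host Management' | sh -c '. ./check.sh; missing_permissions'` on a live server, or paste a transcript in place of the constructed sample.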

#1

Updated by Dominic Cleal about 9 years ago

  • Category set to Realm

Probably no reason for it to be that way; please do consider filing a pull request: http://theforeman.org/contribute.html

(https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm)

#2

Updated by The Foreman Bot about 8 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/405 added

#3

Updated by Matthias Thubauville almost 8 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#4

Updated by Dominic Cleal almost 8 years ago

  • Assignee set to Matthias Thubauville
  • translation missing: en.field_release set to 155