Bug #10015
FreeIPA realm-proxy permissions do not allow for removing a DNS record at time of host delete
Description
Scenario:
RedHat IdM (freeipa v.4.1.0) with foreman-proxy (1.8.0-0.1.RC2)
Removing a host as the realm proxy user does not remove the associated DNS records, because the realm-proxy user does not have permission to read DNS.
Relevant IPA-related case here: https://fedorahosted.org/freeipa/ticket/4329
Diagnostics:
IPA permissions setup via `foreman-prepare-realm` are as follows:
$ ipa privilege-show 'Smart Proxy Host Management'
Privilege name: Smart Proxy Host Management
Description: Smart Proxy Host Management
Permissions: System: Add DNS Entries, System: Update DNS Entries, System: Remove Hosts, Retrieve Certificates from the CA, System: Modify Hosts, System: Manage Host Keytab, System: Manage Host Enrollment Password, Add Host Enrollment Password, System: Remove DNS Entries, System: Modify Services, System: Manage Service Keytab, System: Manage Host Certificates
Granting privilege to roles: Smart Proxy Host Manager
Attempt host delete using `realm-proxy` credentials
$ kinit realm-proxy -kt /etc/foreman-proxy/freeipa.keytab
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: realm-proxy@EXAMPLE.COM

Valid starting     Expires            Service principal
04/02/15 15:14:51  04/03/15 15:14:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM
$ ipa host-show foo.example.com
Host name: foo.example.com
Principal name: host/foo.example.com@EXAMPLE.COM
Password: False
Keytab: False
Managed by: foo.example.com
$ ipa host-del --updatedns foo.example.com
ipa: ERROR: foo.example.com: host not found
Corresponding error in IPA (/var/log/httpd/error_log):
[Thu Apr 02 15:16:52.426840 2015] [:error] [pid 49017] ipa: INFO: [xmlserver_session] realm-proxy@EXAMPLE.COM: host_del((u'foo.example.com',), updatedns=True, version=u'2.51'): NotFound
Delete without `--updatedns` works:
$ ipa host-del foo.example.com
-------------------------------------
Deleted host "foo.example.com"
-------------------------------------
Add permission to 'Smart Proxy Host Management'
$ ipa privilege-add-permission 'Smart Proxy Host Management' --permission='System: Read DNS Entries'
Privilege name: Smart Proxy Host Management
Description: Smart Proxy Host Management
Permissions: System: Add DNS Entries, System: Update DNS Entries, System: Remove Hosts, Retrieve Certificates from the CA, System: Modify Hosts, System: Manage Host Keytab, System: Read DNS Entries, Add Host Enrollment Password, System: Remove DNS Entries, System: Modify Services, System: Manage Service Keytab, System: Manage Host Certificates, System: Manage Host Enrollment Password
Granting privilege to roles: Smart Proxy Host Manager
-----------------------------
Number of permissions added 1
-----------------------------
Reattempt host delete WITH `--updatedns` now successful (host was re-added):
$ ipa host-del --updatedns foo.example.com
-------------------------------------
Deleted host "foo.example.com"
-------------------------------------
Is there any reason why 'System: Read DNS Entries' isn't added to the privilege for the 'v2' condition in `foreman-prepare-realm`? An equivalent permission IS present for the 'v1' condition.
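The check a practitioner would want before trusting `host-del --updatedns` from the proxy's credentials, as an added example that is not code from the bug report, from smart-proxy or from `foreman-prepare-realm`: parse the output of `ipa privilege-show` (which, as the report shows, wraps the permission list across lines, sometimes in the middle of a permission name), compare it with the set the v2 branch is expected to grant plus 'System: Read DNS Entries' (host-del has to read the host's DNS records before it can remove them), and print the `ipa privilege-add-permission` command for each permission that is missing. The privilege name and the sample output are copied from the report; the REQUIRED list is the reporter's post-fix list and is an assumption about what a given Foreman release expects.

```shell
#!/bin/sh
# Added example, not part of the bug report or of smart-proxy: audit an IPA
# privilege for the permissions the realm proxy needs and emit the
# `ipa privilege-add-permission` calls for any that are missing.

# Assumption: the privilege name that foreman-prepare-realm creates (from the report).
PRIVILEGE='Smart Proxy Host Management'

# Permissions `ipa host-del --updatedns` needs end to end: the v2 set shown in
# the report plus 'System: Read DNS Entries'. Assumed from the reporter's
# post-fix privilege-show output.
REQUIRED='System: Add DNS Entries
System: Update DNS Entries
System: Remove DNS Entries
System: Read DNS Entries
System: Remove Hosts
System: Modify Hosts
System: Manage Host Keytab
System: Manage Host Enrollment Password
System: Manage Host Certificates
System: Modify Services
System: Manage Service Keytab
Add Host Enrollment Password
Retrieve Certificates from the CA'

# Constructed sample of `ipa privilege-show` output, copied from the report
# (before the fix), with the two-space field indent and deeper continuation
# indent the IPA CLI uses when it wraps a long 'Permissions:' value.
SAMPLE_OUTPUT='  Privilege name: Smart Proxy Host Management
  Description: Smart Proxy Host Management
  Permissions: System: Add DNS Entries, System: Update DNS Entries, System: Remove Hosts, Retrieve Certificates from the CA, System: Modify Hosts, System: Manage Host Keytab, System:
               Manage Host Enrollment Password, Add Host Enrollment Password, System: Remove DNS Entries, System: Modify Services, System: Manage Service Keytab, System: Manage Host
               Certificates
  Granting privilege to roles: Smart Proxy Host Manager'

# granted_permissions TEXT: print each permission in TEXT on its own line.
# The CLI may break the value inside a permission name, so continuation
# lines (indented deeper than a field label) are joined back onto the
# 'Permissions:' value before it is split on ', '.
granted_permissions() {
    printf '%s\n' "$1" | awk '
        /^  Permissions:/ { sub(/^  Permissions: */, ""); value = $0; inperm = 1; next }
        inperm && /^   /  { sub(/^ +/, ""); value = value " " $0; next }
        inperm            { inperm = 0 }
        END {
            n = split(value, parts, ", ")
            for (i = 1; i <= n; i++) print parts[i]
        }'
}

# missing_permissions TEXT: print the REQUIRED entries that TEXT does not grant.
missing_permissions() {
    granted=$(granted_permissions "$1")
    printf '%s\n' "$REQUIRED" | while IFS= read -r perm; do
        printf '%s\n' "$granted" | grep -qxF "$perm" || printf '%s\n' "$perm"
    done
}

# add_missing_commands TEXT: one ipa command per missing permission, ready to
# run (or review) as an admin with rights over the privilege.
add_missing_commands() {
    missing_permissions "$1" | while IFS= read -r perm; do
        printf "ipa privilege-add-permission '%s' --permission='%s'\n" "$PRIVILEGE" "$perm"
    done
}

# Audit the live privilege when the ipa client is installed and a ticket is
# held (kinit first); otherwise audit the constructed sample above.
if command -v ipa >/dev/null 2>&1 && current=$(ipa privilege-show "$PRIVILEGE" 2>/dev/null); then
    :
else
    echo "# ipa not available or not authenticated; auditing the constructed sample" >&2
    current=$SAMPLE_OUTPUT
fi
add_missing_commands "$current"
```

Against the report's pre-fix output the script prints exactly one line, the `ipa privilege-add-permission ... --permission='System: Read DNS Entries'` command the reporter ran by hand; after that command it prints nothing, which makes it safe to keep in a post-`foreman-prepare-realm` check. The awk join matters: without it the wrapped 'System: Manage Host Enrollment Password' and 'System: Manage Host Certificates' entries would be reported as missing too.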
Associated revisions
History
#1
Updated by Dominic Cleal over 3 years ago
- Category set to Realm
Probably no reason to be that way, please do consider filing a pull request: http://theforeman.org/contribute.html
(https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm)
#2
Updated by The Foreman Bot over 2 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/smart-proxy/pull/405 added
#3
Updated by Matthias Thubauville over 2 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset smart-proxy:a28340b4351fa1e56b19461afd5e790d08ad87f7.
#4
Updated by Dominic Cleal over 2 years ago
- Assignee set to Matthias Thubauville
- Legacy Backlogs Release (now unused) set to 155
Fixes #10015 - FreeIPA realm-proxy permissions do not allow for removing a DNS record at time of host delete

Changes:
* Add permission 'System: Read DNS Entries' to permission system v2