Bug #27290
openForeman Proxy cannot delete FreeIPA/RedHat IdM host entry
Description
The Foreman smart proxy is not able to delete a host from RedHat IdM/FreeIPA.
It seems that the "foreman-prepare-realm" script is broken and misses some required permissions.
I already deleted the IPA user that the smart proxy uses, as well as all roles/permissions/etc. that the foreman-prepare-realm script created, and reran the script. The script itself showed no error.
The problem seems to be that the Foreman smart proxy is not able to delete the host certificate.
Foreman proxy version: 1.20.2
RedHat IdM version: 4.6.4
Here is the error message from the Foreman smart proxy log:
2019-07-12T09:52:32 796eb863 [I] Started DELETE /LINUX.EXAMPLE.COM/puppet-4.prod.fra.dc.linux.example.com
2019-07-12T09:52:32 796eb863 [D] verifying remote client 10.201.72.39 against trusted_hosts ["foreman.example.com"]
2019-07-12T09:52:32 796eb863 [D] Making IPA call: ["host_show", ["puppet-4.prod.fra.dc.linux.example.com"]]
2019-07-12T09:52:32 796eb863 [D] Requesting credentials for Kerberos principal realm-proxy-fmsmart-1.prod.va.dc@LINUX.EXAMPLE.COM using keytab /etc/foreman-proxy/freeipa.keytab
2019-07-12T09:52:32 796eb863 [D] Kerberos credential cache initialised with principal: realm-proxy-fmsmart-1.prod.va.dc@LINUX.EXAMPLE.COM
2019-07-12T09:52:32 796eb863 [D] freeipa: realm LINUX.EXAMPLE.COM
2019-07-12T09:52:32 796eb863 [D] freeipa: uri is https://ipa-1.prod.va.dc.linux.example.com/ipa/xml
2019-07-12T09:52:32 796eb863 [D] Making IPA call: ["host_del", ["puppet-4.prod.fra.dc.linux.example.com"], {"updatedns"=>false}]
2019-07-12T09:52:33 796eb863 [E] Insufficient access: not allowed to perform operation: revoke certificate
2019-07-12T09:52:33 796eb863 [D] <XMLRPC::FaultException> Insufficient access: not allowed to perform operation: revoke certificate
/usr/share/ruby/xmlrpc/client.rb:264:in `call'
/usr/share/foreman-proxy/modules/realm_freeipa/provider.rb:147:in `ipa_call'
/usr/share/foreman-proxy/modules/realm_freeipa/provider.rb:111:in `delete'
/usr/share/foreman-proxy/modules/realm/realm_api.rb:24:in `block in <class:Api>'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1611:in `call'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1611:in `block in compile!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:975:in `[]'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:975:in `block (3 levels) in route!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:994:in `route_eval'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:975:in `block (2 levels) in route!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1015:in `block in process_route'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1013:in `catch'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1013:in `process_route'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:973:in `block in route!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:972:in `each'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:972:in `route!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1085:in `block in dispatch!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in `block in invoke'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in `catch'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in `invoke'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1082:in `dispatch!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:907:in `block in call!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in `block in invoke'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in `catch'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in `invoke'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:907:in `call!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:895:in `call'
/usr/share/foreman-proxy/lib/proxy/log.rb:86:in `call'
/usr/share/foreman-proxy/lib/proxy/request_id_middleware.rb:14:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/xss_header.rb:18:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/path_traversal.rb:16:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/json_csrf.rb:18:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/base.rb:49:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/base.rb:49:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/frame_options.rb:31:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/nulllogger.rb:9:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/head.rb:13:in `call'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/show_exceptions.rb:25:in `call'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:182:in `call'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:2013:in `call'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1487:in `block in call'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1787:in `synchronize'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1487:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/urlmap.rb:66:in `block in call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/urlmap.rb:50:in `each'
/usr/share/gems/gems/rack-1.6.4/lib/rack/urlmap.rb:50:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/builder.rb:153:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/handler/webrick.rb:88:in `service'
/usr/share/ruby/webrick/httpserver.rb:138:in `service'
/usr/share/ruby/webrick/httpserver.rb:94:in `run'
/usr/share/ruby/webrick/server.rb:295:in `block in start_thread'
/usr/share/gems/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `call'
/usr/share/gems/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
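As an added example (not code from the report or from the Foreman project), the following script groups smart proxy log lines by request id and reports every IPA call that was denied for lack of a permission, which is how an operator would find the host entries and certificates that such failed deletions leave behind in IdM. The sample log lines are constructed from the shape of the log above (same request id 796eb863), plus one successful request for contrast; the log format and the IPA call message wording are assumed from the lines in this report.

```python
import re
from collections import defaultdict

# Constructed sample in the smart proxy's log format: "timestamp request-id [level] message".
SAMPLE_LOG = """\
2019-07-12T09:52:32 796eb863 [I] Started DELETE /LINUX.EXAMPLE.COM/puppet-4.prod.fra.dc.linux.example.com
2019-07-12T09:52:32 796eb863 [D] Making IPA call: ["host_show", ["puppet-4.prod.fra.dc.linux.example.com"]]
2019-07-12T09:52:32 796eb863 [D] Requesting credentials for Kerberos principal realm-proxy-fmsmart-1.prod.va.dc@LINUX.EXAMPLE.COM using keytab /etc/foreman-proxy/freeipa.keytab
2019-07-12T09:52:32 796eb863 [D] Making IPA call: ["host_del", ["puppet-4.prod.fra.dc.linux.example.com"], {"updatedns"=>false}]
2019-07-12T09:52:33 796eb863 [E] Insufficient access: not allowed to perform operation: revoke certificate
2019-07-12T10:01:00 1a2b3c4d [I] Started DELETE /LINUX.EXAMPLE.COM/web-1.prod.linux.example.com
2019-07-12T10:01:00 1a2b3c4d [D] Making IPA call: ["host_del", ["web-1.prod.linux.example.com"], {"updatedns"=>false}]
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<rid>[0-9a-f]{8}) \[(?P<lvl>[A-Z])\] (?P<msg>.*)$')
IPA_CALL_RE = re.compile(r'Making IPA call: \["(?P<method>\w+)", \["(?P<host>[^"]+)"\]')
PRINCIPAL_RE = re.compile(r'Kerberos principal (?P<principal>\S+) ')
DENIED_RE = re.compile(r'Insufficient access: not allowed to perform operation: (?P<op>.+)$')


def find_denied_realm_ops(log_text):
    """Return one finding per request in which an IPA call was rejected for a missing permission."""
    requests = defaultdict(lambda: {"principal": None, "calls": [], "denied": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # backtrace lines carry no request id prefix; skip them
        req, msg = requests[m["rid"]], m["msg"]
        if (p := PRINCIPAL_RE.search(msg)):
            req["principal"] = p["principal"]
        elif (c := IPA_CALL_RE.search(msg)):
            req["calls"].append((c["method"], c["host"]))
        elif m["lvl"] == "E" and (d := DENIED_RE.search(msg)):
            req["denied"] = d["op"]
    findings = []
    for rid, req in requests.items():
        if req["denied"] and req["calls"]:
            method, host = req["calls"][-1]  # the call that was in flight when the error was logged
            findings.append({"request": rid, "principal": req["principal"], "method": method,
                             "host": host, "missing_op": req["denied"]})
    return findings


if __name__ == "__main__":
    for f in find_denied_realm_ops(SAMPLE_LOG):
        print(f"{f['request']}: {f['method']} on {f['host']} as {f['principal']} "
              f"denied, missing permission: {f['missing_op']}")
```

Each finding names the host whose IdM entry (and certificate) is still in place and the operation the proxy's role lacks, so the role can be corrected and the leftover entries removed by hand.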