fixes #27290 - allow foreman to delete host having service certificate #882

Open, wants to merge 1 commit into base: develop
pandrieux

Hello guys,

We just identified this error, which we have likely had for a long time but which never caused an issue before.

Foreman is not able to clean host entries from FreeIPA when the host has a service certificate. There is no error on the web interface, but the host, service, certificate and DNS entries are still present in FreeIPA.

First, Foreman can't revoke the certificate:

$ less /var/log/foreman-proxy/proxy.log
2023-12-07T15:06:09 38ee19ed [I] Started DELETE /realm/EXAMPLE.COM/pan91.sandbox.example.com
2023-12-07T15:06:10 38ee19ed [E] Insufficient access: not allowed to perform operation: revoke certificate
2023-12-07T15:06:10 38ee19ed [W] Error details for Insufficient access: not allowed to perform operation: revoke certificate: <XMLRPC::FaultException>: Insufficient access: not allowed to perform operation: revoke certificate
2023-12-07T15:06:10 38ee19ed [W] Insufficient access: not allowed to perform operation: revoke certificate: <XMLRPC::FaultException>: Insufficient access: not allowed to perform operation: revoke certificate

=> so I added perms 'Revoke Certificate'

Then Foreman can't delete the 'HTTP service':

$ less /var/log/foreman-proxy/proxy.log
2023-12-07T16:37:25 385d6cda [I] Started DELETE /realm/EXAMPLE.COM/pan91.sandbox.example.com
2023-12-07T16:37:26 385d6cda [E] Insufficient access: Insufficient 'delete' privilege to delete the entry 'krbprincipalname=HTTP/pan91.sandbox.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com'.
2023-12-07T16:37:26 385d6cda [W] Error details for Insufficient access: Insufficient 'delete' privilege to delete the entry 'krbprincipalname=HTTP/pan91.sandbox.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com'.: <XMLRPC::FaultException>: Insufficient access: Insufficient 'delete' privilege to delete the entry 'krbprincipalname=HTTP/pan91.sandbox.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com'.
2023-12-07T16:37:26 385d6cda [W] Insufficient access: Insufficient 'delete' privilege to delete the entry 'krbprincipalname=HTTP/pan91.sandbox.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com'.: <XMLRPC::FaultException>: Insufficient access: Insufficient 'delete' privilege to delete the entry 'krbprincipalname=HTTP/pan91.sandbox.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com'.

=> so I added perms 'System: Remove Services'

Then it cleans the FreeIPA entries.

Let me know if you need any further details on this matter.
cc @bagasse ;)
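
As an added example (not part of this pull request or of the smart-proxy code), the Ruby script below scans proxy.log-style lines for realm DELETE requests that ended in an `Insufficient access` error, which is the only trace of the failed cleanup described above. The sample lines, host names and request ids are constructed, the line layout is assumed from the log excerpts above, and the mapping covers only the two permissions named in the description.

```ruby
# Added example, not smart-proxy code. Log layout is assumed from the
# excerpts in this pull request: "<time> <request id> [<level>] <message>".
LINE   = /\A(?<ts>\S+) (?<req>\h{8}) \[(?<lvl>[A-Z])\] (?<msg>.*)\z/
START  = %r{\AStarted DELETE /realm/(?<realm>[^/\s]+)/(?<host>\S+)}
DENIED = /\AInsufficient access: (?<reason>.*)\z/

# Only the two permissions named in the description are mapped.
def missing_permission(reason)
  case reason
  when /revoke certificate/ then 'Revoke Certificate'
  when /'delete' privilege.*cn=services,/ then 'System: Remove Services'
  else 'unmapped'
  end
end

# Returns one hash per realm DELETE that logged an [E] access denial.
# The [W] lines repeat the same fault, so they are skipped.
def failed_realm_deletes(log_text)
  started = {}
  failures = []
  log_text.each_line(chomp: true) do |line|
    m = LINE.match(line)
    next unless m
    if (s = START.match(m[:msg]))
      started[m[:req]] = { realm: s[:realm], host: s[:host] }
    elsif m[:lvl] == 'E' && started[m[:req]] && (d = DENIED.match(m[:msg]))
      failures << started[m[:req]].merge(
        time: m[:ts], request: m[:req], missing: missing_permission(d[:reason])
      )
    end
  end
  failures
end

# Constructed sample input (hosts, realm and request ids are made up).
SAMPLE = <<~LOG
  2023-12-07T15:06:09 aaaa0001 [I] Started DELETE /realm/EXAMPLE.TEST/web1.example.test
  2023-12-07T15:06:10 aaaa0001 [E] Insufficient access: not allowed to perform operation: revoke certificate
  2023-12-07T15:06:10 aaaa0001 [W] Insufficient access: not allowed to perform operation: revoke certificate: <XMLRPC::FaultException>: Insufficient access: not allowed to perform operation: revoke certificate
  2023-12-07T16:37:25 aaaa0002 [I] Started DELETE /realm/EXAMPLE.TEST/web1.example.test
  2023-12-07T16:37:26 aaaa0002 [E] Insufficient access: Insufficient 'delete' privilege to delete the entry 'krbprincipalname=HTTP/web1.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test'.
  2023-12-07T17:00:00 aaaa0003 [I] Started DELETE /realm/EXAMPLE.TEST/web2.example.test
LOG

failed_realm_deletes(SAMPLE).each do |f|
  puts "#{f[:time]} #{f[:host]} (#{f[:realm]}): stale entries likely, missing '#{f[:missing]}'"
end
```

Each reported host is a candidate for leftover host, service and certificate entries in FreeIPA that should be checked directly.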

@theforeman-bot
Member

Can one of the admins verify this patch?

@pandrieux pandrieux changed the title allow foreman to delete host having service certificate fixes #27290 - allow foreman to delete host having service certificate Dec 7, 2023