be3a0f3 Clean up the PKI securitydomain when removing a server

Authored and Committed by rcritten 2 years ago
    Clean up the PKI securitydomain when removing a server
    
    PKI has its own internal knowledge of servers and services
    in its securitydomain. This has not been cleaned up in the
    past but is becoming more of an issue as PKI now relies on its
    securitydomain for more things, and it has a healthcheck that
    reports inconsistencies.
    
    Removing entries is straightforward using the PKI REST API.
    
    In order to operate on the API, access is needed. There was an
    unused Security Domain Administrators group that I've added to
    the resourceACLS we created for managing the securitydomain.
    The ipara user is added as a member of this group. The REST
    API binds to the CA using the IPA RA certificate.
    
    Related commits are b3c2197b7e4ed18a7febe3efa6396c2272ebccca
    and ba4df6449aaa0843ab43a1a2b3cb1df8bb022c24.
    
    These resourceACLS were originally created as a backwards
    compatibility mechanism for dogtag v9 and later only created when a
    replica was installed purportedly to save a restart. I don't see
    any reason to not have these defined. They are apparently needed due
    to the PKI database upgrade issues.
    
    In any case, if the purpose was to suppress these ACLS, it failed
    because as soon as a replica with a CA was installed they were as
    well, and we need this ACL in order to manage the securitydomain.
    
    https://pagure.io/freeipa/issue/8930
    
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
    