#4284 Add privileges and necessary permissions for disabling hosts
Closed: Fixed. Opened 6 years ago by rcritten.

There is no way to easily delegate disabling hosts right now; only full admins can do it.

I was able to achieve this with one new permission plus some existing ones, grouped into two privileges:

# New permission: lets the delegate write a host's usercertificate attribute
ipa permission-add 'Write Host Certificate' --permissions=write --attrs=usercertificate --type=host
# Host side: certificate revocation plus the host keytab
ipa privilege-add 'Disable Host' --desc='Disable Hosts'
ipa privilege-add-permission 'Disable Host' --permissions='retrieve certificates from the ca' --permissions='revoke certificate' --permissions='manage host keytab' --permissions='write host certificate'
# Service side: the service entries on the host and their keytabs
ipa privilege-add 'Disable Service' --desc='Disable Services'
ipa privilege-add-permission 'Disable Service' --permissions='modify services' --permissions='manage service keytab'

If we want a sample role, do this:

ipa role-add 'Disable Hosts' --desc='Disable Hosts'
ipa role-add-privilege --privileges='Disable Service' --privileges='Disable Host' 'Disable Hosts'

This is needed for smoother Foreman smartproxy integration.


The host certificate permission part was already fixed in #4252. A user with the 'Host Administrators' privilege can already disable a host that has no services.

The only missing permission is the one that allows Host Administrators to manage service keytabs:

$ kinit fbar
$ ipa host-disable vm-111.idm.lab.bos.redhat.com
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPrincipalKey' attribute of entry 'krbprincipalname=test/vm-111.idm.lab.bos.redhat.com@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test'.

Fix:

$ kinit admin
$ ipa privilege-add-permission 'Host Administrators' --permissions 'System: manage service keytab'

Result:

$ kinit fbar
$ ipa host-disable vm-111.idm.lab.bos.redhat.com

Patch freeipa-mkosek-472-let-host-administrators-use-host-disable-command.patch was sent for review.

master:

  • 50c30c8 Let Host Administrators use host-disable command
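The delegation from the original post and the krbPrincipalKey error from the fix comment, as an added example that is not code from the ticket or from FreeIPA: a POSIX shell script that applies the ticket's permission/privilege/role sequence (printing the commands for review unless DRY_RUN=0), and maps an ipa "Insufficient access" error back to the permission that grants the denied attribute write, so a delegated user's failed host-disable can be diagnosed. The "System: ..." permission names follow the spelling used in the fix comment; the DRY_RUN variable, the exists/verify_as_user helpers and the sample DNs in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not code from the ticket or from FreeIPA: delegate
# host-disable to a non-admin role and diagnose "Insufficient access" errors
# seen by the delegated user.  Assumptions: "System: ..." permission names as
# in the fix comment, the DRY_RUN switch, and the helper names below.
set -eu

# Run a command, or only print it while DRY_RUN=1 (the default).  The printed
# form drops shell quoting; it is for review, not for pasting back in.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# True when an IPA object already exists (ipa <type>-show exits non-zero
# otherwise), so a re-run skips what was created earlier instead of aborting.
exists() { [ "${DRY_RUN:-1}" != 1 ] && ipa "$1-show" "$2" >/dev/null 2>&1; }

# The ticket's delegation: one new permission, two privileges, one role.
delegate_host_disable() {
    role=${1:-"Disable Hosts"}
    # host-disable revokes the host certificate, which rewrites usercertificate.
    exists permission "Write Host Certificate" ||
        run ipa permission-add "Write Host Certificate" --permissions=write --attrs=usercertificate --type=host
    if ! exists privilege "Disable Host"; then
        run ipa privilege-add "Disable Host" --desc="Disable Hosts"
        run ipa privilege-add-permission "Disable Host" \
            --permissions="System: Retrieve Certificates from the CA" \
            --permissions="System: Revoke Certificate" \
            --permissions="System: Manage Host Keytab" \
            --permissions="Write Host Certificate"
    fi
    # host-disable also strips the keytab of every service on the host; that
    # krbPrincipalKey write is what the fix comment ran into.
    if ! exists privilege "Disable Service"; then
        run ipa privilege-add "Disable Service" --desc="Disable Services"
        run ipa privilege-add-permission "Disable Service" \
            --permissions="System: Modify Services" \
            --permissions="System: Manage Service Keytab"
    fi
    exists role "$role" || run ipa role-add "$role" --desc="Disable Hosts"
    run ipa role-add-privilege --privileges="Disable Host" --privileges="Disable Service" "$role"
}

# Map an ipa "Insufficient access" error line to the permission that grants
# the denied write, using the attribute/container pairs this ticket shows.
missing_permission() {
    err=$1
    attr=$(printf '%s\n' "$err" | sed -n "s/.*privilege to the '\([^']*\)' attribute.*/\1/p" | tr '[:upper:]' '[:lower:]')
    dn=$(printf '%s\n' "$err" | sed -n "s/.*of entry '\([^']*\)'.*/\1/p" | tr '[:upper:]' '[:lower:]')
    [ -n "$attr" ] && [ -n "$dn" ] || { echo "unrecognised error: $err" >&2; return 1; }
    case "$attr,$dn" in
        krbprincipalkey,*cn=services,cn=accounts*)  echo "System: Manage Service Keytab" ;;
        krbprincipalkey,*cn=computers,cn=accounts*) echo "System: Manage Host Keytab" ;;
        usercertificate,*cn=computers,cn=accounts*) echo "Write Host Certificate" ;;
        *) echo "no known permission for $attr on $dn" >&2; return 1 ;;
    esac
}

# Try the disable as the delegated user; on failure name the permission the
# error points at.  Assumes the user already holds the role.
verify_as_user() {
    user=$1; host=$2
    kinit "$user"
    if out=$(ipa host-disable "$host" 2>&1); then
        echo "OK: $user can disable $host"
    else
        printf '%s\n' "$out" >&2
        echo "missing permission: $(missing_permission "$out" || echo unknown)" >&2
        return 1
    fi
}

# Usage: sh delegate.sh apply [ROLE]      (DRY_RUN=0 to execute)
#        sh delegate.sh verify USER HOST
case "${1:-}" in
    apply)  delegate_host_disable "${2:-Disable Hosts}" ;;
    verify) verify_as_user "$2" "$3" ;;
esac
```

Review the dry-run output first, then rerun with DRY_RUN=0 as admin; `verify` needs a Kerberos ticket for the delegated user and will prompt for the password.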

Metadata Update from @rcritten:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 4.0 GA

3 years ago

