Clone of https://bugzilla.redhat.com/show_bug.cgi?id=1730363.
Description of problem:
When a user creates a cert using IPA they are unable to revoke that cert.

Version-Release number of selected component (if applicable):
ipa-server-4.6.4-10.el7_6.2.x86_64

How reproducible:
Always

Steps to Reproduce:

[root@shell01 3]# kinit rbac1test
Password for rbac1test@IPA.REDHAT.COM:
[root@shell01 3]# MUSER=rbac1test
[root@shell01 3]# openssl req -newkey rsa:4096 -keyout ${MUSER}.key -new -sha256 -nodes -days 730 -subj "/emailAddress=${MUSER}@redhat.com/CN=${MUSER}/O=IPA.REDHAT.COM/UID=${MUSER},cn=users,cn=accounts,dc=ipa,dc=redhat,dc=com" -out ${MUSER}.csr && chmod 600 ${MUSER}.key
Generating a 4096 bit RSA private key
.........................................................................................++
.........................................++
writing new private key to 'rbac1test.key'
-----
[root@shell01 3]# ipa cert-request --profile-id=caIPAuserCert --ca=ipa --principal="${MUSER}@IPA.REDHAT.COM" ${MUSER}.csr --certificate-out=${MUSER}.crt
  Issuing CA: ipa
  Certificate: ...
  Subject: UID=rbac1test,CN=users,CN=accounts,DC=ipa,DC=redhat,DC=com,E=$request.auth_token.mail[0]$
  Issuer: CN=Certificate Authority,O=IPA.REDHAT.COM
  Not Before: Tue Jul 16 14:09:54 2019 UTC
  Not After: Fri Jul 16 14:09:54 2021 UTC
  Serial number: 12085
  Serial number (hex): 0x2F35
[dminnich@dminnichlt ~]$ ipa cert-show 0x2F35 --raw --all
  certificate: ..
  certificate_chain: ...
  certificate_chain: ..
  certificate_chain: ...
  certificate_chain: ..
  serial_number: 12085
  serial_number_hex: 0x2F35
  owner: uid=rbac1test,cn=users,cn=accounts,dc=ipa,dc=redhat,dc=com
[root@shell01 3]# ipa cert-revoke 0x2F35 --revocation-reason=0
ipa: ERROR: Insufficient access: not allowed to perform operation: revoke certificate

I do not want to give the user the "Revoke Certificate" permission, which would allow them to revoke any certificate. IPA allows a kinited /etc/krb5.keytab host to revoke its cert but not other hosts' certs. I'd like to see the same thing for users.

Perhaps checking "owner" on the cert entry or for certs stored in "certificate" in their record would allow for some authorization?

Actual results:
ipa: ERROR: Insufficient access: not allowed to perform operation: revoke certificate

Expected results:
Certificate revoked

Additional info:
We use a lot of mutual TLS authentication. Allowing a development team to revoke and issue a new certificate when somebody leaves their team, instead of reaching out to the centralized IAM team for the initial revoke, would be a win.
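The owner-based check suggested above, as an added illustration that is not FreeIPA code: it parses the `owner` field from constructed `ipa cert-show --raw --all` output and allows revocation only when the caller's entry DN matches that owner (or the caller holds the global "Revoke Certificate" permission). The field names are the ones shown in the ticket; the `uid=other,...` DN is a constructed placeholder.

```python
"""Added example (not FreeIPA's implementation): model of the self-service
revocation check proposed in this ticket. A user may revoke a certificate only
when the cert entry's 'owner' attribute is the caller's own entry DN, or when
the caller holds the global "Revoke Certificate" permission."""
import re

# Constructed sample of `ipa cert-show <serial> --raw --all` output, trimmed to
# the fields this check needs (real output also carries the PEM blobs).
CERT_SHOW_OUTPUT = """\
serial_number: 12085
serial_number_hex: 0x2F35
owner: uid=rbac1test,cn=users,cn=accounts,dc=ipa,dc=redhat,dc=com
"""

def parse_raw_output(text):
    """Turn 'key: value' lines of --raw output into a dict of lists; keys such
    as certificate_chain repeat, so every value is retained."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+):\s*(.*)$", line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2).strip())
    return fields

def normalize_dn(dn):
    """Compare DNs case-insensitively and ignore whitespace around commas;
    LDAP attribute types and IPA's uid/cn/dc values are case-insensitive."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def may_revoke(cert_fields, caller_dn, caller_permissions=()):
    """Authorization decision for 'ipa cert-revoke' under the proposal:
    global permission wins; otherwise the caller must own the cert.
    A cert entry with no owner attribute is denied, never allowed by default."""
    if "Revoke Certificate" in caller_permissions:
        return True
    owners = cert_fields.get("owner", [])
    return any(normalize_dn(o) == normalize_dn(caller_dn) for o in owners)

if __name__ == "__main__":
    fields = parse_raw_output(CERT_SHOW_OUTPUT)
    me = "uid=rbac1test,cn=users,cn=accounts,dc=ipa,dc=redhat,dc=com"
    other = "uid=other,cn=users,cn=accounts,dc=ipa,dc=redhat,dc=com"  # constructed
    print("owner revokes own cert:", may_revoke(fields, me))      # True
    print("another user revokes it:", may_revoke(fields, other))  # False
```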
Metadata Update from @ftweedal: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1730363
See blog post with ideas: https://frasertweedale.github.io/blog-redhat/posts/2019-07-19-revocation-self-service.html
Metadata Update from @pcech: - Issue tagged with: Falcon