Bug 1568748

Summary: Allow hosts to delete their own services
Product: Red Hat Enterprise Linux 7
Reporter: Standa Laznicka <slaznick>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.4
CC: amore, ndehadra, pasik, pvoborni, rcritten, sumenon, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.6.4-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-30 10:58:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Standa Laznicka 2018-04-18 08:40:30 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/7486

### Request for enhancement
As a host I can add and modify services, but I can't remove my own services.

A service may be decommissioned on the host and needs to be removed.

### Issue
Ticket #4567 gave hosts the ability to add and modify their own services. Removing their services was overlooked. See commit ce50630d5ece036e35d8e11db8383e4e7e9159ae.

#### Steps to Reproduce
1. ```# kinit -kt /etc/krb5.keytab```
2. ```# ipa service-add test/ipa.example.com```
3. ```# ipa service-del test/ipa.example.com```
```
ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete the entry 'krbprincipalname=test/ipa.example.com,cn=services,cn=accounts,dc=example,dc=com'.
```

Comment 2 Petr Vobornik 2018-05-18 15:39:29 UTC
Fixed upstream

master:
    2de1aa2 ACL: Allow hosts to remove services they manage


ipa-4-6:
    93f0a23 ACL: Allow hosts to remove services they manage

Comment 6 Sudhir Menon 2018-08-23 12:55:27 UTC
Tested on Red Hat Enterprise Linux Server release 7.6 Beta (Maipo) using

ipa-server-4.6.4-6.el7.x86_64
sssd-1.16.2-12.el7.x86_64
samba-4.8.3-4.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
pki-server-10.5.9-5.el7.noarch
selinux-policy-3.13.1-215.el7.noarch


[root@master ~]# kinit -kt /etc/krb5.keytab

[root@master ~]# klist -kte /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 2018-08-23T12:46:23 host/master.apollo.test (aes256-cts-hmac-sha1-96) 
   2 2018-08-23T12:46:23 host/master.apollo.test (aes128-cts-hmac-sha1-96) 
   2 2018-08-23T12:46:23 host/master.apollo.test (des3-cbc-sha1) 
   2 2018-08-23T12:46:23 host/master.apollo.test (arcfour-hmac) 
   2 2018-08-23T12:46:23 host/master.apollo.test (camellia128-cts-cmac) 
   2 2018-08-23T12:46:23 host/master.apollo.test (camellia256-cts-cmac) 

[root@master ~]# ipa service-add test/master.apollo.test
---------------------------------------------------
Added service "test/master.apollo.test"
---------------------------------------------------
  Principal name: test/master.apollo.test
  Principal alias: test/master.apollo.test
  Managed by: master.apollo.test

[root@master ~]# ipa service-del test/master.apollo.test
-----------------------------------------------------
Deleted service "test/master.apollo.test"
-----------------------------------------------------
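
The reproduction steps from the description and the verification in comment 6, combined into one regression check. This is an added example, not part of the bug report or of FreeIPA; the commands and message strings are the ones quoted on this page, while the function name and its return codes are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the bug report): regression check for this bug.
# Intended to run as root on an IPA-enrolled host, like the steps in the report.

# verify_host_service_del PRINCIPAL   (hypothetical helper name)
#   returns 0: host added and deleted its own service (fixed behaviour)
#   returns 1: delete refused with "Insufficient 'delete' privilege" (unfixed)
#   returns 2: anything else (no host ticket, add failed, unexpected output)
verify_host_service_del() {
    vhsd_principal=$1

    # Step 1 of the report: authenticate as the host using the host keytab.
    kinit -kt /etc/krb5.keytab >/dev/null 2>&1 || return 2

    # Step 2: the host creates a service for itself.
    ipa service-add "$vhsd_principal" >/dev/null 2>&1 || return 2

    # Step 3: the host tries to remove the service it now manages.
    vhsd_out=$(ipa service-del "$vhsd_principal" 2>&1) && vhsd_rc=0 || vhsd_rc=$?

    case $vhsd_out in
        *"Insufficient 'delete' privilege"*)
            # Unfixed server: the test service is left behind and has to be
            # removed by an administrator.
            return 1 ;;
    esac

    [ "$vhsd_rc" -eq 0 ] || return 2

    case $vhsd_out in
        *"Deleted service \"$vhsd_principal\""*) return 0 ;;
    esac
    return 2
}
```

Call it with a throwaway principal on the host's own FQDN, for example `verify_host_service_del test/ipa.example.com`, and check `$?`.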

Comment 8 errata-xmlrpc 2018-10-30 10:58:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187