Bug 1821181

Summary: Delete operation protection for admin user
Product: Red Hat Enterprise Linux 8
Reporter: Daniele <dconsoli>
Component: ipa
Assignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA
QA Contact: Ganna Kaihorodova <gkaihoro>
Severity: medium
Priority: medium
CC: abokovoy, fhanzelk, frenaud, gkaihoro, mpolovka, mvarun, pasik, rcritten, rjeffman, tscherf
Target Milestone: rc
Keywords: Bugfix, Triaged
Flags: pm-rhel: mirror+
Hardware: All
OS: All
Fixed In Version: ipa-4.9.12-6.module+el8.9.0+19634+c162f948
Doc Type: Bug Fix
Doc Text:
.Deleting the IdM `admin` user is now no longer permitted

Previously, nothing prevented you from deleting the Identity Management (IdM) `admin` user if you were a member of the `admins` group. The absence of the `admin` user causes the trust between IdM and Active Directory (AD) to stop functioning correctly. With this update, you can no longer delete the `admin` user. As a result, the IdM-AD trust works correctly.
: 2229712
Last Closed: 2023-11-14 15:32:50 UTC
Type: Bug
Bug Blocks: 2229712

Description Daniele 2020-04-06 09:08:53 UTC
1. Proposed title of this feature request
[RFE] Delete operation protection for admin user
2. Who is the customer behind the request?
Account: 5584962 - Sberbank Rossii OAO
TAM customer: yes
CSM customer: no
Strategic: yes

3. What is the nature and description of the request?
A user belonging to the admin group can delete the admin user, even though this is not a supported operation.
Such an operation can be performed by mistake and recovering requires manual steps.

4. Why does the customer need this? (List the business requirements here)
While we do rely on common sense, human mistakes can happen, especially in a large organization. Having a way to avoid getting into this situation can potentially save a lot of time.

5. How would the customer like to achieve this? (List the functional requirements here)
Being able to prevent the admin user from being deleted.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
Try to delete the admin user from a user in the admin group.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
As soon as possible

9. Is the sales team involved in this request and do they have any additional input?
This is one of the requests that Sberbank raised as part of a large escalation around their overall dissatisfaction about IPA's stability and reliability.

10. List any affected packages or components.

11. Would the customer be able to assist in testing this functionality if implemented?
Yes

Comment 3 Florence Blanc-Renaud 2020-04-06 09:27:25 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux 7. Unfortunately, this RFE cannot be kept even as a stretch goal and is moved to RHEL8 for proper evaluation.

Comment 8 Florence Blanc-Renaud 2020-05-15 12:40:18 UTC
RHEL 7.9 is already near the end of a development phase and this bug cannot be kept for 7.9, hence it is moved to RHEL 8 for proper evaluation and planning.

Comment 10 Theodoros Apazoglou 2021-09-14 15:32:44 UTC
*** Bug 2003877 has been marked as a duplicate of this bug. ***

Comment 15 Florence Blanc-Renaud 2023-08-01 11:54:15 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8878

Comment 16 Florence Blanc-Renaud 2023-08-01 11:56:44 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/dea35922cd086883c0699646ec39fdef8f0ba579

Comment 19 Florence Blanc-Renaud 2023-08-08 10:54:53 UTC
Additional fix for the webui test:
master:
https://pagure.io/freeipa/c/e49ec1048db85f514e2db5960f773e5d56fa0cec

Comment 20 Florence Blanc-Renaud 2023-08-08 14:51:44 UTC
Additional fix for the webui test:
ipa-4-10:
https://pagure.io/freeipa/c/13d5e88eb4ebb7a0132cbb050a9d230304ecbcff

ipa-4-9:
https://pagure.io/freeipa/c/7d62d84bdd3c2acd2f4bf70bb5fabf14c72e8ee7

Comment 21 Michal Polovka 2023-08-11 08:53:24 UTC
Pre-verified using automation from test_webui/test_user.py with ipa-server-4.9.12-6.module+el8.9.0+19634+c162f948.x86_64

Failed 	test_webui/test_user.py::test_user::()::test_certificate_serial 		
Passed 	test_webui/test_user.py::test_user::()::test_crud 		
Passed 	test_webui/test_user.py::test_user::()::test_associations 	 	
Passed 	test_webui/test_user.py::test_user::()::test_indirect_associations 	
Passed 	test_webui/test_user.py::test_user::()::test_actions  	
Passed 	test_webui/test_user.py::test_user::()::test_certificates 	 	
Passed 	test_webui/test_user.py::test_user::()::test_password_expiration_notification 	 	
Passed 	test_webui/test_user.py::test_user::()::test_grace_login_limit 	
Passed 	test_webui/test_user.py::test_user::()::test_login_without_username 	
Passed 	test_webui/test_user.py::test_user::()::test_disable_delete_admin 	 	
Passed 	test_webui/test_user.py::test_user::()::test_add_user_special 	 	
Passed 	test_webui/test_user.py::test_user::()::test_add_delete_undo_reset_multivalue 	
Passed 	test_webui/test_user.py::test_user::()::test_user_misc 	
Passed 	test_webui/test_user.py::test_user::()::test_menu_click_minimized_window 	
Passed 	test_webui/test_user.py::test_user::()::test_enabled_by_default 	
Passed 	test_webui/test_user.py::test_user_no_private_group::()::test_noprivate_nonposix 	 	
Passed 	test_webui/test_user.py::test_user_no_private_group::()::test_noprivate_posix 	
Passed 	test_webui/test_user.py::test_user_no_private_group::()::test_noprivate_gidnumber 	
Passed 	test_webui/test_user.py::TestLifeCycles::()::test_life_cycles 	
Passed 	test_webui/test_user.py::TestSSHkeys::()::test_ssh_keys 	

The failure in test_certificate_serial is a known issue. Marking as pre-verified - tested.

Comment 26 errata-xmlrpc 2023-11-14 15:32:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6977