Bug 1411249 - IDM Host re-enrol fails with ERROR -- : Insufficient access: not allowed to perform operation: revoke certificate
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Realm
Version: 6.2.6
Hardware: Unspecified
OS: Linux
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Kedar Bidarkar
Depends On:
Reported: 2017-01-09 09:11 UTC by Geoff Gatward
Modified: 2018-08-02 20:58 UTC (History)
6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-08-02 20:58:21 UTC
Target Upstream Version:


Description Geoff Gatward 2017-01-09 09:11:28 UTC
Description of problem:
Just tried rebuilding a couple of test hosts on my Sat 6.2.6 install, and found that the idm_register snippet had not been running. In the foreman-proxy/proxy.log was an entry each time the provisioning token was accessed:

ERROR -- : Insufficient access: not allowed to perform operation: revoke certificate

This was working at the end of last year. I have since upgraded both Satellite (6.2.4 -> 6.2.6) and ipa-server; I suspect a new permission is required in the IdM server due to various recent ipa-server RHSA errata.

Version-Release number of selected component (if applicable):
RHEL 7.3

How reproducible:

Steps to Reproduce:
1. Configure Satellite Realm proxy
2. Configure host to kickstart as a member of the IdM realm
3. After host has been built, mark host for rebuild in Satellite and reboot it
4. Error will be seen in proxy.log as host accesses kickstart template - IdM re-registration is triggered but fails due to insufficient permission

Actual results:
idm_register snippet is not run on build, so host does not enrol in IPA.
foreman-proxy/proxy.log shows ERROR message

Expected results:
host enrols to IPA on build, no errors in proxy log

Additional info:
The solution seems to be to add the 'Revoke Certificate' privilege to the 'Smart Proxy Host Manager' role in IPA. With this set there is no error logged and hosts could be rebuilt.

This should be updated in the 'foreman-realm-prepare' script, and existing installations would need the additional permission added to the realm-capsule user.
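The remediation the reporter describes, as an added example that is not part of the bug report or of foreman-realm-prepare. IdM attaches permissions to privileges and privileges to roles, so granting the role 'Revoke Certificate' means adding that permission to the privilege behind 'Smart Proxy Host Manager'. The script assumes that privilege is named 'Smart Proxy Host Management' and that the permission's IdM name is 'System: Revoke Certificate' (the report writes 'Revoke Certificate'); neither name appears in the report, so confirm both with `ipa role-show 'Smart Proxy Host Manager'` and `ipa permission-find revoke` first. It also counts the report's error string in a proxy.log and verifies the privilege afterwards. With no argument it runs a dry run (IPA=echo) over constructed sample log lines; with a log path and an admin Kerberos ticket it runs for real.

```shell
#!/bin/sh
# Added example, not code from the bug report or from foreman-realm-prepare.
# 1. Count the permission error from the report in a foreman-proxy log.
# 2. Grant the missing IdM permission to the privilege behind the
#    'Smart Proxy Host Manager' role, then check that the privilege carries it.
# Assumptions not stated in the report: the privilege is named
# 'Smart Proxy Host Management' and the permission's IdM name is
# 'System: Revoke Certificate'. A real run needs `kinit admin` first.

ROLE=${ROLE:-'Smart Proxy Host Manager'}
PRIVILEGE=${PRIVILEGE:-'Smart Proxy Host Management'}
PERMISSION=${PERMISSION:-'System: Revoke Certificate'}
IPA=${IPA:-ipa}   # IPA=echo turns every IdM call into a dry run that prints the command

# Number of log lines carrying the exact error string from the report.
# Matching the whole message keeps unrelated "Insufficient access" errors out.
count_revoke_errors() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'Insufficient access: not allowed to perform operation: revoke certificate' "$1" || true
}

# True when the privilege already lists the permission (ipa privilege-show
# prints a "Permissions:" line with the comma-separated member permissions).
privilege_has_permission() {
    "$IPA" privilege-show "$PRIVILEGE" 2>/dev/null | grep -F 'Permissions:' | grep -Fq "$PERMISSION"
}

# Add the permission once; IdM reports re-adding an existing member as a
# failure, so skip it instead of treating that as an error.
grant_revoke_permission() {
    if privilege_has_permission; then
        echo "already present: '$PERMISSION' in privilege '$PRIVILEGE'"
        return 0
    fi
    "$IPA" privilege-add-permission "$PRIVILEGE" --permissions="$PERMISSION"
}

# Usage: sh fix-realm-proxy-revoke.sh /var/log/foreman-proxy/proxy.log
# Without an argument: dry run (IPA=echo) over a constructed sample log.
if [ $# -eq 0 ]; then
    IPA=echo
    LOG=$(mktemp)
    trap 'rm -f "$LOG"' EXIT
    # Constructed sample in foreman-proxy's log format; not taken from the report.
    cat > "$LOG" <<'EOF'
I, [2017-01-09T09:05:11.000001 #2190]  INFO -- : 192.0.2.10 - - "GET /unattended/provision?token=0f1e2d3c HTTP/1.1" 200
E, [2017-01-09T09:05:12.000002 #2190] ERROR -- : Insufficient access: not allowed to perform operation: revoke certificate
E, [2017-01-09T09:07:44.000003 #2190] ERROR -- : Insufficient access: not allowed to perform operation: revoke certificate
EOF
else
    LOG=$1
fi

n=$(count_revoke_errors "$LOG")
echo "$n 'revoke certificate' permission errors in $LOG"
if [ "$n" -gt 0 ]; then
    grant_revoke_permission
    if privilege_has_permission; then
        echo "verified: '$PRIVILEGE' now includes '$PERMISSION'"
    else
        echo "not verified (expected with IPA=echo; re-run against IdM to confirm)"
    fi
fi
```

Adding the single permission to the proxy's own privilege keeps the realm-proxy user at the narrowest grant that makes re-enrolment work, rather than placing it in a broad certificate-administration role. Note that a revoke permission in IdM is not scoped to the host being rebuilt, so the proxy credential should be protected accordingly.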

Comment 1 Stephen Benjamin 2017-01-09 14:44:23 UTC
What version of IPA did you upgrade from?

Comment 2 Geoff Gatward 2017-01-09 20:13:45 UTC
I'm not sure exactly when this issue appeared, as I was not constantly building machines; however, it was working with the initial 4.4.0 in RHEL 7.3.
The update sequence according to yum history was:
4.2.0-15.el7_2.19 -> 4.4.0-12.el7    (RHEL 7.2 to 7.3 update)
4.4.0-12.el7 -> 4.4.0-14.el7_3.el7   (Problem identified here)

Comment 3 Stephen Benjamin 2017-01-09 20:47:30 UTC

Comment 6 Kedar Bidarkar 2017-09-27 18:01:59 UTC
I have the setup automated, but it's complicated to have a test case in PASS/FAIL format.

No, I will try and test this thing soon.

Comment 7 Bryan Kearney 2018-08-02 20:58:21 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.
