Bug 1568748 - Allow hosts to delete their own services
Summary: Allow hosts to delete their own services
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-18 08:40 UTC by Standa Laznicka
Modified: 2018-10-30 10:59 UTC (History)

Fixed In Version: ipa-4.6.4-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:58:39 UTC
Target Upstream Version:


Links

| System ID | Priority | Status | Summary | Last Updated |
| --- | --- | --- | --- | --- |
| Red Hat Product Errata RHBA-2018:3187 | None | None | None | 2018-10-30 10:59:53 UTC |

Description Standa Laznicka 2018-04-18 08:40:30 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/7486

### Request for enhancement
As a host, I can add and modify services, but I can't remove my own services.

A service may be decommissioned on the host and needs to be removed.

### Issue
Ticket #4567 gave hosts the ability to add and modify their own services. Removing their services was overlooked. See commit ce50630d5ece036e35d8e11db8383e4e7e9159ae.

#### Steps to Reproduce
1. `# kinit -kt /etc/krb5.keytab`
2. `# ipa service-add test/ipa.example.com`
3. `# ipa service-del test/ipa.example.com`

```
ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete the entry 'krbprincipalname=test/ipa.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com'.
```

Comment 2 Petr Vobornik 2018-05-18 15:39:29 UTC
Fixed upstream

master:
    2de1aa2 ACL: Allow hosts to remove services they manage


ipa-4-6:
    93f0a23 ACL: Allow hosts to remove services they manage

Comment 6 Sudhir Menon 2018-08-23 12:55:27 UTC
Tested on Red Hat Enterprise Linux Server release 7.6 Beta (Maipo) using

ipa-server-4.6.4-6.el7.x86_64
sssd-1.16.2-12.el7.x86_64
samba-4.8.3-4.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
pki-server-10.5.9-5.el7.noarch
selinux-policy-3.13.1-215.el7.noarch


[root@master ~]# kinit -kt /etc/krb5.keytab

[root@master ~]# klist -kte /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 2018-08-23T12:46:23 host/master.apollo.test@APOLLO.TEST (aes256-cts-hmac-sha1-96) 
   2 2018-08-23T12:46:23 host/master.apollo.test@APOLLO.TEST (aes128-cts-hmac-sha1-96) 
   2 2018-08-23T12:46:23 host/master.apollo.test@APOLLO.TEST (des3-cbc-sha1) 
   2 2018-08-23T12:46:23 host/master.apollo.test@APOLLO.TEST (arcfour-hmac) 
   2 2018-08-23T12:46:23 host/master.apollo.test@APOLLO.TEST (camellia128-cts-cmac) 
   2 2018-08-23T12:46:23 host/master.apollo.test@APOLLO.TEST (camellia256-cts-cmac) 

[root@master ~]# ipa service-add test/master.apollo.test
---------------------------------------------------
Added service "test/master.apollo.test@APOLLO.TEST"
---------------------------------------------------
  Principal name: test/master.apollo.test@APOLLO.TEST
  Principal alias: test/master.apollo.test@APOLLO.TEST
  Managed by: master.apollo.test

[root@master ~]# ipa service-del test/master.apollo.test
-----------------------------------------------------
Deleted service "test/master.apollo.test@APOLLO.TEST"
-----------------------------------------------------

Comment 8 errata-xmlrpc 2018-10-30 10:58:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187

