Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1881677 - [RFE] allow enrollment to Red Hat IdM (freeIPA) with an expiration date
Summary: [RFE] allow enrollment to Red Hat IdM (freeIPA) with an expiration date
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.3
Hardware: All
OS: All
unspecified
low
Target Milestone: rc
: 8.0
Assignee: Thomas Woerner
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-09-22 21:01 UTC by joel
Modified: 2021-04-13 10:00 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)

Description joel 2020-09-22 21:01:19 UTC
Description of problem:
We have a team which runs many build jobs in AWS that provision hosts, register to RedHat IdM/freeIPA, run a task, then terminate the EC2. They do their best  to always de-register hosts before terminating, but when build jobs are aborted or fail mid-run, we often end up having to manually terminate the EC2s. The same is true in rare cases when hosts become corrupted or unreachable. If there was a way that the ephemeral hosts could enroll with a way to indicate that the hosts should expire in after a set amount of time, then it would help the admins with the regular maintenance and cleanup of expired hosts.

Version-Release number of selected component (if applicable):
8.3 beta

Comment 1 Alexander Bokovoy 2020-09-23 06:37:37 UTC
There is already krbPrincipalExpiration attribute that defines the time after which the principal is not active anymore.

It can be modified on the host entries manually, by setting time in Zulu format (YYYYMMDDHHmmZ):

ipa host-mod foo.bar.z --setattr krbprincipalexpiration=202009290000Z

this would set host/foo.bar.z principal to expire on 00:00 of 2020/09/29 in UTC timezone

Unfortunately, IPA CLI does not allow to search by the principal expiration in host-find or service-find commands.

Since this attribute is not set by default for hosts, it can be then used in cleanup scripts with LDAP searches to match hosts with explicitly set expiration.

For example, I have a host 'client.ipa.test' to which I set krbPrincipalExpiration to 00:00 of 2020/09/29 in UTC timezone:

# ipa host-mod client.ipa.test --setattr krbprincipalexpiration=202009290000Z
-------------------------------
Modified host "client.ipa.test"
-------------------------------
  Host name: client.ipa.test
  Platform: x86_64
  Operating system: 5.7.17-200.fc32.x86_64
  Principal name: host/client.ipa.test@IPA.TEST
  Principal alias: host/client.ipa.test@IPA.TEST
  SSH public key fingerprint: SHA256:MmZwEvtbk+JmTij6kU1twCTEZKGgaijyKGNZx9+CNuk root@client.ipa.test-c49dc8 (ssh-dss), SHA256:wHymevFCzMOM2izMawZ+U+5enECUaxjGTuw31uWfPTs root@client.ipa.test-c49dc8 (ssh-rsa),
                              SHA256:qAGO0Yweyh0hxlpNyO/cUYJjiVACndL3+0gZNt9xLeo root@client.ipa.test-c49dc8 (ecdsa-sha2-nistp256), SHA256:I1V7/xsYjxUqeupQuD6NrWoH9hLCAAFw8AqU31yPA34 root@client.ipa.test-c49dc8 (ssh-ed25519)
  Password: False
  Keytab: True
  Managed by: client.ipa.test

The search below would match only those hosts that have expiration time between 00:00 of 2020/09/23 and 00:00 of 2020/10/01 in UTC timezone:

# ldapsearch -Y GSSAPI -b cn=computers,cn=accounts,dc=ipa,dc=test '(&(objectclass=ipaHost)(&(krbprincipalexpiration<=202010010000Z)(krbprincipalexpiration>=202009230000Z)))' fqdn
SASL/GSSAPI authentication started
SASL username: admin@IPA.TEST
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=computers,cn=accounts,dc=ipa,dc=test> with scope subtree
# filter: (&(objectclass=ipaHost)(&(krbprincipalexpiration<=202010010000Z)(krbprincipalexpiration>=202009230000Z)))
# requesting: fqdn 
#

# client.ipa.test, computers, accounts, ipa.test
dn: fqdn=client.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test
fqdn: client.ipa.test

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

Comment 2 Alexander Bokovoy 2020-09-23 06:38:29 UTC
Let me know if this helps to define a workaround time being.

Comment 5 Dmitri Pal 2020-10-05 17:25:15 UTC
I would assume that the hosts that belong to a specific environment can be easily put into a host group.
So then we can have a script or a system role/playbook to reset all the hosts in a specific group making all of them ready for re-enrollment. But this solves the problem of re-enrollment of the same hosts. If we are talking about dead bodies that need cleanup then yes, an attribute with time stamp and some periodic cleanup should solve the problem.

This is a regular request.

Comment 7 joel 2020-11-30 16:52:50 UTC
Thanks for the help, cu closed the case.


Note You need to log in before you can comment on or make changes to this bug.