Deleting host with certmonger managed cert throws cert revoke error, realm entry not removed

Deleting a host from Foreman which has a certificate requested via certmonger results in the realm entry not being removed.

Proxy log:

2020-05-12T10:46:19 856184ef [I] Started DELETE /REALM/ 
2020-05-12T10:46:23 856184ef [E] Insufficient access: not allowed to perform operation: revoke certificate

The proxy user has the following role / permissions:

ipa role-show 'Smart Proxy Host Manager'
Role name: Smart Proxy Host Manager
Description: Smart Proxy management
Member users: realm-proxy
Privileges: Smart Proxy Host Management

ipa privilege-show 'Smart Proxy Host Management'
  Privilege name: Smart Proxy Host Management
  Description: Smart Proxy Host Management
  Permissions: Retrieve Certificates from the CA, System: Add DNS Entries, System: Read DNS Entries, System: Remove
               DNS Entries, System: Update DNS Entries, System: Manage Host Certificates, System: Manage Host
               Enrollment Password, System: Manage Host Keytab, System: Modify Hosts, System: Remove Hosts, System:
               Manage Service Keytab, System: Modify Services, Add Host Enrollment Password
  Granting privilege to roles: Smart Proxy Host Manager

ipa permission-show "System: Manage Host Certificates"
  Permission name: System: Manage Host Certificates
  Granted rights: write
  Effective attributes: usercertificate
  Default attributes: usercertificate
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=realm,dc=name
  Type: host
  Permission flags: SYSTEM, V2, MANAGED
  Granted to Privilege: Host Administrators, Host Enrollment, Smart Proxy Host Management
  Indirect Member of roles: IT Specialist, Enrollment Administrator, Smart Proxy Host Manager

I would think that System: Manage Host Certificates -> write would also allow a revoke operation; is this not true?

Expected outcome:
Host would be deleted and all realm entries would be removed.

Foreman and Proxy versions:
Foreman and Proxy plugin versions:


Distribution and version:
CentOS 7.8

It looks like the proxy user configuration using the old (v1) permission structure in IPA included a --permission='revoke certificate':


if [ "$PERMISSION_SYSTEM" == "v1" ]; then
  # v1 (pre-managed) permission names; note the explicit 'revoke certificate' grant below
  ipa permission-add 'modify host password' --permissions='write' --type='host' --attrs='userpassword'
  ipa permission-add 'write host certificate' --permissions='write' --type='host' --attrs='usercertificate'
  ipa permission-add 'modify host userclass' --permissions='write' --type='host' --attrs='userclass'

  ipa privilege-add-permission 'Smart Proxy Host Management' --permission='modify host password' --permission='write host certificate' \
    --permission='modify host userclass' --permission='add hosts' --permission='remove hosts' --permission='modify host password' \
    --permission='modify host userclass' --permission='modify hosts' --permission='revoke certificate' \
    --permission='manage host keytab' --permission='write host certificate' --permission='retrieve certificates from the ca' \
    --permission='modify services' --permission='manage service keytab' --permission='read dns entries' \
    --permission='remove dns entries' --permission='add dns entries' --permission='update dns entries'
else
  # v2 (managed "System: ..." permissions); no certificate revocation permission is granted in this branch
  # permission-add takes --permissions (plural), as in the v1 branch above
  ipa permission-add 'Add Host Enrollment Password' --permissions='add' --type='host' --attrs='userpassword'

  ipa privilege-add-permission 'Smart Proxy Host Management' --permission='System: Manage Host Enrollment Password' \
    --permission='System: Manage Host Certificates' --permission='System: Modify Hosts' --permission='System: Remove Hosts' \
    --permission='System: Manage Host Keytab' --permission='Retrieve Certificates from the CA' --permission='System: Modify Services' \
    --permission='System: Manage Service Keytab' --permission='System: Add DNS Entries' --permission='System: Update DNS Entries' \
    --permission='System: Remove DNS Entries' --permission='System: Read DNS Entries' --permission='Add Host Enrollment Password'
fi
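An added example (not part of this report or of the realm preparation script) that audits what a privilege actually grants by parsing `ipa privilege-show` output, using the v2 output quoted above as constructed sample input. It assumes that the v2 counterpart of the v1 'revoke certificate' permission carries the name 'Revoke Certificate'; the privilege name and command output are taken from the report.

```shell
#!/bin/sh
# Added example: audit the permissions a privilege grants by parsing
# `ipa privilege-show` output read from stdin (so captured output can be checked offline).

# Print one permission per line, re-joining the wrapped "Permissions:" field
# (continuation lines are indented deeper than the field label).
privilege_permissions() {
    awk '
        inperm {
            match($0, /[^ ]/)
            if (RSTART > indent) { acc = acc " " $0; next }
            inperm = 0
        }
        /^ *Permissions:/ {
            match($0, /[^ ]/); indent = RSTART
            sub(/^ *Permissions: */, ""); acc = $0; inperm = 1
        }
        END {
            gsub(/  +/, " ", acc)
            n = split(acc, p, /, */)
            for (i = 1; i <= n; i++) { gsub(/^ +| +$/, "", p[i]); if (p[i] != "") print p[i] }
        }'
}

# privilege_missing NAME...: print each NAME the privilege on stdin does not grant.
# Names compare case-insensitively (the v1 script used 'retrieve certificates from the ca'
# for what privilege-show prints as 'Retrieve Certificates from the CA'). Returns 1 if any is missing.
privilege_missing() {
    have=$(privilege_permissions | tr '[:upper:]' '[:lower:]')
    rc=0
    for want in "$@"; do
        lw=$(printf '%s' "$want" | tr '[:upper:]' '[:lower:]')
        printf '%s\n' "$have" | grep -Fxq -- "$lw" || { printf '%s\n' "$want"; rc=1; }
    done
    return $rc
}

# Constructed sample: the v2 privilege exactly as shown in the report.
SAMPLE_PRIVILEGE='  Privilege name: Smart Proxy Host Management
  Description: Smart Proxy Host Management
  Permissions: Retrieve Certificates from the CA, System: Add DNS Entries, System: Read DNS Entries, System: Remove
               DNS Entries, System: Update DNS Entries, System: Manage Host Certificates, System: Manage Host
               Enrollment Password, System: Manage Host Keytab, System: Modify Hosts, System: Remove Hosts, System:
               Manage Service Keytab, System: Modify Services, Add Host Enrollment Password
  Granting privilege to roles: Smart Proxy Host Manager'

# Check the sample for the certificate permissions a host deletion touches.
# "Revoke Certificate" is ASSUMED to be the v2 name of the v1 'revoke certificate' grant.
check_sample() {
    printf '%s\n' "$SAMPLE_PRIVILEGE" | privilege_missing \
        'System: Manage Host Certificates' 'Retrieve Certificates from the CA' 'Revoke Certificate'
}
```

Against a live server, replace the sample with `ipa privilege-show 'Smart Proxy Host Management' | privilege_missing ...`.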