Problem:
Deleting a host from Foreman which has a certificate requested via certmonger results in the realm entry not being removed.
Proxy log:
2020-05-12T10:46:19 856184ef [I] Started DELETE /REALM/zapps001.realm.name
2020-05-12T10:46:23 856184ef [E] Insufficient access: not allowed to perform operation: revoke certificate
The proxy user has the following role / permissions:
ipa role-show 'Smart Proxy Host Manager'
Role name: Smart Proxy Host Manager
Description: Smart Proxy management
Member users: realm-proxy
Privileges: Smart Proxy Host Management
ipa privilege-show 'Smart Proxy Host Management'
Privilege name: Smart Proxy Host Management
Description: Smart Proxy Host Management
Permissions: Retrieve Certificates from the CA, System: Add DNS Entries, System: Read DNS Entries, System: Remove
DNS Entries, System: Update DNS Entries, System: Manage Host Certificates, System: Manage Host
Enrollment Password, System: Manage Host Keytab, System: Modify Hosts, System: Remove Hosts, System:
Manage Service Keytab, System: Modify Services, Add Host Enrollment Password
Granting privilege to roles: Smart Proxy Host Manager
ipa permission-show "System: Manage Host Certificates"
Permission name: System: Manage Host Certificates
Granted rights: write
Effective attributes: usercertificate
Default attributes: usercertificate
Bind rule type: permission
Subtree: cn=computers,cn=accounts,dc=realm,dc=name
Type: host
Permission flags: SYSTEM, V2, MANAGED
Granted to Privilege: Host Administrators, Host Enrollment, Smart Proxy Host Management
Indirect Member of roles: IT Specialist, Enrollment Administrator, Smart Proxy Host Manager
I would think that System: Manage Host Certificates -> write would also allow a revoke operation. Is this not true?
Expected outcome:
Host would be deleted and all realm entries would be removed.
Foreman and Proxy versions:
1.22
Foreman and Proxy plugin versions:
foreman-debug-1.22.2-1.el7.noarch
foreman-installer-1.22.2-1.el7.noarch
foreman-installer-katello-1.22.2-1.el7.noarch
foreman-proxy-1.22.2-1.el7.noarch
foreman-proxy-content-3.12.3-1.el7.noarch
foreman-release-1.22.2-1.el7.noarch
foreman-selinux-1.22.2-1.el7.noarch
Distribution and version:
CentOS 7.8
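
Added example (not part of the original post, and not Foreman or FreeIPA code): the proxy log names the CA operation "revoke certificate", while the permission shown above only grants write on the host entry's usercertificate attribute. The script below parses `ipa privilege-show` output, rejoins the wrapped Permissions field, and reports which required permissions the privilege lacks. The function names are hypothetical, and it is an assumption that FreeIPA's "Revoke Certificate" permission is the one governing that operation.

```shell
#!/bin/sh
# Added example. Constructed sample: the `ipa privilege-show` output quoted in
# the post, including its wrapped "Permissions:" field.
sample_privilege_output() {
cat <<'EOF'
Privilege name: Smart Proxy Host Management
Description: Smart Proxy Host Management
Permissions: Retrieve Certificates from the CA, System: Add DNS Entries, System: Read DNS Entries, System: Remove
DNS Entries, System: Update DNS Entries, System: Manage Host Certificates, System: Manage Host
Enrollment Password, System: Manage Host Keytab, System: Modify Hosts, System: Remove Hosts, System:
Manage Service Keytab, System: Modify Services, Add Host Enrollment Password
Granting privilege to roles: Smart Proxy Host Manager
EOF
}

# Read `ipa privilege-show` output on stdin and print one permission per line.
# The field is treated as running until "Granting privilege to roles:", the
# label that follows it in the output above, so names split by a line wrap
# ("System: Remove" / "DNS Entries") are rejoined before splitting on commas.
list_permissions() {
  awk '
    /^ *Granting privilege to roles:/ { in_field = 0 }
    /^ *Permissions:/ { sub(/^ *Permissions: */, ""); buf = $0; in_field = 1; next }
    in_field { sub(/^ */, ""); sub(/ *$/, ""); buf = buf " " $0 }
    END {
      n = split(buf, items, /, */)
      for (i = 1; i <= n; i++) {
        gsub(/^ +| +$/, "", items[i])
        if (items[i] != "") print items[i]
      }
    }'
}

# Print each permission given as an argument that the privilege on stdin lacks.
missing_permissions() {
  have=$(list_permissions)
  for want in "$@"; do
    printf '%s\n' "$have" | grep -Fxq -- "$want" || printf '%s\n' "$want"
  done
}

# "Revoke Certificate" is the assumed name of the permission behind the
# "revoke certificate" operation in the proxy log; "System: Remove Hosts"
# is taken from the output above.
sample_privilege_output | missing_permissions "Revoke Certificate" "System: Remove Hosts"
```

On a live system, pipe `ipa privilege-show 'Smart Proxy Host Management'` into `missing_permissions` instead of the sample. Under the same assumption, a reported gap would be closed with `ipa privilege-add-permission 'Smart Proxy Host Management' --permissions='Revoke Certificate'`.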