ACL: Allow hosts to remove services they manage

Allow hosts to delete services they own. This is an ACL that complements existing one that allows to create services on the same host. Add a test that creates a host and then attempts to create and delete a service using its own host keytab. Fixes: https://pagure.io/freeipa/issue/7486 Reviewed-By: Rob Crittenden <[email protected]>
sgoveas · Apr 19, 2018 · 2de1aa2 · 2de1aa2
1 parent 0f85933
commit 2de1aa2
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 1 deletion.
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
@@ -124,10 +124,11 @@ add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targe
 dn: $SUFFIX
 add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)
 
-# Hosts can add their own services
+# Hosts can add and delete their own services
 dn: cn=services,cn=accounts,$SUFFIX
 remove:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaKrbPrincipal)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaService)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
+add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaService)")(version 3.0;acl "Hosts can delete own services"; allow(delete) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 
 # CIFS service on the master can manage ID ranges
 dn: cn=ranges,cn=etc,$SUFFIX

diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -31,6 +31,7 @@
 
 from ipatests.test_xmlrpc.tracker.service_plugin import ServiceTracker
 from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker
+from ipatests.util import change_principal, host_keytab
 
 import base64
 from ipapython.dn import DN
@@ -1343,3 +1344,30 @@ def test_update_indicator(self, indicators_host, indicators_service):
             updates={u'krbprincipalauthind': u'radius'},
             expected_updates={u'krbprincipalauthind': [u'radius']}
         )
+
+
+@pytest.fixture(scope='function')
+def managing_host(request):
+    tracker = HostTracker(name=u'managinghost2', fqdn=fqdn2)
+    return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='function')
+def managed_service(request):
+    tracker = ServiceTracker(
+        name=u'managed-service', host_fqdn=fqdn2)
+    return tracker.make_fixture(request)
+
+
+@pytest.mark.tier1
+class TestManagedServices(XMLRPC_test):
+    def test_managed_service(
+            self, managing_host, managed_service):
+        """ Add a host and then add a service as a host
+            Finally, remove the service as a host """
+        managing_host.ensure_exists()
+        with host_keytab(managing_host.name) as keytab_filename:
+            with change_principal(managing_host.attrs['krbcanonicalname'][0],
+                                  keytab=keytab_filename):
+                managed_service.create()
+                managed_service.delete()