There is no way to easily delegate disabling hosts right now, only full admins can do it.
I was able to achieve this using one new permission plus some existing ones using two privileges with this:
ipa permission-add 'Write Host Certificate' --permissions=write --attrs=usercertificate --type=host
ipa privilege-add 'Disable Host' --desc='Disable Hosts'
ipa privilege-add-permission 'Disable Host' --permissions='retrieve certificates from the ca' --permissions='revoke certificate' --permissions='manage host keytab' --permissions='write host certificate'
ipa privilege-add 'Disable Service' --desc='Disable Services'
ipa privilege-add-permission 'Disable Service' --permissions='modify services' --permissions='manage service keytab'
If we want a sample role do this:
ipa role-add 'Disable Hosts' --desc='Disable Hosts'
ipa role-add-privilege --privileges='Disable Service' --privileges='Disable Host' 'Disable Hosts'
This is needed for smoother Foreman smartproxy integration.
The host certificate permission part was already fixed in #4252. A user with the 'Host Administrators' privilege can already disable a host without a service.
The only missing permission is to allow Hosts Administrators to manage service keytab:
$ kinit fbar
$ ipa host-disable vm-111.idm.lab.bos.redhat.com
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPrincipalKey' attribute of entry 'krbprincipalname=test/vm-111.idm.lab.bos.redhat.com@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test'.
Fix:
$ kinit admin
$ ipa privilege-add-permission 'Host Administrators' --permissions 'System: manage service keytab'
Result:
$ kinit fbar
$ ipa host-disable vm-111.idm.lab.bos.redhat.com
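Added example, not from the ticket or the FreeIPA project: a POSIX sh check that a delegated privilege such as 'Host Administrators' carries every permission this thread shows host-disable touching, so an operator is neither blocked with the 'krbPrincipalKey' error above nor handed full admin rights. The 'System: ...' permission names and the 'Permissions:' line parsed out of ipa privilege-show are assumptions about the FreeIPA 4.0 CLI.

```shell
#!/bin/sh
# Verify that a FreeIPA privilege holds the permissions host-disable needs.
# Assumes the 'ipa' CLI is installed and a Kerberos ticket is in place.

# Permissions the ticket shows host-disable exercising: certificate
# revocation, the host keytab, and the service keytab whose absence
# produced the 'krbPrincipalKey' access error (names are assumptions).
REQUIRED_PERMISSIONS='System: Revoke Certificate
System: Manage Host Keytab
System: Manage Service Keytab'

# Print the permissions of privilege $1, one per line, lowercased.
# Assumes 'ipa privilege-show' prints a comma-separated "Permissions:" line.
privilege_permissions() {
    ipa privilege-show "$1" --all 2>/dev/null \
        | sed -n 's/^ *Permissions: *//p' \
        | tr ',' '\n' \
        | sed 's/^ *//; s/ *$//' \
        | tr '[:upper:]' '[:lower:]'
}

# Return 0 when privilege $1 holds every required permission; otherwise
# print each missing permission as "missing: <name>" and return 1.
check_host_disable_delegation() {
    have=$(privilege_permissions "$1")
    rc=0
    while IFS= read -r perm; do
        [ -n "$perm" ] || continue
        lc=$(printf '%s' "$perm" | tr '[:upper:]' '[:lower:]')
        if ! printf '%s\n' "$have" | grep -Fqx -- "$lc"; then
            echo "missing: $perm"
            rc=1
        fi
    done <<EOF
$REQUIRED_PERMISSIONS
EOF
    return $rc
}

# Usage on an IPA server: check_host_disable_delegation 'Host Administrators'
```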
attachment freeipa-mkosek-472-let-host-administrators-use-host-disable-command.patch
Patch freeipa-mkosek-472-let-host-administrators-use-host-disable-command.patch sent for review
Starting review
master:
Metadata Update from @rcritten: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 4.0 GA