[Freeipa-devel] [DRAFT] Per-domain DNS update permissions
Martin Kosek
mkosek at redhat.com
Mon Jun 18 06:29:29 UTC 2012
On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote:
> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote:
> > Hello all,
> >
> > In a scope of ticket 2511 I would like to implement an ability to
> > delegate a DNS update permissions to chosen user (or host) without
> > having to give the user full "Update DNS Entries" privileges, i.e. allow
> > him to modify any DNS zone or record.
> >
> > So far, this is what I would like to do (comments welcome):
> >
> > 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute
> > in MAY list
> > 2) Create new DNS commands:
> > a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
> > b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
> > - these commands would add/remove chosen user/host DN to managedBy
> > attribute in chosen DNS zone
> > 3) Add new generic ACIs to cn=dns,$SUFFIX:
> > aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
> > "Users and hosts can add DNS entries";allow (add) userattr =
> > "parent[1].managedby#USERDN";)
> > ... add similar ACIs for UPDATE, REMOVE access
> >
> > With these steps done, all that an administrator would need to do to
> > delegate a management of a DNS zone "example.com" is to run this
> > command:
> > $ ipa dnszone-add-managedby example.com --users=fbar
> >
> > The only downside I found so far is that the user would already need to
> > have "Read DNS Entries" permission assigned, otherwise he would not be
> > able to actually read DNS entries (allow rules can't take precedence
> > over deny rule we implemented to deny public access to DNS tree).
> >
> > An admin could of course create a special privilege and role with just
> > "Read DNS Entries" permission and then assign it to relevant
> > users/groups, but this looks awkward. Any idea to make this simpler?
> > Maybe creating a group "dns readers" by default which would allow such
> > access?
>
> Change the deny rule to deny to everyone except the user in
> "parent[1].managedby#USERDN" ?
>
> Simo.
>
Good idea, I will do that. I will just use
"parent[0,1].managedby#USERDN" so that user can also read the zone
record. This way, a selected user will have read/write access to the
chosen zone only, which is exactly what we want to achieve.
Martin
More information about the Freeipa-devel
mailing list