[Freeipa-devel] [DRAFT] Per-domain DNS update permissions

Rob Crittenden rcritten at redhat.com
Mon Jun 18 15:37:19 UTC 2012


Martin Kosek wrote:
> On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote:
>> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote:
>>> Hello all,
>>>
>>> In the scope of ticket 2511 I would like to implement an ability to
>>> delegate DNS update permissions to a chosen user (or host) without
>>> having to give the user full "Update DNS Entries" privileges, i.e. allow
>>> him to modify any DNS zone or record.
>>>
>>> So far, this is what I would like to do (comments welcome):
>>>
>>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute
>>> in MAY list
>>> 2) Create new DNS commands:
>>>    a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
>>>    b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
>>>    - these commands would add/remove chosen user/host DN to managedBy
>>> attribute in chosen DNS zone
>>> 3) Add new generic ACIs to cn=dns,$SUFFIX:
>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
>>> "Users and hosts can add DNS entries";allow (add) userattr =
>>> "parent[1].managedby#USERDN";)
>>> ... add similar ACIs for UPDATE, REMOVE access
>>>
>>> With these steps done, all that an administrator would need to do to
>>> delegate management of a DNS zone "example.com" is to run this
>>> command:
>>> $ ipa dnszone-add-managedby example.com --users=fbar
>>>
>>> The only downside I found so far is that the user would already need to
>>> have the "Read DNS Entries" permission assigned, otherwise he would not be
>>> able to actually read DNS entries (allow rules can't take precedence
>>> over the deny rule we implemented to deny public access to the DNS tree).
>>>
>>> An admin could of course create a special privilege and role with just
>>> "Read DNS Entries" permission and then assign it to relevant
>>> users/groups, but this looks awkward. Any idea to make this simpler?
>>> Maybe creating a group "dns readers" by default which would allow such
>>> access?
>>
>> Change the deny rule to deny to everyone except the user in
>> "parent[1].managedby#USERDN" ?
>>
>> Simo.
>>
>
> Good idea, I will do that. I will just use
> "parent[0,1].managedby#USERDN" so that the user can also read the zone
> record. This way, a selected user will have read/write access to the
> chosen zone only, which is exactly what we want to achieve.

Yes, this sounds workable to me too.

rob
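The following is an added illustration, not FreeIPA or 389-ds code from this thread: a small Python model of how the proposed design behaves once the deny rule is amended as Simo suggested and Martin's managedBy ACIs are in place. It models only what the discussion relies on: the `idnsname=*,cn=dns,$SUFFIX` target, the `userattr = parent[N].managedBy#USERDN` bind rule with its inheritance levels (parent[0] is the entry itself, parent[1] its parent), and the fact that a matching deny always beats an allow. The directory entries, user DNs, and the `dnszone_add_managedby` helper are constructed for the example; the privilege-based "Read DNS Entries" path for DNS administrators is deliberately left out.

```python
"""Toy evaluator for the per-zone managedBy ACI design discussed above.

Added example; not FreeIPA or 389-ds code. Entries and DNs are constructed.
"""

SUFFIX = "dc=example,dc=com"
FBAR = f"uid=fbar,cn=users,cn=accounts,{SUFFIX}"    # delegated zone manager
ALICE = f"uid=alice,cn=users,cn=accounts,{SUFFIX}"  # ordinary user, no delegation
ZONE_DN = f"idnsname=example.com,cn=dns,{SUFFIX}"
WWW_DN = f"idnsname=www,{ZONE_DN}"

# Constructed sample directory: DN -> attributes (attribute names lowercased).
DIRECTORY = {
    f"cn=dns,{SUFFIX}": {"objectclass": ["top", "idnsConfigObject"]},
    ZONE_DN: {
        "objectclass": ["top", "idnsZone", "idnsManagedZone"],
        "managedby": [FBAR],  # result of: ipa dnszone-add-managedby example.com --users=fbar
    },
    WWW_DN: {"objectclass": ["top", "idnsRecord"], "arecord": ["192.0.2.10"]},
    f"idnsname=other.test,cn=dns,{SUFFIX}": {
        "objectclass": ["top", "idnsZone", "idnsManagedZone"],
        "managedby": [],
    },
}


def ancestor(dn, level):
    """parent[0] is the entry itself, parent[1] its parent, and so on.
    Sample DNs contain no escaped commas, so a plain split suffices here."""
    rdns = dn.split(",")
    return ",".join(rdns[level:]) if level < len(rdns) else None


def userattr_matches(target_dn, bind_dn, attr, levels):
    """Model of the bind rule ``userattr = parent[levels].<attr>#USERDN``:
    true if any listed ancestor of the target names the bound DN in <attr>."""
    for level in levels:
        entry = DIRECTORY.get(ancestor(target_dn, level))
        if entry and bind_dn in entry.get(attr, []):
            return True
    return False


def in_dns_tree(target_dn):
    """Model of the ACI target ``ldap:///idnsname=*,cn=dns,$SUFFIX``."""
    return target_dn.startswith("idnsname=") and target_dn.endswith(f",cn=dns,{SUFFIX}")


# Simo's amended deny rule exempts managers of the entry or its parent
# (parent[0,1], so the zone entry itself stays readable); Martin's allow
# rules grant add/update/remove on entries whose parent lists the bound
# user in managedBy (parent[1]).
ACIS = [
    {"name": "Deny public access to DNS tree", "effect": "deny",
     "rights": {"read", "search"},
     "bind": lambda t, b: not userattr_matches(t, b, "managedby", (0, 1))},
    {"name": "Managers can read their zone and its records", "effect": "allow",
     "rights": {"read", "search"},
     "bind": lambda t, b: userattr_matches(t, b, "managedby", (0, 1))},
    {"name": "Users and hosts can add/update/remove DNS entries", "effect": "allow",
     "rights": {"add", "write", "delete"},
     "bind": lambda t, b: userattr_matches(t, b, "managedby", (1,))},
]


def decide(target_dn, bind_dn, right):
    """True if bind_dn may exercise `right` on target_dn.
    As in 389-ds, any matching deny rule wins over every allow rule."""
    if not in_dns_tree(target_dn):
        return False
    applicable = [a for a in ACIS
                  if right in a["rights"] and a["bind"](target_dn, bind_dn)]
    if any(a["effect"] == "deny" for a in applicable):
        return False
    return any(a["effect"] == "allow" for a in applicable)


def dnszone_add_managedby(zone, user_dn):
    """Constructed model of the proposed ``ipa dnszone-add-managedby ZONE
    --users=...``: record the user's DN in the zone's managedBy attribute."""
    entry = DIRECTORY[f"idnsname={zone},cn=dns,{SUFFIX}"]
    if "idnsManagedZone" not in entry["objectclass"]:
        entry["objectclass"].append("idnsManagedZone")
    entry.setdefault("managedby", []).append(user_dn)
    return entry["managedby"]


if __name__ == "__main__":
    for who, dn, right in [(FBAR, WWW_DN, "read"), (FBAR, ZONE_DN, "read"),
                           (FBAR, ZONE_DN, "write"),
                           (FBAR, f"idnsname=new.test,cn=dns,{SUFFIX}", "add"),
                           (ALICE, WWW_DN, "read")]:
        print(f"{who.split(',')[0]:<10} {right:<6} {dn}: {decide(dn, who, right)}")
```

Under these rules fbar can read and edit records under example.com and read the zone entry itself, but cannot modify the zone entry (its parent is cn=dns, which carries no managedBy) and cannot create new zones, while a user without delegation still hits the deny rule; adding alice through `dnszone_add_managedby` is enough to open the zone to her.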