[Freeipa-devel] [PATCH] 277 Per-domain DNS record permissions

Martin Kosek mkosek at redhat.com
Tue Jun 19 06:30:09 UTC 2012


On Mon, 2012-06-18 at 11:37 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote:
> >> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote:
> >>> Hello all,
> >>>
> >>> In the scope of ticket 2511 I would like to implement an ability to
> >>> delegate DNS update permissions to a chosen user (or host) without
> >>> having to give the user full "Update DNS Entries" privileges, i.e. allow
> >>> him to modify any DNS zone or record.
> >>>
> >>> So far, this is what I would like to do (comments welcome):
> >>>
> >>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute
> >>> in MAY list
> >>> 2) Create new DNS commands:
> >>>    a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
> >>>    b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
> >>>    - these commands would add/remove chosen user/host DN to managedBy
> >>> attribute in chosen DNS zone
> >>> 3) Add new generic ACIs to cn=dns,$SUFFIX:
> >>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
> >>> "Users and hosts can add DNS entries";allow (add) userattr =
> >>> "parent[1].managedby#USERDN";)
> >>> ... add similar ACIs for UPDATE, REMOVE access
> >>>
> >>> With these steps done, all that an administrator would need to do to
> >>> delegate a management of a DNS zone "example.com" is to run this
> >>> command:
> >>> $ ipa dnszone-add-managedby example.com --users=fbar
> >>>
> >>> The only downside I found so far is that the user would already need to
> >>> have "Read DNS Entries" permission assigned, otherwise he would not be
> >>> able to actually read DNS entries (allow rules can't take precedence
> >>> over deny rule we implemented to deny public access to DNS tree).
> >>>
> >>> An admin could of course create a special privilege and role with just
> >>> "Read DNS Entries" permission and then assign it to relevant
> >>> users/groups, but this looks awkward. Any idea to make this simpler?
> >>> Maybe creating a group "dns readers" by default which would allow such
> >>> access?
> >>
> >> Change the deny rule to deny to everyone except the user in
> >> "parent[1].managedby#USERDN" ?
> >>
> >> Simo.
> >>
> >
> > Good idea, I will do that. I will just use
> > "parent[0,1].managedby#USERDN" so that the user can also read the zone
> > record. This way, a selected user will have read/write access to the
> > chosen zone only, which is exactly what we want to achieve.
> 
> Yes, this sounds workable to me too.
> 
> rob
> 

Ok, thank you both. I finished the patch, it should work fine for both
new installs and upgrades.

After the upgrade, all you have to do to delegate read/write privileges
to the zone is this command:

# ipa dnszone-add-managedby example.com --users=fbar

fbar will then be able to actually see the zone with dnszone-show and
modify it. Delegated permissions have several limitations though:
1) The delegated user cannot delete the zone
2) The delegated user cannot add or remove other users in the managedBy
list

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-277-per-domain-dns-record-permissions.patch
Type: text/x-patch
Size: 34112 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120619/f600859a/attachment.bin>
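Added example, not part of the thread and not code from the FreeIPA patch: a small in-memory model of the delegation scheme discussed above, showing how the 389-ds bind rule userattr = "parent[0,1].managedby#USERDN" resolves against the target entry's ancestors, and why parent[1] alone would cover records but not the zone entry itself. The DNs, the users, the "DNS readers" set and the exact shape of the deny/allow rules (including how the two listed limitations are enforced) are constructed assumptions for illustration only.

```python
# Constructed model of per-zone managedBy delegation (not FreeIPA code).
# Assumptions: a flat cn=dns tree with one level of records under each zone,
# no escaped commas in DNs, and simplified deny-wins ACI evaluation.

SUFFIX = "dc=example,dc=com"
DNS_BASE = f"cn=dns,{SUFFIX}"

ZONE = f"idnsname=example.com,{DNS_BASE}"
WWW = f"idnsname=www,{ZONE}"
NEW_RECORD = f"idnsname=mail,{ZONE}"          # not yet in the directory; target of an add
OTHER_ZONE = f"idnsname=other.test,{DNS_BASE}"

FBAR = f"uid=fbar,cn=users,cn=accounts,{SUFFIX}"     # delegated via managedBy
CAROL = f"uid=carol,cn=users,cn=accounts,{SUFFIX}"   # has "Read DNS Entries" only
ALICE = f"uid=alice,cn=users,cn=accounts,{SUFFIX}"   # no DNS rights at all

# Constructed directory content: DN -> attributes (attribute names lowercased).
DIRECTORY = {
    DNS_BASE: {"objectclass": ["nscontainer"]},
    ZONE: {"objectclass": ["idnszone", "idnsmanagedzone"], "managedby": [FBAR]},
    WWW: {"objectclass": ["idnsrecord"], "arecord": ["192.0.2.10"]},
    OTHER_ZONE: {"objectclass": ["idnszone", "idnsmanagedzone"]},
}

# Stand-in for holders of the "Read DNS Entries" permission (assumed set).
DNS_READERS = {CAROL}


def parent_dn(dn, level):
    """Ancestor of `dn` that is `level` RDNs up; level 0 is `dn` itself."""
    rdns = dn.split(",")
    if level >= len(rdns):
        return None
    return ",".join(rdns[level:])


def userattr_parent_match(target_dn, levels, attr, bind_dn):
    """Model of the bind rule userattr = "parent[<levels>].<attr>#USERDN".

    True when, for any listed level, the ancestor entry at that level exists
    and lists `bind_dn` in `attr`.  For an add, level 0 is the not-yet-existing
    new entry, so only level 1 (the zone) can match there.
    """
    for level in levels:
        entry = DIRECTORY.get(parent_dn(target_dn, level))
        if entry is not None and bind_dn in entry.get(attr, []):
            return True
    return False


def allowed(bind_dn, target_dn, op, attrs=()):
    """Simplified decision for one operation on one entry in the DNS tree.

    Follows the thread's design: the read deny on cn=dns carries an exception
    for delegated managers (Simo's suggestion) rather than competing with an
    allow, because a matching deny always wins in 389-ds.  The two limitations
    Martin lists are modelled as assumptions: delete is only delegated through
    parent[1] (records, never the zone entry), and the managedBy attribute is
    excluded from delegated add/write.
    """
    if target_dn != DNS_BASE and not target_dn.endswith("," + DNS_BASE):
        return False  # outside the DNS tree: not covered by this model
    manages = userattr_parent_match(target_dn, [0, 1], "managedby", bind_dn)
    if op == "read":
        return bind_dn in DNS_READERS or manages
    if op in ("add", "write"):
        if not manages:
            return False
        return "managedby" not in {a.lower() for a in attrs}
    if op == "delete":
        return userattr_parent_match(target_dn, [1], "managedby", bind_dn)
    raise ValueError(f"unknown operation: {op}")


if __name__ == "__main__":
    for who, name in ((FBAR, "fbar"), (CAROL, "carol"), (ALICE, "alice")):
        for target, label in ((ZONE, "zone"), (WWW, "www record")):
            rights = [op for op in ("read", "write", "delete")
                      if allowed(who, target, op, attrs=["aRecord"])]
            print(f"{name:6} {label:11} {rights}")
```

The key check is userattr_parent_match(ZONE, [1], ...) versus [0, 1]: with only parent[1] the zone's own managedBy is never consulted for operations on the zone entry, so fbar could edit records but dnszone-show on the zone would still be denied, which is the point of Martin's change to parent[0,1].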
