[Freeipa-devel] [PATCH] 277 Per-domain DNS record permissions
Martin Kosek
mkosek at redhat.com
Tue Jun 19 10:04:21 UTC 2012
On Tue, 2012-06-19 at 08:30 +0200, Martin Kosek wrote:
> On Mon, 2012-06-18 at 11:37 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote:
> > >> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote:
> > >>> Hello all,
> > >>>
> > >>> In a scope of ticket 2511 I would like to implement an ability to
> > >>> delegate a DNS update permissions to chosen user (or host) without
> > >>> having to give the user full "Update DNS Entries" privileges, i.e. allow
> > >>> him to modify any DNS zone or record.
> > >>>
> > >>> So far, this is what I would like to do (comments welcome):
> > >>>
> > >>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute
> > >>> in MAY list
> > >>> 2) Create new DNS commands:
> > >>> a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
> > >>> b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
> > >>> - these commands would add/remove chosen user/host DN to managedBy
> > >>> attribute in chosen DNS zone
> > >>> 3) Add new generic ACIs to cn=dns,$SUFFIX:
> > >>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
> > >>> "Users and hosts can add DNS entries";allow (add) userattr =
> > >>> "parent[1].managedby#USERDN";)
> > >>> ... add similar ACIs for UPDATE, REMOVE access
> > >>>
> > >>> With these steps done, all that an administrator would need to do to
> > >>> delegate a management of a DNS zone "example.com" is to run this
> > >>> command:
> > >>> $ ipa dnszone-add-managedby example.com --users=fbar
> > >>>
> > >>> The only downside I found so far is that the user would already need to
> > >>> have "Read DNS Entries" permission assigned, otherwise he would not be
> > >>> able to actually read DNS entries (allow rules can't take precedence
> > >>> over deny rule we implemented to deny public access to DNS tree).
> > >>>
> > >>> An admin could of course create a special privilege and role with just
> > >>> "Read DNS Entries" permission and then assign it to relevant
> > >>> users/groups, but this looks awkward. Any idea to make this simpler?
> > >>> Maybe creating a group "dns readers" by default which would allow such
> > >>> access?
> > >>
> > >> Change the deny rule to deny to everyone except the user in
> > >> "parent[1].managedby#USERDN" ?
> > >>
> > >> Simo.
> > >>
> > >
> > > Good idea, I will do that. I will just use
> > > "parent[0,1].managedby#USERDN" so that user can also read the zone
> > > record. This way, a selected user will have read/write access to the
> > > chosen zone only, which is exactly what we want to achieve.
> >
> > Yes, this sounds workable to me too.
> >
> > rob
> >
>
> Ok, thank you both. I finished the patch, it should work fine for both
> new installs and upgrades.
>
> After the upgrade, all you have to do to delegate read/write privileges
> to the zone is this command:
>
> # ipa dnszone-add-managedby example.com --users=fbar
>
> fbar then will be able to actually see the zone with dnszone-show +
> modify it. Delegated permissions have several limitations though:
> 1) Delegated user cannot delete the zone
> 2) Delegated user cannot add or remove another users to the managedBy
> list
>
> Martin
This is a ticket to add Web UI support for this functionality:
https://fedorahosted.org/freeipa/ticket/2851
Martin
More information about the Freeipa-devel
mailing list