[Freeipa-devel] [PATCH] 277 Per-domain DNS record permissions

Petr Viktorin pviktori at redhat.com
Tue Jun 19 13:16:03 UTC 2012


On 06/19/2012 08:30 AM, Martin Kosek wrote:
> On Mon, 2012-06-18 at 11:37 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote:
>>>> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote:
>>>>> Hello all,
>>>>>
>>>>> In the scope of ticket 2511 I would like to implement an ability to
>>>>> delegate DNS update permissions to a chosen user (or host) without
>>>>> having to give the user full "Update DNS Entries" privileges, i.e. allow
>>>>> him to modify any DNS zone or record.
>>>>>
>>>>> So far, this is what I would like to do (comments welcome):
>>>>>
>>>>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute
>>>>> in MAY list
>>>>> 2) Create new DNS commands:
>>>>>     a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
>>>>>     b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
>>>>>     - these commands would add/remove the chosen user/host DN to/from the
>>>>> managedBy attribute in the chosen DNS zone
>>>>> 3) Add new generic ACIs to cn=dns,$SUFFIX:
>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
>>>>> "Users and hosts can add DNS entries";allow (add) userattr =
>>>>> "parent[1].managedby#USERDN";)
>>>>> ... add similar ACIs for UPDATE, REMOVE access
>>>>>
>>>>> With these steps done, all that an administrator would need to do to
>>>>> delegate a management of a DNS zone "example.com" is to run this
>>>>> command:
>>>>> $ ipa dnszone-add-managedby example.com --users=fbar
>>>>>
>>>>> The only downside I found so far is that the user would already need to
>>>>> have "Read DNS Entries" permission assigned, otherwise he would not be
>>>>> able to actually read DNS entries (allow rules can't take precedence
>>>>> over the deny rule we implemented to deny public access to the DNS tree).
>>>>>
>>>>> An admin could of course create a special privilege and role with just
>>>>> "Read DNS Entries" permission and then assign it to relevant
>>>>> users/groups, but this looks awkward. Any idea to make this simpler?
>>>>> Maybe creating a group "dns readers" by default which would allow such
>>>>> access?
>>>>
>>>> Change the deny rule to deny to everyone except the user in
>>>> "parent[1].managedby#USERDN" ?
>>>>
>>>> Simo.
>>>>
>>>
>>> Good idea, I will do that. I will just use
>>> "parent[0,1].managedby#USERDN" so that user can also read the zone
>>> record. This way, a selected user will have read/write access to the
>>> chosen zone only, which is exactly what we want to achieve.
>>
>> Yes, this sounds workable to me too.
>>
>> rob
>>
>
> Ok, thank you both. I finished the patch, it should work fine for both
> new installs and upgrades.
>
> After the upgrade, all you have to do to delegate read/write privileges
> to the zone is this command:
>
> # ipa dnszone-add-managedby example.com --users=fbar
>
> fbar then will be able to actually see the zone with dnszone-show +
> modify it. Delegated permissions have several limitations though:
> 1) Delegated user cannot delete the zone
> 2) Delegated user cannot add or remove other users to/from the managedBy
> list
>
> Martin
>

Would it be possible to delegate the rights to groups, not only to 
individual users?



-- 
Petr³
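As an added illustration of the delegation rule discussed in this thread (not code from the patch, FreeIPA or 389-ds), the Python below models how `userattr = parent[0,1].managedby#USERDN` scopes a bound user's access to one zone and its records. The in-memory directory tree, the user DN and the simplified DN handling are constructed assumptions.

```python
# Model of the per-zone DNS delegation ACI from the thread:
#   allow ... userattr = "parent[0,1].managedby#USERDN"
# This is an added example, not 389-ds ACI evaluation code.

SUFFIX = "dc=example,dc=com"          # assumed suffix
FBAR = f"uid=fbar,cn=users,cn=accounts,{SUFFIX}"   # assumed delegated user

# Constructed sample tree: only the zone example.com is managed by fbar.
DIRECTORY = {
    f"cn=dns,{SUFFIX}": {},
    f"idnsname=example.com,cn=dns,{SUFFIX}": {"managedby": [FBAR]},
    f"idnsname=www,idnsname=example.com,cn=dns,{SUFFIX}": {},
    f"idnsname=other.test,cn=dns,{SUFFIX}": {},
}

def in_target(dn):
    """Simplified match for target 'ldap:///idnsname=*,cn=dns,$SUFFIX'."""
    return dn.startswith("idnsname=") and dn.endswith(f",cn=dns,{SUFFIX}")

def parent(dn, level):
    """Ancestor `level` RDNs above dn; level 0 is the entry itself.
    Assumption: no escaped commas in these DNs, so a plain split is safe."""
    rdns = dn.split(",")
    return ",".join(rdns[level:]) if level < len(rdns) else None

def userattr_match(target_dn, bind_dn, levels, attr="managedby"):
    """parent[levels].<attr>#USERDN: true if the bind DN is listed in <attr>
    on any of the named ancestors (the entry may not exist yet for an add)."""
    if not in_target(target_dn):
        return False
    for level in levels:
        entry = DIRECTORY.get(parent(target_dn, level))
        if entry and bind_dn in entry.get(attr, []):
            return True
    return False

def can_read(target_dn, bind_dn):
    # parent[0,1]: the zone entry itself, or a record whose parent is the zone
    return userattr_match(target_dn, bind_dn, (0, 1))

def can_add_record(target_dn, bind_dn):
    # the add ACI in the thread uses parent[1]: the new entry's parent zone
    return userattr_match(target_dn, bind_dn, (1,))
```

With `parent[1]` alone, a delegated user cannot create a new zone under cn=dns, because that entry's parent carries no managedBy attribute.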



