On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote: > On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote: > > Hello all, > > > > In a scope of ticket 2511 I would like to implement an ability to > > delegate a DNS update permissions to chosen user (or host) without > > having to give the user full "Update DNS Entries" privileges, i.e. allow > > him to modify any DNS zone or record. > > > > So far, this is what I would like to do (comments welcome): > > > > 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute > > in MAY list > > 2) Create new DNS commands: > > a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS] > > b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS] > > - these commands would add/remove chosen user/host DN to managedBy > > attribute in chosen DNS zone > > 3) Add new generic ACIs to cn=dns,$SUFFIX: > > aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl > > "Users and hosts can add DNS entries";allow (add) userattr = > > "parent[1].managedby#USERDN";) > > ... add similar ACIs for UPDATE, REMOVE access > > > > With these steps done, all that an administrator would need to do to > > delegate a management of a DNS zone "example.com" is to run this > > command: > > $ ipa dnszone-add-managedby example.com --users=fbar > > > > The only downside I found so far is that the user would already need to > > have "Read DNS Entries" permission assigned, otherwise he would not be > > able to actually read DNS entries (allow rules can't take precedence > > over deny rule we implemented to deny public access to DNS tree). > > > > An admin could of course create a special privilege and role with just > > "Read DNS Entries" permission and then assign it to relevant > > users/groups, but this looks awkward. Any idea to make this simpler? > > Maybe creating a group "dns readers" by default which would allow such > > access? > > Change the deny rule to deny to everyone except the user in > "parent[1].managedby#USERDN" ? > > Simo. >
Good idea, I will do that. I will just use "parent[0,1].managedby#USERDN" so that user can also read the zone record. This way, a selected user will have read/write access to the chosen zone only, which is exactly what we want to achieve. Martin _______________________________________________ Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
