On Tue, 2012-06-19 at 08:30 +0200, Martin Kosek wrote:
> On Mon, 2012-06-18 at 11:37 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote:
> > >> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote:
> > >>> Hello all,
> > >>>
> > >>> In the scope of ticket 2511 I would like to implement an ability to
> > >>> delegate DNS update permissions to a chosen user (or host) without
> > >>> having to give the user full "Update DNS Entries" privileges, i.e. allow
> > >>> him to modify any DNS zone or record.
> > >>>
> > >>> So far, this is what I would like to do (comments welcome):
> > >>>
> > >>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute
> > >>> in MAY list
> > >>> 2) Create new DNS commands:
> > >>> a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
> > >>> b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
> > >>> - these commands would add/remove the chosen user/host DN to the managedBy
> > >>> attribute in the chosen DNS zone
> > >>> 3) Add new generic ACIs to cn=dns,$SUFFIX:
> > >>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
> > >>> "Users and hosts can add DNS entries";allow (add) userattr =
> > >>> "parent[1].managedby#USERDN";)
> > >>> ... add similar ACIs for UPDATE, REMOVE access
> > >>>
> > >>> With these steps done, all that an administrator would need to do to
> > >>> delegate management of a DNS zone "example.com" is to run this
> > >>> command:
> > >>> $ ipa dnszone-add-managedby example.com --users=fbar
> > >>>
> > >>> The only downside I found so far is that the user would already need to
> > >>> have the "Read DNS Entries" permission assigned, otherwise he would not be
> > >>> able to actually read DNS entries (allow rules can't take precedence
> > >>> over the deny rule we implemented to deny public access to the DNS tree).
> > >>>
> > >>> An admin could of course create a special privilege and role with just
> > >>> the "Read DNS Entries" permission and then assign it to relevant
> > >>> users/groups, but this looks awkward. Any idea to make this simpler?
> > >>> Maybe creating a group "dns readers" by default which would allow such
> > >>> access?
> > >>
> > >> Change the deny rule to deny to everyone except the user in
> > >> "parent[1].managedby#USERDN" ?
> > >>
> > >> Simo.
> > >>
> > >
> > > Good idea, I will do that. I will just use
> > > "parent[0,1].managedby#USERDN" so that the user can also read the zone
> > > record. This way, a selected user will have read/write access to the
> > > chosen zone only, which is exactly what we want to achieve.
> >
> > Yes, this sounds workable to me too.
> >
> > rob
> >
>
> Ok, thank you both. I finished the patch, it should work fine for both
> new installs and upgrades.
>
> After the upgrade, all you have to do to delegate read/write privileges
> to the zone is this command:
>
> # ipa dnszone-add-managedby example.com --users=fbar
>
> fbar then will be able to actually see the zone with dnszone-show +
> modify it. Delegated permissions have several limitations though:
> 1) Delegated user cannot delete the zone
> 2) Delegated user cannot add or remove other users to/from the managedBy
> list
>
> Martin

This is a ticket to add Web UI support for this functionality:
https://fedorahosted.org/freeipa/ticket/2851

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
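As an added illustration of the design agreed in the thread above (constructed here, not FreeIPA's own dns.ldif or Martin's patch), this LDIF fragment spells out the full set of ACIs on cn=dns,$SUFFIX that the proposal implies, including the deny rule rewritten per Simo's suggestion. It assumes the existing read permission lives at cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX and that 389-ds accepts a negated userattr bind rule (userattr !=); both are assumptions, not taken from the thread.

```ldif
# Constructed example (not the project's own LDIF): ACIs for the
# managedBy-based zone delegation. $SUFFIX is the IPA base DN and the
# "Read DNS Entries" permission DN below is assumed.
dn: cn=dns,$SUFFIX
#
# Records (children of a zone) can be added and removed only by a user or
# host whose DN is listed in managedBy on the enclosing zone (parent[1]).
# The zone entry's own parent is cn=dns, which carries no managedBy, so a
# delegate cannot delete the zone itself (limitation 1 in the thread).
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Users and hosts can add DNS entries";allow (add) userattr = "parent[1].managedby#USERDN";)
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Users and hosts can remove DNS entries";allow (delete) userattr = "parent[1].managedby#USERDN";)
#
# Updates are allowed on the zone entry (parent[0]) as well as its records
# (parent[1]). managedBy is excluded from the writable attributes so a
# delegate cannot widen or hand over the delegation (limitation 2).
aci: (targetattr != "managedBy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Users and hosts can update DNS entries";allow (write) userattr = "parent[0,1].managedby#USERDN";)
#
# In 389-ds a matching deny rule overrides any allow, so the blanket deny
# that hides the DNS tree from anonymous and unprivileged binds must itself
# exempt delegates. parent[0,1] lets the delegate read the zone entry and
# the records beneath it. The negated userattr form is assumed syntax.
aci: (targetattr = "*")(version 3.0;acl "No access to DNS tree without permission";deny (read,search,compare) groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" and userattr != "parent[0,1].managedby#USERDN";)
```

After loading, confirm the effective scope by binding as the delegated user and searching under cn=dns: only the delegated zone and its records should be returned, and a modify of managedBy or a delete of the zone entry should be refused.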