Re: [Pdns-users] Question about logging changes

2017-11-28 Thread Michael Ströder
Dirk Bartley wrote:
> You could log the who of who is logged into the database, but if the database
> connection is done from a front end, it would always be the users the front end
> connects to the database as.  But if you have a front end, just manage it by who
> is logged into the Front end.

Depends on the frontend. If it lets the front end impersonate the user's
personal account on the DB connection, you get the real who.

It would be nice if the PowerDNS API had a config option like
"connect-as-user" to avoid using a hard-coded API password/key. In this
case you could also let the database backend enforce access control even
for API requests.

Ciao, Michael.



___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Question about logging changes

2017-11-28 Thread Dirk Bartley
On Tue, 2017-11-28 at 17:10 +0100, Michael Ströder wrote:

> How do you plan to maintain the data?
> 
> E.g. if you're using an LDAP server as backend *and* you're going to
> maintain the data via LDAP, it boils down more to how to audit write
> operations on the LDAP server. And this depends on the features of the
> LDAP server you're planning to use. Personally I love the accesslog overlay
> (originally implemented for delta-replication) in OpenLDAP because it
> automatically gives you a perfect audit trail in a separate database.
> 
> Ciao, Michael.
> 

Thank you for the quick reply.  A very good thought.  It looks like decisions
depend on how we choose to maintain the data.

Dirk



Re: [Pdns-users] Question about logging changes

2017-11-28 Thread Dirk Bartley
Thank you for the quick reply!

On Tue, 2017-11-28 at 16:10 +, Brian Candler wrote:
> On 28/11/2017 16:02, Dirk Bartley wrote:
> > 
> > One of the features being
> > requested is the ability to log the who, what and when of all changes
> > to the data that dns is serving.
> 
> My first inclination would be to use a SQL backend, and put triggers on 
> the tables to record all insert/update/delete operations.  That probably 
> won't capture the "who" though.

You could log the who of who is logged into the database, but if the database
connection is done from a front end, it would always be the users the front end
connects to the database as.  But if you have a front end, just manage it by who
is logged into the Front end.

I was wondering what already exists before advocating that we write one.
Looks like I should be looking at the documentation of the API.


Thank you very kindly.

Dirk



Re: [Pdns-users] Question about logging changes

2017-11-28 Thread Brian Candler

On 28/11/2017 16:02, Dirk Bartley wrote:

> One of the features being
> requested is the ability to log the who, what and when of all changes
> to the data that dns is serving.

My first inclination would be to use a SQL backend, and put triggers on 
the tables to record all insert/update/delete operations.  That probably 
won't capture the "who" though.

That depends on how people are making the changes - e.g. through a web 
interface which talks to the API? Through a web interface which talks 
directly to the database, like poweradmin?  Maybe the logging is best 
done at that layer, since only that layer knows who has authenticated to it.



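Brian's trigger idea and Dirk's point about the front end, worked through as an added example (not code from anyone on the thread, and not PowerDNS's own schema). It assumes a simplified stand-in `records` table; the audit triggers record the what and when on their own, and the "who" is supplied by the front end writing the logged-in user into a one-row `audit_context` table inside the same write transaction, so a change made directly on the database is still logged but only under the connection identity:

```python
"""Trigger-based audit trail for a DNS records table (added example, SQLite)."""
import sqlite3

# Simplified stand-in for a PowerDNS-style records table: this is NOT the real
# PowerDNS gsql schema, just enough columns to show the idea.
SCHEMA = """
CREATE TABLE records (
    id      INTEGER PRIMARY KEY,
    name    TEXT    NOT NULL,
    type    TEXT    NOT NULL,
    content TEXT    NOT NULL,
    ttl     INTEGER NOT NULL
);

-- The "who".  A trigger only sees what the database knows, so the front end
-- writes the logged-in user here inside the same write transaction as the
-- change (SQLite serialises writers, so nobody else can alter it meanwhile;
-- on PostgreSQL you would use SET LOCAL and current_setting() instead).
CREATE TABLE audit_context (
    id    INTEGER PRIMARY KEY CHECK (id = 1),
    actor TEXT NOT NULL
);
INSERT INTO audit_context (id, actor) VALUES (1, 'db-connection-user');

-- who / what / when, plus the resource record before and after the change
CREATE TABLE records_audit (
    audit_id   INTEGER PRIMARY KEY,
    changed_at TEXT    NOT NULL,
    actor      TEXT    NOT NULL,
    operation  TEXT    NOT NULL,
    record_id  INTEGER NOT NULL,
    old_rr     TEXT,
    new_rr     TEXT
);

CREATE TRIGGER records_audit_ins AFTER INSERT ON records BEGIN
    INSERT INTO records_audit (changed_at, actor, operation, record_id, old_rr, new_rr)
    VALUES (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'),
            (SELECT actor FROM audit_context WHERE id = 1), 'INSERT', NEW.id, NULL,
            NEW.name || ' ' || NEW.ttl || ' IN ' || NEW.type || ' ' || NEW.content);
END;

CREATE TRIGGER records_audit_upd AFTER UPDATE ON records BEGIN
    INSERT INTO records_audit (changed_at, actor, operation, record_id, old_rr, new_rr)
    VALUES (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'),
            (SELECT actor FROM audit_context WHERE id = 1), 'UPDATE', NEW.id,
            OLD.name || ' ' || OLD.ttl || ' IN ' || OLD.type || ' ' || OLD.content,
            NEW.name || ' ' || NEW.ttl || ' IN ' || NEW.type || ' ' || NEW.content);
END;

CREATE TRIGGER records_audit_del AFTER DELETE ON records BEGIN
    INSERT INTO records_audit (changed_at, actor, operation, record_id, old_rr, new_rr)
    VALUES (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'),
            (SELECT actor FROM audit_context WHERE id = 1), 'DELETE', OLD.id,
            OLD.name || ' ' || OLD.ttl || ' IN ' || OLD.type || ' ' || OLD.content, NULL);
END;
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def apply_change(conn, actor, sql, params=()):
    """What a front end does: stamp the logged-in user, make the change, then
    drop back to the connection identity, all in one transaction."""
    with conn:  # commit on success, roll back on any exception
        conn.execute("UPDATE audit_context SET actor = ? WHERE id = 1", (actor,))
        conn.execute(sql, params)
        conn.execute("UPDATE audit_context SET actor = 'db-connection-user' WHERE id = 1")


def audit_trail(conn):
    """Return (who, operation, record id, before, after) rows in order."""
    return list(conn.execute(
        "SELECT actor, operation, record_id, old_rr, new_rr "
        "FROM records_audit ORDER BY audit_id"))


def demo():
    conn = open_db()
    apply_change(conn, "alice",
                 "INSERT INTO records (name, type, content, ttl) VALUES (?, ?, ?, ?)",
                 ("www.example.org", "A", "192.0.2.10", 300))
    apply_change(conn, "bob",
                 "UPDATE records SET content = ? WHERE name = ?",
                 ("192.0.2.11", "www.example.org"))
    # A change made straight on the database, bypassing the front end: the
    # trigger still records what and when, but the "who" is only the
    # connection identity, which is exactly the gap described in the thread.
    with conn:
        conn.execute("DELETE FROM records WHERE name = ?", ("www.example.org",))
    return audit_trail(conn)
```

Running `demo()` yields three audit rows: the insert attributed to alice, the update to bob, and the direct delete to `db-connection-user`. The same shape (before/after columns, actor from transaction context) carries over to PostgreSQL or MySQL triggers; only the mechanism for passing the actor differs.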

Re: [Pdns-users] Question about logging changes

2017-11-28 Thread Michael Ströder
Dirk Bartley wrote:
> I have been asked to look at some options for assisting my employer to
> alter the way our internal dns is served.  One of the features being
> requested is the ability to log the who, what and when of all changes
> to the data that dns is serving.  Of course when I search for change
> logging, I get the change logs of the code.  Would there be a better
> phrase than "change log" to search for?  Is this the kind of feature
> that already exists, or is this the kind of feature that would be
> better accomplished by writing a front end that we would force everyone
> here to use that does the update?  We are considering using LDAP as a
> backend for the dns service.

How do you plan to maintain the data?

E.g. if you're using an LDAP server as backend *and* you're going to
maintain the data via LDAP, it boils down more to how to audit write
operations on the LDAP server. And this depends on the features of the
LDAP server you're planning to use. Personally I love the accesslog overlay
(originally implemented for delta-replication) in OpenLDAP because it
automatically gives you a perfect audit trail in a separate database.

Ciao, Michael.




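Michael's point about the OpenLDAP accesslog overlay, as an added example (not from the thread or the OpenLDAP project): the overlay writes one entry per operation into its own database, and the who/what/when are already separate attributes there. The sample entry below is constructed for this example; the attribute names (reqStart, reqType, reqAuthzID, reqDN, reqResult, reqMod) are the overlay's, the DNs and values are made up. The reader handles only plain LDIF values (no base64 `::` values):

```python
"""Turn an OpenLDAP accesslog entry into a who/what/when record (added example)."""
from datetime import datetime, timezone

# Constructed sample of one slapo-accesslog entry, exported as LDIF.
SAMPLE_LDIF = """\
dn: reqStart=20171128160200.000001Z,cn=accesslog
objectClass: auditModify
reqStart: 20171128160200.000001Z
reqEnd: 20171128160200.000453Z
reqType: modify
reqSession: 42
reqAuthzID: uid=dirk,ou=people,dc=example,dc=org
reqDN: dc=www,dc=example,dc=org,ou=dns,dc=example,dc=org
reqResult: 0
reqMod: aRecord:- 192.0.2.10
reqMod: aRecord:+ 192.0.2.11
reqMod: entryCSN:= 20171128160200.000001Z#000000#000#000000
reqMod: modifiersName:= uid=dirk,ou=people,dc=example,dc=org
"""

# reqMod value syntax: "<attribute>:<op> <value>", op being + (add),
# - (delete), = (replace) or # (increment).
_MOD_OPS = {"+": "add", "-": "delete", "=": "replace", "#": "increment"}


def _ldif_attrs(text):
    """Minimal LDIF reader: unfold continuation lines, return {attr: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line continues the previous one
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def parse_req_mod(value):
    """'aRecord:+ 192.0.2.11' -> ('aRecord', 'add', '192.0.2.11')."""
    attr, _, rest = value.partition(":")
    op, _, val = rest.partition(" ")
    if op not in _MOD_OPS:
        raise ValueError(f"unexpected reqMod op {op!r} in {value!r}")
    return attr, _MOD_OPS[op], val


def parse_accesslog_entry(ldif_text):
    """Return who, what and when for one accesslog entry."""
    a = _ldif_attrs(ldif_text)
    # reqStart is GeneralizedTime with microseconds, always UTC.
    when = datetime.strptime(a["reqStart"][0], "%Y%m%d%H%M%S.%fZ")
    return {
        "when": when.replace(tzinfo=timezone.utc),
        "who": a.get("reqAuthzID", ["<anonymous>"])[0],   # bind identity
        "op": a["reqType"][0],
        "target": a["reqDN"][0],
        "success": a.get("reqResult", ["0"])[0] == "0",   # LDAP result code 0
        "changes": [parse_req_mod(m) for m in a.get("reqMod", [])],
    }
```

Because the accesslog database is a normal LDAP database, the same record can be obtained by searching `cn=accesslog` with a filter such as `(reqType=modify)` and reading the same attributes; the parser above only shows what is in each entry.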

[Pdns-users] Question about logging changes

2017-11-28 Thread Dirk Bartley
Greetings

I have been asked to look at some options for assisting my employer to
alter the way our internal dns is served.  One of the features being
requested is the ability to log the who, what and when of all changes
to the data that dns is serving.  Of course when I search for change
logging, I get the change logs of the code.  Would there be a better
phrase than "change log" to search for?  Is this the kind of feature
that already exists, or is this the kind of feature that would be
better accomplished by writing a front end that we would force everyone
here to use that does the update?  We are considering using LDAP as a
backend for the dns service.

All assistance is appreciated.  Thank you very kindly in advance.

Dirk Bartley
