52f69aa Per-domain DNS record permissions

Authored and Committed by mkosek 11 years ago
    Per-domain DNS record permissions
    
    IPA implements read/write permissions for DNS records or zones.
    The provided set of permissions and privileges can, however, only grant
    access to the whole DNS tree, which may not be appropriate.
    Administrators may miss more fine-grained permissions allowing
    them to delegate access per zone.
    
    Create a new IPA auxiliary objectclass ipaDNSZone allowing
    a managedBy attribute for a DNS zone. This attribute will hold
    a group DN (in this case a permission) which allows its members
    to read or write in a zone. Member permissions in a given zone
    will only have 2 limitations:
    1) Members cannot delete the zone
    2) Members cannot edit managedBy attribute
    
    The current DNS deny ACI used to enforce read access is removed so that
    DNS privileges are based on allow ACIs only, which is a much more
    flexible approach as deny ACIs always have precedence and limit
    other extensions. Per-zone access is allowed in 3 generic ACIs
    placed in cn=dns,$SUFFIX so that no special ACIs have to be added
    to DNS zones themselves.
    
    2 new commands have been added which allow an administrator to
    create the system permission allowing the per-zone access and
    fill a zone's managedBy attribute:
     * dnszone-add-permission: Add per-zone permission
     * dnszone-remove-permission: Remove per-zone permission
    
    https://fedorahosted.org/freeipa/ticket/2511
    
file modified
+24 -1
file modified
+1 -1
file modified
+1 -0
file modified
+4 -1
file modified
+10 -2
file modified
+79 -0
file modified
+42 -1