#2510 Add or update DNS ACIs with new attributes
Closed: Fixed. Opened 12 years ago by mkosek.

Ticket #2215 added new attributes (idnsAllowQuery, idnsAllowTransfer, idnsAllowSyncPTR, idnsForwardPolicy, idnsZoneRefresh, idnsPersistentSearch), adding new features to the bind-dyndb-ldap plugin.

We need to update DNS ACIs so that non-admin users with appropriate permissions can change these settings.

I would propose updating the permission "update dns entries" with the new attributes and creating a new permission for global DNS configuration updates.


How to test:

Before the update, a user with the DNS Administrators privilege won't be able to update the new attributes such as DNS zone forwarders or forward policy (the list is in the ticket description):

# ipa user-add --first=Foo --last=Bar fbar
# ipa passwd fbar
# ipa role-add dnsrole --desc=foo
# ipa role-add-privilege dnsrole --privileges="DNS Administrators"
# ipa role-add-member dnsrole --users=fbar
# kinit fbar

# ipa dnszone-add example.com --name-server=`hostname`
Administrator e-mail address [hostmaster.example.com.]: 
  Zone name: example.com
  Authoritative nameserver: vm-068.idm.lab.bos.redhat.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 2012140301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

[root@vm-068 ~]# ipa dnszone-mod example.com --dynamic-update=TRUE
  Zone name: example.com
  Authoritative nameserver: vm-068.idm.lab.bos.redhat.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 2012140301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;

# ipa dnszone-mod example.com --forwarder=10.0.0.1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'idnsForwarders' attribute of entry 'idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'.

# ipa dnszone-mod example.com --forward-policy=only
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'idnsForwardPolicy' attribute of entry 'idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'.

# ipa dnsconfig-mod --forwarder=10.0.0.1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'idnsForwarders' attribute of entry 'cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'.
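A way to verify the proposal above against the transcript's failures, checking which of the #2215 attributes a permission's ACI does not grant write access to. This is an added example, not code from the ticket or from FreeIPA: the ACI string, its attribute list and its permission DN are constructed in the 389-ds ACI syntax FreeIPA permissions use, and idnsForwarders is taken from the error messages rather than the ticket's attribute list.

```python
import re

# Attributes introduced by ticket #2215 that the DNS permissions must cover
# (idnsForwarders is taken from the error messages in the test transcript).
NEW_DNS_ATTRS = [
    "idnsAllowQuery", "idnsAllowTransfer", "idnsAllowSyncPTR",
    "idnsForwarders", "idnsForwardPolicy", "idnsZoneRefresh",
    "idnsPersistentSearch",
]

# Constructed sample: a 389-ds style ACI in the shape FreeIPA uses for its
# permission entries, listing only pre-#2215 zone attributes. The attribute
# list and the permission DN are made up for this example.
SAMPLE_ACI = (
    '(targetattr = "idnsname || idnssoamname || idnssoarname || '
    'idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || '
    'idnssoaminimum || idnszoneactive || idnsallowdynupdate || '
    'idnsupdatepolicy")'
    '(version 3.0;acl "permission:update dns entries";'
    'allow (write) groupdn = "ldap:///cn=update dns entries,'
    'cn=permissions,cn=pbac,dc=example,dc=com";)'
)

_TARGETATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', re.I)
_RIGHTS_RE = re.compile(r'allow\s*\(([^)]*)\)', re.I)

def parse_aci(aci):
    """Return (negated, lowercase target attribute set, rights set)."""
    m = _TARGETATTR_RE.search(aci)
    if m is None:
        raise ValueError("ACI has no targetattr clause")
    negated = m.group(1) == "!="
    attrs = {a.strip().lower() for a in m.group(2).split("||") if a.strip()}
    r = _RIGHTS_RE.search(aci)
    rights = {x.strip().lower() for x in r.group(1).split(",")} if r else set()
    return negated, attrs, rights

def missing_write_attrs(aci, required=NEW_DNS_ATTRS):
    """Required attributes this ACI does not grant 'write' on.

    Names compare case-insensitively, as in LDAP; 'targetattr != ...'
    grants every attribute except the listed ones; '*' grants all.
    """
    negated, attrs, rights = parse_aci(aci)
    if "write" not in rights and "all" not in rights:
        return list(required)          # no write right at all
    if negated:
        return [a for a in required if a.lower() in attrs]
    if "*" in attrs:
        return []
    return [a for a in required if a.lower() not in attrs]
```

Run against the sample ACI, every new attribute is reported missing, which matches the 'Insufficient write privilege' errors above; once the targetattr list is extended with the new names the result is empty.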

Patch freeipa-mkosek-236-amend-permissions-for-new-dns-attributes.patch sent for review

Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03

7 years ago

