authorPetr Viktorin <pviktori@redhat.com>2014-06-09 15:06:35 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-06-18 14:45:50 +0200
commit853b6ef4ce5f2dd5fd459672521c5e32467192bc (patch)
treeff015f8a7da622380fb600b02c781d39c9d82488
parent16ee6847e493df0d28b6c1baa9a48ea29752bef5 (diff)
Convert DNS default permissions to managed
Convert the existing default permissions. The Read permission is split between Read DNS Entries and Read DNS Configuration. Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r--ACI.txt12
-rw-r--r--install/share/dns.ldif59
-rw-r--r--install/updates/40-delegation.update6
-rw-r--r--install/updates/40-dns.update28
-rw-r--r--ipalib/plugins/dns.py101
5 files changed, 118 insertions, 88 deletions
diff --git a/ACI.txt b/ACI.txt
index 2ceaacc07..6b75e79c3 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -10,6 +10,18 @@ dn: cn=System: Read Global Configuration,cn=permissions,cn=pbac,dc=ipa,dc=exampl
aci: (targetattr = "cn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || cospriority || krbpwdpolicyreference || objectclass")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Read Group Password Policy costemplate";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || idnspersistentsearch || idnszonerefresh || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsConfigObject)")(version 3.0;acl "permission:System: Read DNS Configuration";allow (read) groupdn = "ldap:///cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || idnspersistentsearch || idnszonerefresh")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsConfigObject)")(version 3.0;acl "permission:System: Write DNS Configuration";allow (write) groupdn = "ldap:///cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Read Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index d27f105b7..a2b126714 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -9,14 +9,6 @@ aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS ent
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
-dn: $SUFFIX
-changetype: modify
-add: aci
-aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "idnsforwardpolicy || idnsforwarders || idnsallowsyncptr || idnszonerefresh || idnspersistentsearch")(target = "ldap:///cn=dns,$SUFFIX")(version 3.0;acl "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX";)
-
dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
@@ -32,54 +24,3 @@ objectClass: groupofnames
objectClass: nestedgroup
cn: DNS Servers
description: DNS Servers
-
-dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: groupofnames
-objectClass: top
-objectClass: ipapermission
-cn: add dns entries
-description: Add DNS entries
-member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: groupofnames
-objectClass: top
-objectClass: ipapermission
-cn: remove dns entries
-description: Remove DNS entries
-member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: groupofnames
-objectClass: top
-objectClass: ipapermission
-cn: update dns entries
-description: Update DNS entries
-member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Read DNS Entries
-description: Read DNS entries
-ipapermissiontype: SYSTEM
-member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: groupofnames
-objectClass: top
-objectClass: ipapermission
-cn: Write DNS Configuration
-description: Write DNS Configuration
-member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 7c3a284b8..3c3212d58 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -244,9 +244,9 @@ replace:aci:'(targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*
# The original DNS permissions lacked the tag.
dn: $SUFFIX
-replace:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
-replace:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
-replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
+remove:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
+remove:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
+remove:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
# SELinux User Mapping
dn: cn=SELinux User Map Administrators,cn=privileges,cn=pbac,$SUFFIX
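Review bot: The comment just above the changed lines, `# The original DNS permissions lacked the tag.`, explained why the three ACIs were being re-tagged with replace:, but the new remove: lines delete them outright, so the comment now describes an operation the update no longer performs. Suggest `# The original untagged DNS ACIs are removed here; the managed permissions defined in ipalib/plugins/dns.py supersede them.` Note also that the 'replaces' lists in dns.py only match the tagged `permission:...` form of these ACIs, so on a server that never ran the earlier replace: step the untagged ACI is simply dropped and the managed permission is created fresh from its defaults; that appears to be the intent, but it is worth confirming that no attribute list from the legacy ACI needed to be carried over.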
diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update
index 475a0c05c..f0dbc9ce3 100644
--- a/install/updates/40-dns.update
+++ b/install/updates/40-dns.update
@@ -1,23 +1,3 @@
-# Add missing member values to attach permissions to their respective
-# privileges
-# Memberof task is already being run in 55-pbacmemberof.update
-dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX
-addifexist:objectclass: ipapermission
-addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
-addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
-
-dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX
-addifexist:objectclass: ipapermission
-addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
-addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
-
-dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX
-addifexist:objectclass: ipapermission
-addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
-addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
-
-dn: cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX
-addifexist:objectclass: ipapermission
# update DNS container
dn: cn=dns, $SUFFIX
@@ -26,14 +6,10 @@ addifexist: aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
addifexist: aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)'
addifexist: aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)'
-# update DNS acis with new idnsRecord attributes
-dn: $SUFFIX
-replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || managedby")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
-replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || managedby")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
-
# replace DNS tree deny rule with managedBy enhanced allow rule
dn: cn=dns, $SUFFIX
-replace:aci:'(targetattr = "*")(version 3.0; acl "No access to DNS tree without a permission"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX") and (groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX");)::(targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)'
+replace:aci:'(targetattr = "*")(version 3.0; acl "No access to DNS tree without a permission"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX") and (groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX");)::(targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)'
+replace:aci:'(targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)::(targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)'
# add DNS plugin
dn: cn=IPA DNS,cn=plugins,cn=config
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 736162368..b149f1f07 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -1843,6 +1843,77 @@ class dnszone(LDAPObject):
doc=_('Allow inline DNSSEC signing of records in the zone'),
),
)
+ managed_permissions = {
+ 'System: Add DNS Entries': {
+ 'non_object': True,
+ 'ipapermright': {'add'},
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN('idnsname=*', 'cn=dns', api.env.basedn),
+ 'replaces': [
+ '(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'DNS Administrators', 'DNS Servers'},
+ },
+ 'System: Read DNS Entries': {
+ 'non_object': True,
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN('idnsname=*', 'cn=dns', api.env.basedn),
+ 'ipapermdefaultattr': {
+ 'objectclass',
+ 'a6record', 'aaaarecord', 'afsdbrecord', 'arecord',
+ 'certrecord', 'cn', 'cnamerecord', 'dnamerecord', 'dnsclass',
+ 'dnsttl', 'dsrecord', 'hinforecord', 'idnsallowdynupdate',
+ 'idnsallowquery', 'idnsallowsyncptr', 'idnsallowtransfer',
+ 'idnsforwarders', 'idnsforwardpolicy', 'idnsname',
+ 'idnssoaexpire', 'idnssoaminimum', 'idnssoamname',
+ 'idnssoarefresh', 'idnssoaretry', 'idnssoarname',
+ 'idnssoaserial', 'idnsupdatepolicy', 'idnszoneactive',
+ 'keyrecord', 'kxrecord', 'locrecord', 'managedby', 'mdrecord',
+ 'minforecord', 'mxrecord', 'naptrrecord', 'nsecrecord',
+ 'nsrecord', 'nxtrecord', 'ptrrecord', 'rrsigrecord',
+ 'sigrecord', 'srvrecord', 'sshfprecord', 'txtrecord',
+ },
+ 'replaces_system': ['Read DNS Entries'],
+ 'default_privileges': {'DNS Administrators', 'DNS Servers'},
+ },
+ 'System: Remove DNS Entries': {
+ 'non_object': True,
+ 'ipapermright': {'delete'},
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN('idnsname=*', 'cn=dns', api.env.basedn),
+ 'replaces': [
+ '(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'DNS Administrators', 'DNS Servers'},
+ },
+ 'System: Update DNS Entries': {
+ 'non_object': True,
+ 'ipapermright': {'write'},
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN('idnsname=*', 'cn=dns', api.env.basedn),
+ 'ipapermdefaultattr': {
+ 'a6record', 'aaaarecord', 'afsdbrecord', 'arecord',
+ 'certrecord', 'cn', 'cnamerecord', 'dnamerecord', 'dnsclass',
+ 'dnsttl', 'dsrecord', 'hinforecord', 'idnsallowdynupdate',
+ 'idnsallowquery', 'idnsallowsyncptr', 'idnsallowtransfer',
+ 'idnsforwarders', 'idnsforwardpolicy', 'idnsname',
+ 'idnssoaexpire', 'idnssoaminimum', 'idnssoamname',
+ 'idnssoarefresh', 'idnssoaretry', 'idnssoarname',
+ 'idnssoaserial', 'idnsupdatepolicy', 'idnszoneactive',
+ 'keyrecord', 'kxrecord', 'locrecord', 'managedby', 'mdrecord',
+ 'minforecord', 'mxrecord', 'naptrrecord', 'nsecrecord',
+ 'nsrecord', 'nxtrecord', 'ptrrecord', 'rrsigrecord',
+ 'sigrecord', 'srvrecord', 'sshfprecord', 'txtrecord',
+ },
+ 'replaces': [
+ '(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)',
+ '(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)',
+ '(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || managedby")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'DNS Administrators', 'DNS Servers'},
+ },
+ }
def get_dn(self, *keys, **options):
zone = keys[-1]
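Review bot: The write attribute set for 'System: Update DNS Entries' (the 'ipapermdefaultattr' block in the second half of the hunk) includes `managedby`, which is the attribute the per-zone `userattr = "parent[0,1].managedby#GROUPDN"` rules key on, so any holder of this permission can extend zone administration to an arbitrary group; that was already true of the third legacy ACI listed under 'replaces', but it deserves a comment such as `# 'managedby' is writable here: holders can delegate zone management to other groups` so the scope reads as deliberate rather than inherited. Separately, neither the Read nor the Update set lists the inline DNSSEC signing attribute whose parameter appears in the context at the top of the hunk, so that attribute is presumably reachable only through admin or managedby-based ACIs; confirm that is intended. The enclosing dnszone class begins outside the hunk.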
@@ -3455,6 +3526,36 @@ class dnsconfig(LDAPObject):
label=_('Zone refresh interval'),
),
)
+ managed_permissions = {
+ 'System: Write DNS Configuration': {
+ 'non_object': True,
+ 'ipapermright': {'write'},
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN('cn=dns', api.env.basedn),
+ 'ipapermtargetfilter': ['(objectclass=idnsConfigObject)'],
+ 'ipapermdefaultattr': {
+ 'idnsallowsyncptr', 'idnsforwarders', 'idnsforwardpolicy',
+ 'idnspersistentsearch', 'idnszonerefresh'
+ },
+ 'replaces': [
+ '(targetattr = "idnsforwardpolicy || idnsforwarders || idnsallowsyncptr || idnszonerefresh || idnspersistentsearch")(target = "ldap:///cn=dns,$SUFFIX")(version 3.0;acl "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'DNS Administrators', 'DNS Servers'},
+ },
+ 'System: Read DNS Configuration': {
+ 'non_object': True,
+ 'ipapermright': {'read'},
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN('cn=dns', api.env.basedn),
+ 'ipapermtargetfilter': ['(objectclass=idnsConfigObject)'],
+ 'ipapermdefaultattr': {
+ 'objectclass',
+ 'idnsallowsyncptr', 'idnsforwarders', 'idnsforwardpolicy',
+ 'idnspersistentsearch', 'idnszonerefresh'
+ },
+ 'default_privileges': {'DNS Administrators', 'DNS Servers'},
+ },
+ }
def get_dn(self, *keys, **kwargs):
return DN(api.env.container_dns, api.env.basedn)
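Review bot: 'System: Read DNS Configuration' (second entry of the new managed_permissions dict) grants only `{'read'}`, while 'System: Read DNS Entries' in the dnszone hunk above and the other read permissions visible in ACI.txt grant read, search and compare; with read alone, a base-scope search for the config entry may not match the filter on the attributes the permission exposes, so the permission could be ineffective for holders who are not also admins. Unless the narrower right is deliberate, change it to `'ipapermright': {'read', 'search', 'compare'},` to match the sibling permission. The enclosing dnsconfig class begins outside the hunk.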