author | Martin Basti <mbasti@redhat.com> | 2014-10-16 10:41:24 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-10-21 12:23:03 +0200 |
commit | 5556b7f50e2939d0c61d852f2b0dcd82ba2fcf9c (patch) | |
tree | c88f2dbc6c0046e022315fdc66b3a8bf0491e9a6 /ipalib/plugins/dns.py | |
parent | d673ebe4a11981646a81abc97e3f632687693631 (diff) | |
DNSSEC: ACI
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipalib/plugins/dns.py')
-rw-r--r-- | ipalib/plugins/dns.py | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 7fafd0d26..ca5f1729d 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -2208,6 +2208,7 @@ class dnszone(DNSZoneBase):
 ),
 )
 # Permissions will be apllied for forwardzones too
+ # Store permissions into api.env.basedn, dns container could not exists
 managed_permissions = {
 'System: Add DNS Entries': {
 'non_object': True,
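Review bot: The wording of the added comment is ambiguous — `dns container could not exists` reads as "was unable to exist" rather than "may be absent"; if the intent is that the `cn=dns` container may not have been created when these permissions are installed, `# Store permissions under api.env.basedn: the cn=dns container may not exist yet` states that directly. The neighbouring context line also misspells `apllied`, though that line is not part of this change. The `managed_permissions` dict and the `dnszone` class both continue outside the hunk.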
@@ -2282,6 +2283,58 @@ class dnszone(DNSZoneBase):
 ],
 'default_privileges': {'DNS Administrators', 'DNS Servers'},
 },
+ 'System: Read DNSSEC metadata': {
+ 'non_object': True,
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN('cn=dns', api.env.basedn),
+ 'ipapermtargetfilter': ['(objectclass=idnsSecKey)'],
+ 'ipapermdefaultattr': {
+ 'idnsSecAlgorithm', 'idnsSecKeyCreated', 'idnsSecKeyPublish',
+ 'idnsSecKeyActivate', 'idnsSecKeyInactive', 'idnsSecKeyDelete',
+ 'idnsSecKeyZone', 'idnsSecKeyRevoke', 'idnsSecKeySep',
+ 'idnsSecKeyRef', 'cn', 'objectclass',
+ },
+ 'default_privileges': {'DNS Administrators'},
+ },
+ 'System: Manage DNSSEC metadata': {
+ 'non_object': True,
+ 'ipapermright': {'all'},
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN('cn=dns', api.env.basedn),
+ 'ipapermtargetfilter': ['(objectclass=idnsSecKey)'],
+ 'ipapermdefaultattr': {
+ 'idnsSecAlgorithm', 'idnsSecKeyCreated', 'idnsSecKeyPublish',
+ 'idnsSecKeyActivate', 'idnsSecKeyInactive', 'idnsSecKeyDelete',
+ 'idnsSecKeyZone', 'idnsSecKeyRevoke', 'idnsSecKeySep',
+ 'idnsSecKeyRef', 'cn', 'objectclass',
+ },
+ 'default_privileges': {'DNS Servers'},
+ },
+ 'System: Manage DNSSEC keys': {
+ 'non_object': True,
+ 'ipapermright': {'all'},
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN('cn=keys', 'cn=sec', 'cn=dns', api.env.basedn),
+ 'ipapermdefaultattr': {
+ 'ipaPublicKey', 'ipaPrivateKey', 'ipaSecretKey',
+ 'ipaWrappingMech','ipaWrappingKey',
+ 'ipaSecretKeyRef', 'ipk11Private', 'ipk11Modifiable', 'ipk11Label',
+ 'ipk11Copyable', 'ipk11Destroyable', 'ipk11Trusted',
+ 'ipk11CheckValue', 'ipk11StartDate', 'ipk11EndDate',
+ 'ipk11UniqueId', 'ipk11PublicKeyInfo', 'ipk11Distrusted',
+ 'ipk11Subject', 'ipk11Id', 'ipk11Local', 'ipk11KeyType',
+ 'ipk11Derive', 'ipk11KeyGenMechanism', 'ipk11AllowedMechanisms',
+ 'ipk11Encrypt', 'ipk11Verify', 'ipk11VerifyRecover', 'ipk11Wrap',
+ 'ipk11WrapTemplate', 'ipk11Sensitive', 'ipk11Decrypt',
+ 'ipk11Sign', 'ipk11SignRecover', 'ipk11Unwrap',
+ 'ipk11Extractable', 'ipk11AlwaysSensitive',
+ 'ipk11NeverExtractable', 'ipk11WrapWithTrusted',
+ 'ipk11UnwrapTemplate', 'ipk11AlwaysAuthenticate',
+ 'objectclass',
+ },
+ 'default_privileges': {'DNS Servers'},
+ },
 }

 def _rr_zone_postprocess(self, record, **options):
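Review bot: 'System: Manage DNSSEC keys' is the only one of the three new permissions without an `ipapermtargetfilter`, so its `{'all'}` rights apply to every entry under `cn=keys,cn=sec,cn=dns` whatever its objectclass, whereas both metadata permissions are confined to `(objectclass=idnsSecKey)`; if a single key objectclass is expected in that subtree, an equivalent filter would stop the ACI from silently covering anything else stored there later. The attribute list also hands `ipaPrivateKey` and `ipaSecretKey` to every holder of the 'DNS Servers' privilege; the presence of `ipaWrappingKey`/`ipaWrappingMech` suggests the material is stored wrapped, but the entry should say so, e.g. `# NOTE: exposes ipaPrivateKey/ipaSecretKey to DNS Servers — stored wrapped, confirm against the DNSSEC key design`. A minor style point: `'ipaWrappingMech','ipaWrappingKey',` lacks the space after the comma used everywhere else in the list. The `managed_permissions` dict opens before this hunk and `_rr_zone_postprocess` continues after it.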