diff options
-rw-r--r-- | ACI.txt | 6 | ||||
-rw-r--r-- | ipalib/plugins/dns.py | 53 |
2 files changed, 59 insertions, 0 deletions
@@ -39,8 +39,14 @@ aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || i dn: dc=ipa,dc=example aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: dc=ipa,dc=example +aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretkeyref || ipawrappingkey || ipawrappingmech || ipk11allowedmechanisms || ipk11alwaysauthenticate || ipk11alwayssensitive || ipk11checkvalue || ipk11copyable || ipk11decrypt || ipk11derive || ipk11destroyable || ipk11distrusted || ipk11encrypt || ipk11enddate || ipk11extractable || ipk11id || ipk11keygenmechanism || ipk11keytype || ipk11label || ipk11local || ipk11modifiable || ipk11neverextractable || ipk11private || ipk11publickeyinfo || ipk11sensitive || ipk11sign || ipk11signrecover || ipk11startdate || ipk11subject || ipk11trusted || ipk11uniqueid || ipk11unwrap || ipk11unwraptemplate || ipk11verify || ipk11verifyrecover || ipk11wrap || ipk11wraptemplate || ipk11wrapwithtrusted || objectclass")(target = "ldap:///cn=keys,cn=sec,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Manage DNSSEC keys";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: dc=ipa,dc=example +aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: dc=ipa,dc=example aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: dc=ipa,dc=example +aci: (targetattr = "cn || createtimestamp || entryusn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Read DNSSEC metadata";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: dc=ipa,dc=example aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: dc=ipa,dc=example aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 7fafd0d26..ca5f1729d 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -2208,6 +2208,7 @@ class dnszone(DNSZoneBase): ), ) # Permissions will be apllied for forwardzones too + # Store permissions into api.env.basedn, dns container could not exists managed_permissions = { 'System: Add DNS Entries': { 'non_object': True, @@ -2282,6 +2283,58 @@ class dnszone(DNSZoneBase): ], 'default_privileges': {'DNS Administrators', 'DNS Servers'}, }, + 'System: Read DNSSEC metadata': { + 'non_object': True, + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermlocation': api.env.basedn, + 'ipapermtarget': DN('cn=dns', api.env.basedn), + 'ipapermtargetfilter': ['(objectclass=idnsSecKey)'], + 'ipapermdefaultattr': { + 'idnsSecAlgorithm', 'idnsSecKeyCreated', 'idnsSecKeyPublish', + 'idnsSecKeyActivate', 'idnsSecKeyInactive', 'idnsSecKeyDelete', + 'idnsSecKeyZone', 'idnsSecKeyRevoke', 'idnsSecKeySep', + 'idnsSecKeyRef', 'cn', 'objectclass', + }, + 'default_privileges': {'DNS Administrators'}, + }, + 'System: Manage DNSSEC metadata': { + 'non_object': True, + 'ipapermright': {'all'}, + 'ipapermlocation': api.env.basedn, + 'ipapermtarget': DN('cn=dns', api.env.basedn), + 'ipapermtargetfilter': ['(objectclass=idnsSecKey)'], + 'ipapermdefaultattr': { + 'idnsSecAlgorithm', 'idnsSecKeyCreated', 'idnsSecKeyPublish', + 'idnsSecKeyActivate', 'idnsSecKeyInactive', 'idnsSecKeyDelete', + 'idnsSecKeyZone', 'idnsSecKeyRevoke', 'idnsSecKeySep', + 'idnsSecKeyRef', 'cn', 'objectclass', + }, + 'default_privileges': {'DNS Servers'}, + }, + 'System: Manage DNSSEC keys': { + 'non_object': True, + 'ipapermright': {'all'}, + 'ipapermlocation': api.env.basedn, + 'ipapermtarget': DN('cn=keys', 'cn=sec', 'cn=dns', api.env.basedn), + 'ipapermdefaultattr': { + 'ipaPublicKey', 'ipaPrivateKey', 'ipaSecretKey', + 'ipaWrappingMech','ipaWrappingKey', + 'ipaSecretKeyRef', 'ipk11Private', 'ipk11Modifiable', 'ipk11Label', + 'ipk11Copyable', 'ipk11Destroyable', 'ipk11Trusted', + 'ipk11CheckValue', 'ipk11StartDate', 'ipk11EndDate', + 'ipk11UniqueId', 'ipk11PublicKeyInfo', 'ipk11Distrusted', + 'ipk11Subject', 'ipk11Id', 'ipk11Local', 'ipk11KeyType', + 'ipk11Derive', 'ipk11KeyGenMechanism', 'ipk11AllowedMechanisms', + 'ipk11Encrypt', 'ipk11Verify', 'ipk11VerifyRecover', 'ipk11Wrap', + 'ipk11WrapTemplate', 'ipk11Sensitive', 'ipk11Decrypt', + 'ipk11Sign', 'ipk11SignRecover', 'ipk11Unwrap', + 'ipk11Extractable', 'ipk11AlwaysSensitive', + 'ipk11NeverExtractable', 'ipk11WrapWithTrusted', + 'ipk11UnwrapTemplate', 'ipk11AlwaysAuthenticate', + 'objectclass', + }, + 'default_privileges': {'DNS Servers'}, + }, } def _rr_zone_postprocess(self, record, **options): |