Bug 801931

Summary: | [RFE] Expand current 'update dns entries' permission to be per-domain level? | |
---|---|---|---
Product: | Red Hat Enterprise Linux 6 | Reporter: | Jason Montleon <jmontleo>
Component: | ipa | Assignee: | Rob Crittenden <rcritten>
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman>
Severity: | unspecified | Docs Contact: |
Priority: | high | |
Version: | 6.2 | CC: | jgalipea, mkosek
Target Milestone: | rc | Keywords: | FutureFeature
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | ipa-3.0.0-1.el6 | Doc Type: | Enhancement
Doc Text: | Feature: Allow administrators to delegate write privileges to a selected zone only. Reason: When an administrator wanted to delegate privileges to update a DNS zone to another Identity Management user, he had to allow write access to the entire DNS tree, which may not always be appropriate. Result: An administrator can use the dnszone-add-permission command to create a system permission allowing its assignee to read and write only a selected DNS zone managed by Identity Management. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2013-02-21 09:10:20 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Jason Montleon
2012-03-09 21:15:40 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2511

Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/52f69aaa8ab4d633bbeb96799bf96e8a715d0ae0

With this fix, you can use the new command "dnszone-add-permission $ZONE" to generate a system permission that grants its members read and write permissions to the given $ZONE (and not to any other zone).

Verified using ipa-server-3.0.0-8.el6.x86_64

Results of automated tests:

- [ PASS ] ipa-rbac-1010 - Can list zone managed by user
- [ PASS ] ipa-rbac-1011 - Cannot list zone not managed by user
- [ PASS ] ipa-rbac-1012 - Cannot add permission for zone not managed by user
- [ PASS ] ipa-rbac-1013 - Cannot add a new zone
- [ PASS ] ipa-rbac-1014 - Cannot delete zone managed by user
- [ PASS ] ipa-rbac-1015 - Cannot edit managedBy attr for zone managed by user
- [ PASS ] ipa-rbac-1016 - Can enable/disable zone managed by user
- [ PASS ] ipa-rbac-1017 - Cannot enable/disable zone not managed by user
- [ PASS ] ipa-rbac-1018 - Can read Global configuration, but cannot modify it
- [ PASS ] ipa-rbac-1019 - Can add/delete/modify/find DNS records
- [ PASS ] ipa-rbac-1020 - Cannot remove permission to manage this zone
- [ PASS ] ipa-rbac-1021 - Verify can use dig to do DNS queries
- [ PASS ] ipa-rbac-1022 - User with permission removed can no longer access the zone

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html