Description of problem:
Right now it does not look as though there is a way to restrict access for users so that they can only edit specific zones. In a large enough organization it is unreasonable to expect that there are not different groups responsible for maintaining different zones.
Steps to Reproduce:
1. Install IPA
2. Update the DNS entries permission for users
3. Try to restrict access to specific domains
Actual results:
No way to limit access

Expected results:
There should be a way to limit access
Even better would be the ability to go so far as to edit a specific PTR/A/CNAME record. This might be useful for self-service scenarios where a user has been given a static lease in order to allow them to update their DNS name on their own.
For an A record, allow them to change the name but not the IP address, and so on.
With this fix, you can use the new command "dnszone-add-permission $ZONE" to generate a system permission that grants its members read and write permissions to the given $ZONE (and not to any other zone).
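As an added example that is not part of this bug report or of FreeIPA's own code, the script below wires the generated per-zone permission to a group through a privilege and a role (the way FreeIPA RBAC assigns permissions to principals) and then checks, as the delegated user, that writes outside the delegated zone and deletion of the zone are refused, matching the boundary the automated tests describe. It assumes FreeIPA client tools on PATH and an admin Kerberos ticket for the delegate step; the permission name prefix "Manage DNS zone" is assumed and is looked up with permission-find rather than hard-coded, and the zone, group, role and privilege names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report or from FreeIPA): delegate read/write
# access to one DNS zone with dnszone-add-permission and verify the boundary.
# Assumptions: ipa client tools on PATH; admin ticket (kinit admin) for the
# delegate step; the generated permission is named "Manage DNS zone <zone>"
# (looked up by prefix, so the exact spelling of the zone is not assumed).
# Zone, group, privilege and role names below are hypothetical.
set -eu

# Lower-case the zone and drop a trailing dot so every ipa call uses one spelling.
normalize_zone() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Pull the first "cn:" value out of `ipa ... --raw` output fed on stdin.
extract_cn() {
    sed -n 's/^[[:space:]]*cn: //p' | head -n 1
}

# Locate the system permission generated for a zone (search by name prefix).
find_zone_permission() {
    ipa permission-find "Manage DNS zone $1" --raw | extract_cn
}

# Generate the per-zone permission and attach it to a group via privilege + role.
delegate_zone() {
    zone=$(normalize_zone "$1")
    group=$2
    privilege="DNS Administrators: $zone"
    role="DNS Administrator: $zone"

    ipa dnszone-add-permission "$zone"
    perm=$(find_zone_permission "$zone")
    [ -n "$perm" ] || { echo "no permission generated for $zone" >&2; return 1; }

    ipa privilege-add "$privilege" --desc="Read/write access to zone $zone only"
    ipa privilege-add-permission "$privilege" --permissions="$perm"
    ipa role-add "$role" --desc="Delegated administrators of zone $zone"
    ipa role-add-privilege "$role" --privileges="$privilege"
    ipa role-add-member "$role" --groups="$group"
}

# Run after kinit as a member of the delegated group: a record change in the
# delegated zone must succeed, the same change in another zone must be refused,
# and deleting the delegated zone must be refused as well.
verify_boundary() {
    zone=$(normalize_zone "$1")
    other=$(normalize_zone "$2")
    ipa dnsrecord-add "$zone" rbac-test --a-rec=192.0.2.10
    ipa dnsrecord-del "$zone" rbac-test --a-rec=192.0.2.10
    if ipa dnsrecord-add "$other" rbac-test --a-rec=192.0.2.10 2>/dev/null; then
        echo "FAIL: write to non-delegated zone $other was allowed" >&2
        return 1
    fi
    if ipa dnszone-del "$zone" 2>/dev/null; then
        echo "FAIL: delegated user could delete zone $zone" >&2
        return 1
    fi
    echo "OK: access is limited to $zone"
}

# Usage: sh delegate-zone.sh delegate ZONE GROUP       (as admin)
#        sh delegate-zone.sh verify   ZONE OTHER_ZONE  (as the delegated user)
if [ "$#" -ge 3 ]; then
    case $1 in
        delegate) delegate_zone "$2" "$3" ;;
        verify)   verify_boundary "$2" "$3" ;;
    esac
fi
```

The negative checks matter as much as the positive one: a permission that lets the group write records in its own zone but also in a sibling zone, or delete the zone object itself, is exactly the over-broad grant the reporter was trying to avoid.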
Verified using ipa-server-3.0.0-8.el6.x86_64
Results of automated tests:
[ PASS ] ipa-rbac-1010 - Can list zone managed by user
[ PASS ] ipa-rbac-1011 - Cannot list zone not managed by user
[ PASS ] ipa-rbac-1012 - Cannot add permission for zone not managed by user
[ PASS ] ipa-rbac-1013 - Cannot add a new zone
[ PASS ] ipa-rbac-1014 - Cannot delete zone managed by user
[ PASS ] ipa-rbac-1015 - Cannot edit managedBy attr for zone managed by user
[ PASS ] ipa-rbac-1016 - Can enable/disable zone managed by user
[ PASS ] ipa-rbac-1017 - Cannot enable/disable zone not managed by user
[ PASS ] ipa-rbac-1018 - Can read Global configuration, but cannot modify it
[ PASS ] ipa-rbac-1019 - Can add/delete/modify/find DNS records
[ PASS ] ipa-rbac-1020 - Cannot remove permission to manage this zone
[ PASS ] ipa-rbac-1021 - Verify can use dig to do DNS queries
[ PASS ] ipa-rbac-1022 - User with permission removed can no longer access the zone
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.