From Fedora Project Wiki

Revision as of 08:59, 13 September 2012 by Mkosek (talk | contribs) (Created page with "== Testcase FreeIPA v3 DNS delegation == Since FreeIPA 2.2, role based access model (RBAC) for DNS followed a different pattern than the rest of the objects (users, hosts, .....")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Testcase FreeIPA v3 DNS delegation

Since FreeIPA 2.2, role based access model (RBAC) for DNS followed a different pattern than the rest of the objects (users, hosts, ...) stored in FreeIPA database. As DNS tree may contain sensitive information and also a structure of the whole managed network, unprivileged users can no longer read DNS zones in LDAP unless they are granted a Read DNS Entries. This new permission accompanied standard add, update and delete permissions. Without this permission, unprivileged users can only use regular DNS queries to read DNS data.

Administrator may, however, require a more fine-grained access delegation model and allow selected user to control only one DNS zone and not the entire DNS tree, e.g. a lab administrator in a school may only control DNS records of his lab and not all DNS records in the entire school. Thus, FreeIPA 3.0 introduced a concept of per-zone permission which allows read, add, update and delete access to one DNS zone only.

Adding a per-zone permission

Server installation

First, install IPA with DNS support (--setup-dns option). You should have 2 DNS zones defined from the beginning - a forward zone and a reverse zone, e.g.:

# kinit admin
Password for admin@EXAMPLE.COM: 
# ipa dnszone-find
  Zone name: 78.16.10.in-addr.arpa.
  Authoritative nameserver: ipa.example.com.
  Administrator e-mail address: hostmaster.78.16.10.in-addr.arpa.
  SOA serial: 1347520528
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: example.com
  Authoritative nameserver: ipa.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1347520528
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------

User with per-zone access

Lets say you want to create a new DNS zone for a lab lab.example.com and delegate an access to it to unprivileged user labadmin.

# ipa user-add --first=Lab --last=Admin --random labadmin
---------------------
Added user "labadmin"
---------------------
  User login: labadmin
  First name: Lab
  Last name: Admin
  Full name: Lab Admin
  Display name: Lab Admin
  Initials: LA
  Home directory: /home/labadmin
  GECOS field: Lab Admin
  Login shell: /bin/sh
  Kerberos principal: labadmin@EXAMPLE.COM
  Email address: labadmin@example.com
  Random password: <random password>
  UID: 908800001
  GID: 908800001
  Password: True
  Kerberos keys available: True
# kinit labadmin
Password for labadmin@EXAMPLE.COM: 

Now, as a newly created labadmin user you should see no DNS zone as the account does not have a Read DNS Entries permission granted:

# ipa dnszone-find
----------------------------
Number of entries returned 0
----------------------------

As mentioned above, labuser can only run regular DNS queries like the rest of the (anonymous) users:

# dig ipa.example.com 
;; QUESTION SECTION:
;ipa.example.com.		IN	A 

;; ANSWER SECTION:
ipa.example.com.	1200	IN	A	10.16.78.86

Creating per-zone permission

Now, kinit back as admin user and create a delegated zone lab.example.com:

# ipa dnszone-add lab.example.com --name-server=hostname
Administrator e-mail address [hostmaster.lab.example.com.]: 
  Zone name: lab.example.com
  Authoritative nameserver: ipa.example.com.
  Administrator e-mail address: hostmaster.lab.example.com.
  SOA serial: 1347521692
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant
                      EXAMPLE.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

Then generate a new per-zone permission we will later grant to labadmin:

# ipa dnszone-add-permission lab.example.com
---------------------------------------------------------
Added system permission "Manage DNS zone lab.example.com"
---------------------------------------------------------

This command creates a regular system RBAC permission of that can be combined with the rest of the RBAC permissions:

# ipa permission-show "Manage DNS zone lab.example.com"
  Permission name: Manage DNS zone lab.example.com
  Permission Type: SYSTEM

Grant per-zone permission to user

Permission can be now granted to labuser with standard role and privilege commands already practiced in previous test day:

# ipa privilege-add "Control Lab DNS zone"
Description: Control Lab DNS zone
--------------------------------------
Added privilege "Control Lab DNS zone"
--------------------------------------
  Privilege name: Control Lab DNS zone
  Description: Control Lab DNS zone

# ipa privilege-add-permission "Control Lab DNS zone" --permissions="Manage DNS zone lab.example.com"
  Privilege name: Control Lab DNS zone
  Description: Control Lab DNS zone
  Permissions: manage dns zone lab.example.com
-----------------------------
Number of permissions added 1
-----------------------------

# ipa role-add "Lab Administrator"
Description: Lab Administrator
------------------------------
Added role "Lab Administrator"
------------------------------
  Role name: Lab Administrator
  Description: Lab Administrator

# ipa role-add-privilege "Lab Administrator" --privileges="Control Lab DNS zone"
  Role name: Lab Administrator
  Description: Lab Administrator
  Privileges: Control Lab DNS zone
----------------------------
Number of privileges added 1
----------------------------

# ipa role-add-member "Lab Administrator" --users=labadmin
  Role name: Lab Administrator
  Description: Lab Administrator
  Member users: labadmin
  Privileges: Control Lab DNS zone
-------------------------
Number of members added 1
-------------------------

Testing per-zone permission

When per-zone permission is created and granted to labadmin user, we can kinit as labadmin and test new DNS privileges.

Allowed actions

User should now see the zone lab.example.com that was delegated to him:

# kinit labadmin
Password for labadmin@EXAMPLE.COM: 
# ipa dnszone-find
  Zone name: lab.example.com
  Authoritative nameserver: ipa.example.com.
  Administrator e-mail address: hostmaster.lab.example.com.
  SOA serial: 1347521693
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 1
----------------------------

As you can see, he only see the delegated zone and not the rest of DNS zones (example.com and 78.16.10.in-addr.arpa.). labadmin user can now add, update or delete DNS records in this zone:

# ipa dnsrecord-add lab.example.com host1 --a-rec=10.16.78.101
  Record name: host1
  A record: 10.16.78.101

# ipa dnsrecord-mod lab.example.com host1 --a-rec=10.16.78.110
  Record name: host1
  A record: 10.16.78.110

# dig host1.lab.example.com
;; QUESTION SECTION:
;host1.lab.example.com.		IN	A

;; ANSWER SECTION:
host1.lab.example.com.	86400	IN	A	10.16.78.110

;; AUTHORITY SECTION:
lab.example.com.	86400	IN	NS	ipa.example.com.

# ipa dnsrecord-del lab.example.com host1 --del-all
----------------------
Deleted record "host1"
----------------------

labadmin can also change DNS zone configuration and for example make the zone resolvable only from chosen network:

# ipa dnszone-mod lab.example.com --allow-query=10.16.78.0/24
  Zone name: lab.example.com
  Authoritative nameserver: ipa.example.com.
  Administrator e-mail address: hostmaster.lab.example.com.
  SOA serial: 1347525520
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: 10.16.78.0/24;
  Allow transfer: none;

Forbidden actions

Unlike global DNS administrators, labadmin cannot delete the zone that was delegated to him:

# ipa dnszone-del lab.example.com
ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete the entry 'idnsname=lab.example.com,cn=dns,dc=example,dc=com'.

Obviously, he cannot add DNS records to other zones or add new zones:

# ipa dnsrecord-add example.com host --a-rec=10.0.0.1
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=host,idnsname=example.com,cn=dns,dc=example,dc=com'.

# ipa dnszone-add lab2.example.com --name-server=hostname
Administrator e-mail address [hostmaster.lab2.example.com.]: 
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=lab2.example.com,cn=dns,dc=example,dc=com'.

Deleting per-zone permission

When admin wants to remove the per-zone permission granted to labadmin he can either remove the permission from the privilege Control Lab DNS zone or remove it at all:

# kinit admin
Password for admin@EXAMPLE.COM: 
# ipa dnszone-remove-permission lab.example.com
-----------------------------------------------------------
Removed system permission "Manage DNS zone lab.example.com"
-----------------------------------------------------------

labadmin user then immediately loose access to DNS zone lab.example.com:

# kinit labadmin
Password for labadmin@EXAMPLE.COM: 
# ipa dnszone-find
----------------------------
Number of entries returned 0
----------------------------