Testcase FreeIPA v3 DNS delegation
Since FreeIPA 2.2, the role-based access control (RBAC) model for DNS has followed a different pattern than the rest of the objects (users, hosts, ...) stored in the FreeIPA database. Because the DNS tree may contain sensitive information, including the structure of the whole managed network, unprivileged users can no longer read DNS zones in LDAP unless they are granted the Read DNS Entries permission. This permission accompanies the standard add, update and delete permissions. Without it, unprivileged users can only read DNS data through regular DNS queries.
An administrator may, however, require a more fine-grained delegation model and allow a selected user to control only one DNS zone rather than the entire DNS tree; for example, a lab administrator in a school may control only the DNS records of his lab and not all DNS records in the school. FreeIPA 3.0 therefore introduced the concept of a per-zone permission, which grants read, add, update and delete access to a single DNS zone only.
Adding a per-zone permission
Server installation
First, install IPA with DNS support (--setup-dns option). You should have 2 DNS zones defined from the beginning - a forward zone and a reverse zone, e.g.:
# kinit admin
Password for admin@EXAMPLE.COM:
# ipa dnszone-find
Zone name: 78.16.10.in-addr.arpa.
Authoritative nameserver: ipa.example.com.
Administrator e-mail address: hostmaster.78.16.10.in-addr.arpa.
SOA serial: 1347520528
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Allow query: any;
Allow transfer: none;

Zone name: example.com
Authoritative nameserver: ipa.example.com.
Administrator e-mail address: hostmaster.example.com.
SOA serial: 1347520528
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Allow query: any;
Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------
User with per-zone access
Let's say you want to create a new DNS zone lab.example.com for a lab and delegate access to it to the unprivileged user labadmin.
# ipa user-add --first=Lab --last=Admin --random labadmin
---------------------
Added user "labadmin"
---------------------
User login: labadmin
First name: Lab
Last name: Admin
Full name: Lab Admin
Display name: Lab Admin
Initials: LA
Home directory: /home/labadmin
GECOS field: Lab Admin
Login shell: /bin/sh
Kerberos principal: labadmin@EXAMPLE.COM
Email address: labadmin@example.com
Random password: <random password>
UID: 908800001
GID: 908800001
Password: True
Kerberos keys available: True
# kinit labadmin
Password for labadmin@EXAMPLE.COM:
Now, as the newly created labadmin user, you should see no DNS zones, because the account has not been granted the Read DNS Entries permission:
# ipa dnszone-find
----------------------------
Number of entries returned 0
----------------------------
As mentioned above, labadmin can only run regular DNS queries, like the rest of the (anonymous) users:
# dig ipa.example.com
;; QUESTION SECTION:
;ipa.example.com.        IN   A

;; ANSWER SECTION:
ipa.example.com.   1200   IN   A   10.16.78.86
Creating per-zone permission
Now kinit back as the admin user and create the zone lab.example.com that will be delegated:
# ipa dnszone-add lab.example.com --name-server=hostname
Administrator e-mail address [hostmaster.lab.example.com.]:
Zone name: lab.example.com
Authoritative nameserver: ipa.example.com.
Administrator e-mail address: hostmaster.lab.example.com.
SOA serial: 1347521692
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;
Active zone: TRUE
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;
Then generate the new per-zone permission that we will later grant to labadmin:
# ipa dnszone-add-permission lab.example.com
---------------------------------------------------------
Added system permission "Manage DNS zone lab.example.com"
---------------------------------------------------------
This command creates a regular system RBAC permission that can be combined with the rest of the RBAC permissions:
# ipa permission-show "Manage DNS zone lab.example.com"
Permission name: Manage DNS zone lab.example.com
Permission Type: SYSTEM
Grant per-zone permission to user
The permission can now be granted to labadmin with the standard role and privilege commands already practiced on the previous test day:
# ipa privilege-add "Control Lab DNS zone"
Description: Control Lab DNS zone
--------------------------------------
Added privilege "Control Lab DNS zone"
--------------------------------------
Privilege name: Control Lab DNS zone
Description: Control Lab DNS zone
# ipa privilege-add-permission "Control Lab DNS zone" --permissions="Manage DNS zone lab.example.com"
Privilege name: Control Lab DNS zone
Description: Control Lab DNS zone
Permissions: manage dns zone lab.example.com
-----------------------------
Number of permissions added 1
-----------------------------
# ipa role-add "Lab Administrator"
Description: Lab Administrator
------------------------------
Added role "Lab Administrator"
------------------------------
Role name: Lab Administrator
Description: Lab Administrator
# ipa role-add-privilege "Lab Administrator" --privileges="Control Lab DNS zone"
Role name: Lab Administrator
Description: Lab Administrator
Privileges: Control Lab DNS zone
----------------------------
Number of privileges added 1
----------------------------
# ipa role-add-member "Lab Administrator" --users=labadmin
Role name: Lab Administrator
Description: Lab Administrator
Member users: labadmin
Privileges: Control Lab DNS zone
-------------------------
Number of members added 1
-------------------------
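The whole delegation sequence above (zone, per-zone permission, privilege, role, member), collected into one repeatable script. This is an added example, not code from the FreeIPA page or project; it only wraps the ipa commands already shown. It assumes the ipa CLI is on PATH and that a ticket for a user allowed to manage DNS, privileges and roles (admin on this page) is already in the credential cache. The --desc and --admin-email options are standard ipa options not shown on this page, used here to avoid the interactive prompts; the default privilege and role names are placeholders. Rather than assuming the "Manage DNS zone ..." naming scheme, the script reads the permission name back from what dnszone-add-permission prints.

```shell
#!/bin/sh
# Added example, not part of the FreeIPA test-day page: the delegation steps
# (dnszone-add, dnszone-add-permission, privilege-add, privilege-add-permission,
# role-add, role-add-privilege, role-add-member) as one script.
# Assumptions: `ipa` on PATH, an admin ticket in the cache; --desc and
# --admin-email are standard ipa options used to avoid interactive prompts.
set -eu

# Pull the permission name out of the dnszone-add-permission output, e.g.
#   Added system permission "Manage DNS zone lab.example.com"
# instead of assuming the naming scheme.
permission_name_from_output() {
    sed -n 's/.*Added system permission "\([^"]*\)".*/\1/p' | head -n 1
}

# delegate_dns_zone ZONE NAMESERVER USER [PRIVILEGE] [ROLE]
# Creates ZONE if it does not exist yet, its per-zone permission, and a
# privilege/role chain that gives USER management of that single zone.
# Prints the permission name on success.
delegate_dns_zone() {
    zone=$1; ns=$2; user=$3
    privilege=${4:-"Control DNS zone $zone"}     # placeholder name
    role=${5:-"DNS administrator for $zone"}      # placeholder name

    # The zone name ends up inside LDAP DNs and ACIs: accept only hostname
    # characters and insist on a fully qualified name.
    case "$zone" in
        *[!A-Za-z0-9._-]*) echo "bad zone name: $zone" >&2; return 2 ;;
        *.*) ;;
        *) echo "zone must be fully qualified: $zone" >&2; return 2 ;;
    esac

    # Create the zone only when dnszone-show cannot find it.
    if ! ipa dnszone-show "$zone" >/dev/null 2>&1; then
        ipa dnszone-add "$zone" --name-server="$ns" \
            --admin-email="hostmaster.$zone." >/dev/null
    fi

    perm=$(ipa dnszone-add-permission "$zone" | permission_name_from_output)
    if [ -z "$perm" ]; then
        echo "dnszone-add-permission $zone did not report a permission" >&2
        return 1
    fi

    ipa privilege-add "$privilege" --desc="$privilege" >/dev/null
    ipa privilege-add-permission "$privilege" --permissions="$perm" >/dev/null
    ipa role-add "$role" --desc="$role" >/dev/null
    ipa role-add-privilege "$role" --privileges="$privilege" >/dev/null
    ipa role-add-member "$role" --users="$user" >/dev/null
    echo "$perm"
}

# revoke_dns_zone ZONE: the page's teardown. Removing the system permission
# is enough; the privilege and role remain but no longer grant this zone.
revoke_dns_zone() {
    ipa dnszone-remove-permission "$1" >/dev/null
}

# Example usage (admin ticket in cache):
#   delegate_dns_zone lab.example.com ipa.example.com. labadmin
```

Note that privilege-add and role-add fail if an object of that name already exists, so with set -e a second run aborts before touching the role membership; run revoke_dns_zone and remove the privilege and role first, or pass names that do not yet exist.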
Testing per-zone permission
Once the per-zone permission is created and granted to the labadmin user, we can kinit as labadmin and test the new DNS privileges.
Allowed actions
The user should now see the zone lab.example.com that was delegated to him:
# kinit labadmin
Password for labadmin@EXAMPLE.COM:
# ipa dnszone-find
Zone name: lab.example.com
Authoritative nameserver: ipa.example.com.
Administrator e-mail address: hostmaster.lab.example.com.
SOA serial: 1347521693
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Allow query: any;
Allow transfer: none;
----------------------------
Number of entries returned 1
----------------------------
As you can see, he sees only the delegated zone and not the rest of the DNS zones (example.com and 78.16.10.in-addr.arpa.). The labadmin user can now add, update or delete DNS records in this zone:
# ipa dnsrecord-add lab.example.com host1 --a-rec=10.16.78.101
Record name: host1
A record: 10.16.78.101
# ipa dnsrecord-mod lab.example.com host1 --a-rec=10.16.78.110
Record name: host1
A record: 10.16.78.110
# dig host1.lab.example.com
;; QUESTION SECTION:
;host1.lab.example.com.        IN   A

;; ANSWER SECTION:
host1.lab.example.com.   86400   IN   A    10.16.78.110

;; AUTHORITY SECTION:
lab.example.com.   86400   IN   NS   ipa.example.com.
# ipa dnsrecord-del lab.example.com host1 --del-all
----------------------
Deleted record "host1"
----------------------
labadmin can also change the DNS zone configuration, for example to make the zone resolvable only from a chosen network. Since the per-zone permission covers the zone entry's own attributes, the same user can equally relax settings such as Allow transfer or the BIND update policy, so delegate a zone only to someone trusted to manage it as a whole:
# ipa dnszone-mod lab.example.com --allow-query=10.16.78.0/24
Zone name: lab.example.com
Authoritative nameserver: ipa.example.com.
Administrator e-mail address: hostmaster.lab.example.com.
SOA serial: 1347525520
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Allow query: 10.16.78.0/24;
Allow transfer: none;
Forbidden actions
Unlike global DNS administrators, labadmin cannot delete the zone that was delegated to him:
# ipa dnszone-del lab.example.com
ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete the entry 'idnsname=lab.example.com,cn=dns,dc=example,dc=com'.
Naturally, he cannot add DNS records to other zones or add new zones either:
# ipa dnsrecord-add example.com host --a-rec=10.0.0.1
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=host,idnsname=example.com,cn=dns,dc=example,dc=com'.
# ipa dnszone-add lab2.example.com --name-server=hostname
Administrator e-mail address [hostmaster.lab2.example.com.]:
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=lab2.example.com,cn=dns,dc=example,dc=com'.
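The allowed and forbidden checks above, turned into a script that is run with the delegated user's ticket (kinit labadmin) and returns non-zero when the delegation is wider or narrower than the page describes. This is an added example, not code from the FreeIPA page or project. It assumes the ipa CLI is on PATH; the probe record name and its 192.0.2.1 address are placeholders chosen from the documentation range. The negative check really issues dnszone-del, which a correctly delegated user is refused; if the user turns out to have broader rights (for example membership in Admins) the zone would be deleted, so run this only against a zone you can afford to lose.

```shell
#!/bin/sh
# Added example, not part of the FreeIPA test-day page: verify a per-zone
# delegation from the delegated user's side. Assumes `ipa` on PATH and a
# ticket for the delegated user in the cache. Probe record name and
# 192.0.2.1 are placeholders.
set -eu

# Does captured ipa output carry the access-denied error shown on the page?
is_access_denied() {
    grep -q 'Insufficient access'
}

# visible_zones: zone names the current ticket can read via dnszone-find,
# one per line (empty when the user holds no Read DNS Entries right at all).
visible_zones() {
    ipa dnszone-find 2>/dev/null | sed -n 's/^ *Zone name: *//p'
}

# verify_zone_delegation ZONE [PROBE]
# Returns 0 when the current user sees exactly ZONE, can add and delete a
# record in it, and is refused when deleting the zone itself.
verify_zone_delegation() {
    zone=$1; probe=${2:-_delegation-probe}; fail=0

    zones=$(visible_zones)
    if [ "$zones" != "$zone" ]; then
        echo "FAIL: expected only '$zone' visible, got:" \
             "$(printf '%s' "$zones" | tr '\n' ' ')" >&2
        fail=1
    fi

    # Positive check: add, then remove, a throwaway A record.
    if ipa dnsrecord-add "$zone" "$probe" --a-rec=192.0.2.1 >/dev/null 2>&1; then
        ipa dnsrecord-del "$zone" "$probe" --del-all >/dev/null 2>&1 || fail=1
    else
        echo "FAIL: cannot add record $probe.$zone" >&2; fail=1
    fi

    # Negative check: zone deletion must be refused. Only safe because a
    # correctly delegated user is denied; use a disposable zone.
    if ! ipa dnszone-del "$zone" 2>&1 | is_access_denied; then
        echo "FAIL: dnszone-del $zone was not refused" >&2; fail=1
    fi
    return $fail
}

# Example usage (labadmin ticket in cache):
#   verify_zone_delegation lab.example.com && echo "delegation OK"
```

Adding a record to a zone the user should not see (as on the page with example.com) is deliberately left out of the script: a wrongly delegated user could succeed and leave a stray record behind, and the visible-zones comparison already catches the over-broad case without writing anywhere.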
Deleting per-zone permission
When the admin wants to revoke the per-zone access granted to labadmin, he can either remove the permission from the privilege Control Lab DNS zone or delete the permission altogether:
# kinit admin
Password for admin@EXAMPLE.COM:
# ipa dnszone-remove-permission lab.example.com
-----------------------------------------------------------
Removed system permission "Manage DNS zone lab.example.com"
-----------------------------------------------------------
The labadmin user then immediately loses access to the DNS zone lab.example.com:
# kinit labadmin Password for labadmin@EXAMPLE.COM:
# ipa dnszone-find
----------------------------
Number of entries returned 0
----------------------------