dnsdist: Allow editing the ACL via the API #4658

Merged
merged 1 commit into from Nov 18, 2016

@rgacogne
Member
rgacogne commented Nov 3, 2016 edited

Short description

  • Add /api/v1/servers/localhost/config/acl to be able to retrieve and update the current ACL.
  • Add setAPIWritable(bool, [dir]) to allow modifications from the API, and to specify an optional directory where updated configuration files are written to on such update. The directory should be included in the configuration with includeDirectory() to be of any use.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled and tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added regression tests
pdns/README-dnsdist.md
@@ -1224,6 +1224,7 @@ Here are all functions:
* quit or ^D: exit the console
* `webserver(address:port, password [, apiKey [, customHeaders ]])`: launch a webserver with stats on that address with that password
* `includeDirectory(dir)`: all files ending in `.conf` in the directory `dir` are loaded into the configuration
+ * `setAPIWritable(bool, [dir])`: allow modifications via the API. If `dir` iset set, it must be a valid directory where the configuration files will be written by the API. Otherwise the modifications done via the API will not be written to the configuration and will not persist after a reload
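Review bot: the added `setAPIWritable(bool, [dir])` entry does not say that `dir` has to be loaded with `includeDirectory(dir)`, the function documented on the line just above it, for the files written by the API to be read back on reload. The pull request description states this requirement, so it belongs in the README text as well, for example by appending "The directory should be included in the configuration with `includeDirectory()`". The entry should also state explicitly what the behaviour is when `setAPIWritable` is never called.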
@zeha
zeha Nov 9, 2016 Collaborator

typo: iset set

pdns/dnsdist-console.cc
@@ -321,6 +321,7 @@ const std::vector<ConsoleKeyword> g_consoleKeywords{
{ "QTypeRule", true, "qtype", "matches queries with the specified qtype" },
{ "RCodeRule", true, "rcode", "matches responses with the specified rcode" },
{ "setACL", true, "{netmask, netmask}", "replace the ACL set with these netmasks. Use `setACL({})` to reset the list, meaning no one can use us" },
+ { "setAPIWritable", true, "bool, dir", "allow modifications via the API. if `dir`is set, it must be a valid directory where the configuration files will be written by the API" },
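Review bot: the argument string `"bool, dir"` in the added `setAPIWritable` entry presents `dir` as required, while the README entry in this same change documents it as `setAPIWritable(bool, [dir])`. Suggest `"bool [, dir]"` so that the console help matches the documentation, and carrying over the README sentence on what happens when `dir` is not set (modifications are not written to the configuration and do not persist after a reload).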
@zeha
zeha Nov 9, 2016 Collaborator

missed space before is set

pdns/dnsdist-lua2.cc
+ g_apiConfigDirectory = *apiConfigDir;
+ }
+ else {
+ errlog("The API configuration directory cannot be empty!");
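Review bot: the `else` branch shown here only calls `errlog(...)`, and the visible lines do not show whether the API is still made writable after that error. If it is, a configuration with an empty `dir` yields an API that accepts ACL changes which are then lost on reload; consider returning before the writable flag is set, or saying in the message that changes will not be persisted. Since the README requires `dir` to be "a valid directory", a check at configuration time that the path exists and is writable would surface a bad path at startup rather than at the first API update.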
@zeha
zeha Nov 9, 2016 Collaborator

this has confusion potential: "is this about the string itself or the directory?"

pdns/dnsdist-web.cc
+ }
+
+ if (resp.status == 200) {
+ vinfolog("Updating the ACL via the API");
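Review bot: `vinfolog("Updating the ACL via the API");` records an access-control change only when dnsdist runs in verbose mode, and the message carries neither the new netmasks nor any indication of who sent the request. An ACL change made over HTTP is worth logging unconditionally, for example with `infolog` or `warnlog`, including the client address and the resulting ACL, so that the change can be reconstructed from the logs afterwards.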
@zeha
zeha Nov 9, 2016 Collaborator

maybe also log actual changes made? (for "audit")

@rgacogne
Member

Updated to fix the issues reported by @zeha (thanks!).

@wojas
Contributor
wojas commented Nov 18, 2016

Can the config setting name be renamed from 'acl' to 'allow-from' to be consistent with the recursor and auth server REST API?

@rgacogne rgacogne merged commit 7448bae into PowerDNS:master Nov 18, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@rgacogne rgacogne deleted the rgacogne:dnsdist-set-acl branch Nov 18, 2016