-
Notifications
You must be signed in to change notification settings - Fork 104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consolidate vinyldns sys admins #953
Comments
Longer term we should consider RBAC, and simply assign roles to groups/users. A "sysadmin" role would be a good first candidate and could replace the current concept of "super" users. I can imagine other types of roles (e.g., batch queue review). Shorter term, being able to designate a group as a "sysadmin" group would be a good first step. |
in the current version the "super user" is build in and pays a huge role; but I can see no way to assign a super user so at least a short term fix is needed. I vote both hands. |
@JanuszU "super user" is mostly on par (or entirely on par) with "support user" at this point. @remerle we never did develop a user/role/privilege system (outside of zone level access controls and zone admins). At its inception, we did not see the need for it. I could certainly see an initially hard-coded set of privileges and a single role for "support" coming about, at least a pattern could be put in place for future expansion. The immediate need follows: In addition, we need the ability to register a user via the API, as well as see other users in the system. This could be done by the "root" account or "super" users. @JanuszU not sure if you have any other needs. @remerle not sure if you heard of anything else as well. |
@pauljamescleary The functionality I need is a group of admins-approvers and a group of users that may apply for a change or a new record. All their applications need an approve. It would be best if the users have access only to assigned zones while admins to all. |
@JanuszU thanks for the info, let me see if I understand right. You need a group of admins who are "approvers" who can review+approve certain DNS changes
"A group of users that may apply for a change for a new record"
"It would be best if the users have access to only assigned zones"
Let me know if this helps. In short, I think that we have the ability to support most of your needs today. Will be happy to answer questions, and update our Docs in short order with whatever is not clear (I know there are a lot of switches so I certainly sympathize) |
@pauljamescleary thanks for putting the access rights clear. Currently the access is "zone centric". |
@JanuszU hmm, so do you mean something like "If anyone changes these records, let ME approve them"? Would the process follow:
Or was it something different, I am trying to parse "enter a record set for approval", do you mean "give these users right to make changes, but require ALL changes to be approved"? |
@pauljamescleary Your 3 step solution sounds very good. If I could assign such ACL to a group would be delicious. |
@JanuszU thanks. Could you elaborate on how you see this working? Wondering if you could provide a little more context / even an example or a story that walks through "who" sets it up, and how they go about setting it up. When you mention "Step 3", I assume you mean someone sets up a rule / RBAC / ACL somewhere in VinylDNS that says "these kinds of changes need to be approved by the zone admins". I am wondering "who" sets up that authorization check, and at what level(s) it applies (i.e. globally across ZONES (like a subdomain), at the zone level only, both) |
@pauljamescleary I think it goes clear from Your 3 points. |
@JanuszU thanks for the clarity. It circles back to the RBAC for approvers. I like that idea alot. It goes beyond ACL rules, where you can grant an ACL rule and in the end instead of automatically applying they can be approved. Lacking full RBAC, a smaller, interim solution could be to add an "approval group" to an ACL rule (or would that be at the zone level?).
There is also the issue of "batch changes / DNS requests" have a somewhat different workflow than requests hitting a zone directly. It does complicate this a bit. Imagine if you will that a batch change goes in that touches 2 zones. Each zone has a different "approver group". How does the entire batch change ultimately get approved in its entirety. (you can amplify this challenge by 1000 as you can make 1000 changes in the same DNS request). So this is a bit bigger than what I mentioned above. We would need to have "item level approval" on a DNS request. Not sure how this would work |
@pauljamescleary I am just describing my scenario. We are a mid size business, having about a 200 zones. |
Thanks @JanuszU , in your common use case "A+PTR", would you require approval for just the "A", just the "PTR", or both? On our end, typically users do not care much about PTR and do it for completeness, so authorization matters most for the A record / forward zone. |
@pauljamescleary "A" record is crucial o course, if it helps coding make it just for the forward zones |
Is your feature request related to a problem? Please describe.
Right now, the concept of a sysadmin is spread across a few flags in the database that are now rather unaccessible. For users to use shared zones, they have to be a super user or a support user, which cannot be updated without some kind of script.
Describe the solution you'd like
The text was updated successfully, but these errors were encountered: