Opened 9 years ago

Closed 9 years ago

#1165 closed task (complete)

allow specifying xfrout ACL on a per-zone basis

Reported by: jinmei
Owned by: jinmei
Priority: medium
Milestone: Sprint-20111011
Component: xfrout
Version:
Keywords:
Cc:
CVSS Scoring:
Parent Tickets:
Sensitive: no
Defect Severity: N/A
Sub-Project: DNS
Feature Depending on Ticket:
Estimated Difficulty: 4
Add Hours to Ticket: 0
Total Hours: 0
Internal?: no

Description

Currently xfrout can only have a process-wide ACL, but the common practice
is to configure different zones with different access control policies
(such as by using different TSIG keys).

Ideally we should solve this in a generic way (like introducing a
generic zone configuration and having xfrout refer to it), but it
would be a big task, while the usage gap for xfrout is more
urgent. So the proposal is to solve this in a possibly ad hoc, xfrout
specific way as a medium-term workaround.

Change History (13)

comment:1 Changed 9 years ago by stephen

  • Milestone changed from Next-Sprint-Proposed to Sprint-20110927

comment:2 Changed 9 years ago by jelte

  • Estimated Difficulty changed from 0 to 4

comment:3 follow-up: Changed 9 years ago by jinmei

  • Owner set to jinmei
  • Status changed from new to accepted

comment:4 in reply to: ↑ 3 Changed 9 years ago by jinmei

Replying to jinmei:

Branch trac1165 is ready for review.

I believe the implementation is straightforward. I made a couple of
unrelated cleanup/refactoring changes (I hope they are acceptable).
See the commit log for the intent of such changes.

I originally planned to do a few more things for this ticket:

  • add system tests
  • update bind10-guide

but I decided to defer them to keep the branch concise. My plan is
to create a separate new task for these remaining points.

The proposed changelog entry is as follows:

288.?	[func]*		jinmei
	b10-xfrout: ACLs for xfrout can now be configured on a per-zone basis.
	A per-zone ACL is part of a more general zone configuration.  A
	quick example for configuring an ACL for zone "example.com" that
	rejects any transfer request for that zone is as follows:
	> config add Xfrout/zone_config
	> config set Xfrout/zone_config[0]/origin "example.com"
	> config add Xfrout/zone_config[0]/transfer_acl
	> config set Xfrout/zone_config[0]/transfer_acl[0] {"action": "REJECT"}
	The previous global ACL (query_acl) was renamed to transfer_acl,
	which now works as the default ACL.  Note: backward compatibility
	is not provided, so an existing configuration using query_acl
	needs to be updated by hand.
	Note: the per zone configuration framework is a temporary
	workaround.  It will eventually be redesigned as a system wide
	configuration.
	(Trac #1165, git TBD)

(btw: I saw an error after "config add Xfrout/zone_config[0]/transfer_acl",
but the entry was actually created. It seems like a bug of bindctl or
config module).
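To make the lookup order described in the changelog concrete (a zone's own transfer_acl wins, the global transfer_acl is the default, and a left-over query_acl is silently ignored), here is an added illustration written for this page. It is not b10-xfrout's own code, and it assumes three things the ticket does not state: that ACL entries may carry "from" (source network) and "key" (TSIG key name) match fields, that zone origins are compared case-insensitively with the trailing dot ignored, and that an ACL with no matching entry fails closed. The configuration dictionary is constructed to mirror the bindctl example above.

```python
"""Per-zone transfer ACL selection in the shape of Xfrout/zone_config.

Added example, not BIND 10's own code.  The "from"/"key" match fields,
the origin normalisation and the fail-closed default are assumptions.
"""
import ipaddress

# Constructed configuration modelled on the ticket's bindctl example:
# "example.com" rejects every transfer, "example.net" allows only one TSIG
# key, everything else falls back to the global transfer_acl.
CONFIG = {
    "transfer_acl": [
        {"action": "ACCEPT", "from": "192.0.2.0/24"},
        {"action": "REJECT"},
    ],
    "zone_config": [
        {"origin": "example.com",
         "transfer_acl": [{"action": "REJECT"}]},
        {"origin": "example.net",
         "transfer_acl": [
             {"action": "ACCEPT", "key": "xfr-key.example.net."},
             {"action": "REJECT"},
         ]},
    ],
}


def normalize_name(name):
    """Assumed matching rule: DNS names are case-insensitive and the trailing
    dot is optional, so 'Example.COM.' selects the 'example.com' entry."""
    return name.lower().rstrip(".")


def check_config(config):
    """Return a list of configuration problems.

    The ticket notes that query_acl was renamed to transfer_acl with no
    backward compatibility, so a stale query_acl is the first thing to flag:
    it is no longer consulted and the operator's intended policy is lost.
    """
    problems = []
    if "query_acl" in config:
        problems.append(
            "Xfrout/query_acl is obsolete; move its entries to Xfrout/transfer_acl")
    seen = set()
    for zc in config.get("zone_config", []):
        origin = normalize_name(zc["origin"])
        if origin in seen:
            problems.append("duplicate zone_config entry for %s" % zc["origin"])
        seen.add(origin)
    return problems


def select_acl(config, zone_name):
    """The zone's own transfer_acl if configured, else the global default."""
    wanted = normalize_name(zone_name)
    for zc in config.get("zone_config", []):
        if normalize_name(zc["origin"]) == wanted and "transfer_acl" in zc:
            return zc["transfer_acl"]
    return config.get("transfer_acl", [])


def acl_entry_matches(entry, src_addr, key_name):
    """An entry matches when every match field it carries is satisfied;
    an entry with no match fields (e.g. {"action": "REJECT"}) matches all."""
    if "from" in entry:
        net = ipaddress.ip_network(entry["from"])
        if ipaddress.ip_address(src_addr) not in net:
            return False
    if "key" in entry:
        if key_name is None:
            return False
        if normalize_name(key_name) != normalize_name(entry["key"]):
            return False
    return True


def transfer_action(config, zone_name, src_addr, key_name=None):
    """First matching entry wins; no match at all rejects (assumed fail-closed)."""
    for entry in select_acl(config, zone_name):
        if acl_entry_matches(entry, src_addr, key_name):
            return entry["action"]
    return "REJECT"
```

Running `transfer_action(CONFIG, "example.org", "192.0.2.10")` shows the global default in effect, while the same client asking for "example.com" is rejected by the per-zone list regardless of address. `check_config({"query_acl": [...]})` is the check to run before upgrading, since the renamed key is otherwise ignored without any error.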

comment:5 Changed 9 years ago by jinmei

  • Owner changed from jinmei to UnAssigned
  • Status changed from accepted to reviewing

comment:6 Changed 9 years ago by jelte

  • Milestone changed from Sprint-20110927 to Sprint-20111011

comment:7 Changed 9 years ago by stephen

  • Owner changed from UnAssigned to stephen

comment:8 follow-up: Changed 9 years ago by stephen

  • Owner changed from stephen to jinmei

Review of commit 40cd22fc64c7755efe60cd42cb12851cf3de55a4

src/bin/xfrout/xfrout.py.in
Corrected one typo in an error message and pushed.

src/bin/xfrout/xfrout.spec.pre.in
There appear to be some tabs in the file.

src/bin/xfrout/xfrout_messages.mes
A few typos and grammatical errors - these have been corrected and the updated file pushed.

comment:9 in reply to: ↑ 8 Changed 9 years ago by jinmei

Replying to stephen:

Review of commit 40cd22fc64c7755efe60cd42cb12851cf3de55a4

src/bin/xfrout/xfrout.py.in
Corrected one typo in an error message and pushed.

src/bin/xfrout/xfrout_messages.mes
A few typos and grammatical errors - these have been corrected and the updated file pushed.

Thanks, they look good.

src/bin/xfrout/xfrout.spec.pre.in
There appear to be some tabs in the file.

Good catch, removed them.

comment:10 Changed 9 years ago by jinmei

  • Owner changed from jinmei to stephen

comment:11 follow-up: Changed 9 years ago by stephen

  • Owner changed from stephen to jinmei

All OK, please merge.

comment:12 in reply to: ↑ 11 Changed 9 years ago by jinmei

Replying to stephen:

All OK, please merge.

Merge done, closing ticket. Thanks for the review.

comment:13 Changed 9 years ago by jinmei

  • Resolution set to complete
  • Status changed from reviewing to closed