[bind10-dev] authentication mechanism for cmdctl

Shane Kerr shane at isc.org
Wed Mar 31 14:55:27 UTC 2010


Jeremy,

On Wed, 2010-03-31 at 08:54 -0500, Jeremy C. Reed wrote: 
> The username and password part is also useful for the case of 
> multiple users having access to bindctl and needing to use it.
> (File permissions are fine too, such as having a group be able to read 
> the cert file and then maintain group members for it.)

All communication between client software & the server should be over
SSL (or TLS or whatever it is these days).

The client software should use a certificate to authenticate the SERVER
identity.

The server software can use either a client certificate OR
username/password to authenticate a user. If users choose to have a
single client certificate for all users, that is their choice - the same
as if they had a single user/pass for all access. I don't think we
either want to or need to mix the two methods.

(Of course, we should probably support a single user with both
username/password and client certificate methods, in case a user wants
to have the option to use username/password when they are away from a
computer which has their certificate.)

> In the long run I'd like the cmdctl backend to be able to have different 
> classifications of users, for example:
> 
> 1) be able to retrieve stats, read some configurations (for example so a 
> webgui could talk to it to generate reports but not make any changes or 
> for a novice sysadmin can report about system status but can't make 
> changes)
> 
> 2) be able to maintain own zone (for example remote zone owner can add 
> or change entries, resign, etc.)
> 
> 3) be able to update any zones, add zones, remove zones
> 
> 4) be able to make configuration changes for tuning for specific zones 
>    or maybe specific networks
> 
> 5) be able to make system-wide configuration changes

Yes, we absolutely need some sort of "roles" for users, or other ways to
assign permissions. This may be something we add in year 3, or may be
something for year 2, depending on feedback we get from users and other
people in the community.

--
Shane
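As an added illustration of the design sketched in this exchange (server verified by TLS, user authenticated by either a client certificate or a username/password, and permissions granted through roles modelled on Jeremy's five user classes), here is a small, self-contained model. It is example code written for this page, not BIND 10's cmdctl and not code from either author; the role names, permission strings, the assumption that roles are additive, and the sample accounts are all hypothetical. The TLS layer itself is out of scope: the certificate path assumes the chain has already been verified (for example with `ssl.CERT_REQUIRED`) and only maps the accepted subject to a user.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Role -> permissions, loosely following the five user classes in the thread.
# Assumption for this example: roles are additive, a user may hold several.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "observer":   {"stats:read", "config:read"},                  # 1) read-only reporting
    "zone_owner": {"zone:update_own"},                            # 2) maintain own zones
    "zone_admin": {"zone:update_any", "zone:add", "zone:remove"}, # 3) any zone
    "tuner":      {"config:tune"},                                # 4) per-zone/network tuning
    "sysadmin":   {"config:write"},                               # 5) system-wide changes
}

PBKDF2_ROUNDS = 200_000


@dataclass
class User:
    name: str
    roles: Set[str]
    zones: Set[str] = field(default_factory=set)   # zones this user owns
    pw_salt: bytes = b""
    pw_hash: bytes = b""
    cert_subject: Optional[str] = None             # subject of an accepted client cert


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def set_password(user: User, password: str) -> None:
    """Store a salted PBKDF2 hash rather than the password itself."""
    user.pw_salt = secrets.token_bytes(16)
    user.pw_hash = _derive(password, user.pw_salt)


# Placeholder salt so a lookup of an unknown user costs the same as a wrong password.
_DUMMY_SALT = secrets.token_bytes(16)


def authenticate_password(users: Dict[str, User], name: str, password: str) -> Optional[User]:
    """Username/password method: returns the User on success, None otherwise."""
    user = users.get(name)
    if user is None or not user.pw_hash:
        _derive(password, _DUMMY_SALT)  # equalize timing for unknown / cert-only users
        return None
    if hmac.compare_digest(_derive(password, user.pw_salt), user.pw_hash):
        return user
    return None


def authenticate_certificate(users: Dict[str, User], verified_subject: str) -> Optional[User]:
    """Client-certificate method. The TLS layer is assumed to have verified the chain
    already; this step only maps the accepted subject to a configured user."""
    for user in users.values():
        if user.cert_subject is not None and user.cert_subject == verified_subject:
            return user
    return None


def permissions(user: User) -> Set[str]:
    """Union of the permissions granted by all of the user's roles."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))


def authorize(user: User, action: str, zone: Optional[str] = None) -> bool:
    """Decide whether an authenticated user may perform `action` (optionally on `zone`)."""
    perms = permissions(user)
    if action == "zone:update":
        return "zone:update_any" in perms or ("zone:update_own" in perms and zone in user.zones)
    return action in perms


def build_demo_users() -> Dict[str, User]:
    """Constructed sample accounts for the demo (hypothetical, not real credentials)."""
    alice = User("alice", roles={"observer", "sysadmin"})
    set_password(alice, "correct horse battery staple")
    bob = User("bob", roles={"zone_owner"}, zones={"example.org"}, cert_subject="CN=bob")
    return {"alice": alice, "bob": bob}


if __name__ == "__main__":
    users = build_demo_users()
    alice = authenticate_password(users, "alice", "correct horse battery staple")
    print("alice via password:", alice is not None)
    bob = authenticate_certificate(users, "CN=bob")
    print("bob may update example.org:", authorize(bob, "zone:update", "example.org"))
    print("bob may update example.com:", authorize(bob, "zone:update", "example.com"))
    print("bob may change system config:", authorize(bob, "config:write"))
```

The two authentication paths are deliberately kept separate, as the message argues: each returns the same `User`, and only after that does the role check run, so a single account can carry both a password and a certificate subject without the methods being mixed. The `zone:update_own` permission is the one place where the decision depends on the target object rather than the action alone, which is what Jeremy's "maintain own zone" class needs.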