Feature #6210
closed
create user privilege for only DNS Host and Domain Overrides in DNS Resolver
Description
Currently, the only way to allow privilege to add/edit DNS overrides is to allow access to the entire DNS Resolver Options General Settings page. I have a use case currently where admins want to extend override capability to a set of users for a network dedicated to testing devices and DNS overrides happen all the time, but admins are nervous of allowing these overrides to somehow get out of this network. So if the testers only had access to the overrides everyone would be happy.
Updated by Joe Passavanti about 9 years ago
I submitted a pull request https://github.com/pfsense/pfsense/pull/2891
Updated by Chris Buechler about 9 years ago
- Status changed from New to Rejected
This isn't desirable. We don't want to add yet another new menu item, for a use case that I think you're the only person in the world who wants, and introduce inconsistency between Forwarder and Resolver and even within Resolver itself. Granting privs to the Resolver as a whole is going to be required for this use case. That isn't all that much different than just the overrides.
Updated by Joe Passavanti about 9 years ago
Chris Buechler wrote:
> This isn't desirable. We don't want to add yet another new menu item, for a use case that I think you're the only person in the world who wants, and introduce inconsistency between Forwarder and Resolver and even within Resolver itself. Granting privs to the Resolver as a whole is going to be required for this use case. That isn't all that much different than just the overrides.
I'm the only one who has a use case for RBAC? Seriously? And without even any discussion, bam, just delete it, after it was merged? Thanks for preventing our implementation from ever getting your upgrades.
Updated by NOYB NOYB about 9 years ago
If you wish to discuss it, options, and alternatives.
New DNS Resolver Overrides Page
https://forum.pfsense.org/index.php?topic=114065.0
Updated by Chris Buechler about 9 years ago
Sorry, but it shouldn't have been merged in the first place. There is discussion on the forum NOYB linked as to why. If we added a single menu item for everything that 1 in a hundred thousand people wanted, we'd have a huge mess of thousands of menu items. Things in that regard are already a bit out of control.
RBAC for that purpose is common, but at that granular of a level, it's not. You can grant users access to add host and/or domain overrides plus the general config for Resolver to accomplish that end result. People who have access to change domain and host overrides virtually always need access to the general Resolver config anyway, and there are worse things they can do than break the general Resolver config.