

[RESOLVED] set specific DNS permissions via WAPI


I want to create an API-only service account that can only create and update A & TXT records in a subzone. All of this should be automated via the WAPI interface.


Steps I had in mind:

1. create subzone: POST https://{{grid_master}}/wapi/v2.7/zone_auth?_return_fields=fqdn

2. create group: POST https://{{grid_master}}/wapi/v2.7/admingroup (for now I add a local user manually, but want to link it to an AD group later)

3. block this group to all resources (deny IPV6_HOST_ADDRESS / HOST / IPV6_NETWORK / NETWORK / HOST_ADDRESS / NETWORK_VIEW / PORT_CONTROL)

4. allow this group access to subzone (A and TXT records only)


The problem is I can't find the objects to add the permissions via the WAPI for steps 3 and 4. As an example, I can only find the object for IPV6_HOST_ADDRESS if I create such a permission via the GUI first (which then shows "_ref": "permission/b25lLmhpZXJfcnVsZSQuY29tLmluZm9ibG94LmRucy5uZXR3b3JrX3ZpZXdfcGFyZW50JC8uLi5jb20uaW5mb2Jsb3gub25lLmFkbWluX2dyb3VwJC5rOHMxLmRucy5ob3N0X2FkZHJlc3M7aXNfaXB2ND1mYWxzZQ:k8s1/DENY" if I check via the API)


Same goes for the A and TXT records in a DNS zone. I can retrieve the object of a zone via https://{{grid_master}}/wapi/v2.7/zone_auth? which gives "_ref": "zone_auth/". I can only find the objects for A and TXT if I again create a permission via the GUI and query via the API.


Any thoughts?

[RESOLVED] Re: set specific DNS permissions via WAPI


Answering my own question here: I approached my quest differently.


Instead of trying to find the object IDs, I wanted to know all parameters to the 'permission' API call. I managed to get that via the 'permission?_schema' call. In the result I found the field 'resource_type' which I could use to set the global permissions required for step 3.


I should be able to also apply the 'resource_type = A' for step 4, but apparently there is no way to also specify the fqdn for the zone I want to apply it to. I still have to give full access to the zone for now.
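Added example, not part of the original posts and not Infoblox code: step 3 as the answer describes it, planning one `permission` POST per `resource_type` after checking the names against the `permission?_schema` output, without sending anything to the grid. The schema layout, the `gm.example.com` host and the `dns-api-group` group name are assumptions; confirm the `group`, `permission` and `resource_type` body fields against your own schema reply.

```python
import json

WAPI_VERSION = "v2.7"  # version used in the thread's URLs

# Resource types named in step 3 of the question.
STEP3_DENY = ["IPV6_HOST_ADDRESS", "HOST", "IPV6_NETWORK", "NETWORK",
              "HOST_ADDRESS", "NETWORK_VIEW", "PORT_CONTROL"]

# Constructed excerpt of a 'permission?_schema' reply. The layout
# (fields -> name / enum_values) is an assumption; compare with your grid.
SAMPLE_SCHEMA = {"fields": [
    {"name": "group", "type": ["string"]},
    {"name": "permission", "enum_values": ["DENY", "READ", "WRITE"]},
    {"name": "resource_type", "enum_values": STEP3_DENY + ["A", "TXT"]},
]}


def allowed_values(schema, field):
    """Return the enum values the schema advertises for one field."""
    for entry in schema.get("fields", []):
        if entry.get("name") == field:
            return set(entry.get("enum_values", []))
    raise KeyError(f"field {field!r} not in schema")


def build_deny_requests(grid_master, group, resource_types, schema):
    """Plan one POST per resource type; nothing is sent to the grid."""
    if "DENY" not in allowed_values(schema, "permission"):
        raise ValueError("schema does not offer DENY")
    known = allowed_values(schema, "resource_type")
    unknown = sorted(set(resource_types) - known)
    if unknown:  # stop before any request is planned with a bad name
        raise ValueError(f"unknown resource_type(s): {unknown}")
    url = f"https://{grid_master}/wapi/{WAPI_VERSION}/permission"
    return [{"method": "POST", "url": url,
             "json": {"group": group, "permission": "DENY",
                      "resource_type": rt}}
            for rt in dict.fromkeys(resource_types)]  # de-duplicate, keep order


if __name__ == "__main__":
    # gm.example.com and dns-api-group are hypothetical placeholders.
    for req in build_deny_requests("gm.example.com", "dns-api-group",
                                   STEP3_DENY, SAMPLE_SCHEMA):
        print(req["method"], req["url"], json.dumps(req["json"]))
```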
