[RESOLVED] set specific DNS permissions via WAPI

New Member
Posts: 2

I want to create an API-only service account that can only create and update A & TXT records in a subzone. All of this should be automated via the WAPI interface.

Steps I had in mind:

1. create subzone: POST https://{{grid_master}}/wapi/v2.7/zone_auth?_return_fields=fqdn

2. create group: POST https://{{grid_master}}/wapi/v2.7/admingroup (for now I add a local user manually, but want to link it to an AD group later)

3. block this group to all resources (deny IPV6_HOST_ADDRESS / HOST / IPV6_NETWORK / NETWORK / HOST_ADDRESS / NETWORK_VIEW / PORT_CONTROL)

4. allow this group access to subzone (A and TXT records only)

The problem is I can't find the objects to add the permissions via the WAPI for steps 3 and 4. As an example, I can only find the object for IPV6_HOST_ADDRESS if I create such a permission via the GUI first (which then shows "_ref": "permission/b25lLmhpZXJfcnVsZSQuY29tLmluZm9ibG94LmRucy5uZXR3b3JrX3ZpZXdfcGFyZW50JC8uLi5jb20uaW5mb2Jsb3gub25lLmFkbWluX2dyb3VwJC5rOHMxLmRucy5ob3N0X2FkZHJlc3M7aXNfaXB2ND1mYWxzZQ:k8s1/DENY" if I check via the API)

Same goes for the A and TXT records in a DNS zone. I can retrieve the object of a zone via https://{{grid_master}}/wapi/v2.7/zone_auth?fqdn~=mydomain.com which gives "_ref": "zone_auth/ZG5zLnpvbmUkLl9kZWZhdWx0LmNvbS5qbmpsYWIuZHZsLWFwcHMudGVzdDI:mydomain.com/Internal". I can only find the objects for A and TXT if I again create a permission via the GUI and query via the API.

Any thoughts?

[RESOLVED] Re: set specific DNS permissions via WAPI

Answering my own question here: I approached my quest differently.

Instead of trying to find the object IDs, I wanted to know all parameters to the 'permission' API call. I managed to get that via the 'permission?_schema' call. In the result I found the field 'resource_type' which I could use to set the global permissions required for step 3.

I should be able to also apply the 'resource_type = A' for step 4, but apparently there is no way to also specify the fqdn for the zone I want to apply it to. I still have to give full access to the zone for now.
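The approach the resolution describes, written out as an added example that is not code from the original thread: discover the `permission` fields via `permission?_schema`, create the API-only group, post one DENY permission per global `resource_type` (step 3), then grant WRITE on the zone object itself (step 4 as resolved above). The grid master address, credentials, group name `k8s1` and zone name are placeholders; the `access_method` field on `admingroup` is an assumption about how to make the group API-only.

```python
"""Restricted WAPI service account: deny global object types, allow one zone."""
import base64
import json
import ssl
import urllib.request

WAPI = "https://GRID_MASTER_PLACEHOLDER/wapi/v2.7/"   # placeholder grid master
GROUP = "k8s1"                                          # placeholder group name
ZONE = "mydomain.com"                                   # placeholder subzone
# Resource types the question lists for the global DENY (step 3).
DENY_TYPES = ["IPV6_HOST_ADDRESS", "HOST", "IPV6_NETWORK", "NETWORK",
              "HOST_ADDRESS", "NETWORK_VIEW", "PORT_CONTROL"]


def deny_permissions(group):
    """One DENY permission body per global resource type (no 'object' field)."""
    return [{"group": group, "resource_type": t, "permission": "DENY"}
            for t in DENY_TYPES]


def zone_permission(group, zone_ref):
    """WRITE on the zone object; the thread found no way to narrow it to A/TXT."""
    return {"group": group, "object": zone_ref, "permission": "WRITE"}


def wapi_call(base, user, password, path, method="GET", body=None, verify=True):
    """Minimal WAPI client on the standard library: HTTP basic auth, JSON in/out."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base + path, method=method,
                                 data=json.dumps(body).encode() if body else None,
                                 headers={"Authorization": "Basic " + token,
                                          "Content-Type": "application/json"})
    ctx = None if verify else ssl._create_unverified_context()  # lab use only
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read())


def main(user="admin", password="PLACEHOLDER"):
    # Field names available on the permission object (what the answer used).
    fields = wapi_call(WAPI, user, password, "permission?_schema")["fields"]
    assert any(f["name"] == "resource_type" for f in fields)
    # Step 2: API-only group (access_method value assumed; verify in your schema).
    wapi_call(WAPI, user, password, "admingroup", "POST",
              {"name": GROUP, "access_method": ["API"]})
    for body in deny_permissions(GROUP):                      # step 3
        wapi_call(WAPI, user, password, "permission", "POST", body)
    zone_ref = wapi_call(WAPI, user, password, f"zone_auth?fqdn={ZONE}")[0]["_ref"]
    wapi_call(WAPI, user, password, "permission", "POST",
              zone_permission(GROUP, zone_ref))                # step 4


if __name__ == "__main__":
    main()
```

Checking the schema first catches a WAPI version that lacks `resource_type` before any permission is written.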
