Authentication Tokens (Overview)
Please read the "Authentication Tokens, what are they all about?" blog post for another take on the topic from when it was first introduced to PowerDNS on Rails.
PowerDNS on Rails aims to become a single interface for all aspects of managing DNS infrastructure powered by PowerDNS. This means providing access to domain owners, if required, and APIs for easily integrating with your DNS network.
Leveraging the growing PowerDNS on Rails API can really help you as a developer forget about the low-level nastiness of DNS and use a (soon to be) beautiful REST API. This works for a lot of cases, until you want to start exposing the management of the domains to people registered in your system, without giving them users in PowerDNS on Rails.
Authentication tokens allow you to overcome this issue by requesting PowerDNS on Rails to generate a token with very granular permissions for a specific domain, with an expiry time as well. Tokens therefore don't last forever either, which prevents people from distributing tokens around.
Tokens contain a series of policies, which are used to control the access level a token has. These policies can exist at the domain level or the RR level. The token has the following policy attributes:
Attribute | Possible Values | Usage |
---|---|---|
policy | deny, allow | Is the last checked attribute when deciding whether a token is allowed to perform an action |
new | false, true | Is the token allowed to add new records |
remove | false, true | Is the token allowed to remove records |
allowed | empty, [ [], [] ] | An array of arrays used to indicate which records (by name and type) can be changed |
protected | empty, [ [], [] ] | An array of arrays used to indicate which records (by name and type) must be protected at all cost |
protected_types | empty, [] | An array of record types (A, MX) which can't be changed, no matter what name they have |
The above list exposes the internal workings of the authentication tokens; we recommend using the REST API for generating these tokens.
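A sketch of how the attributes in the table could combine into an access decision, added here as an example and not taken from PowerDNS on Rails. The class name `TokenPolicySketch`, its method names, the treatment of `new` and `remove` as extra gates, and the order of checks are assumptions; the page only states that `policy` is checked last.

```ruby
# Added illustration, not PowerDNS on Rails code. Attribute names come from the
# table above; the check order is an assumption, except that "policy" is last.
class TokenPolicySketch
  DEFAULTS = { "policy" => "deny", "new" => false, "remove" => false,
               "allowed" => [], "protected" => [], "protected_types" => [] }.freeze

  def initialize(attrs = {})
    @p = DEFAULTS.merge(attrs)
  end

  # May the token change an existing record with this name and type?
  def can_change?(name, type)
    name, type = normalize(name), type.to_s.upcase
    # Deny rules first: a protected type or record wins over any allow entry.
    return false if @p["protected_types"].map { |t| t.to_s.upcase }.include?(type)
    return false if listed?(@p["protected"], name, type)
    return true if listed?(@p["allowed"], name, type)
    @p["policy"] == "allow" # default policy is consulted last
  end

  # Assumption: "new" and "remove" are extra gates on top of can_change?.
  def can_add?(name, type)
    @p["new"] == true && can_change?(name, type)
  end

  def can_remove?(name, type)
    @p["remove"] == true && can_change?(name, type)
  end

  private

  # DNS names are case-insensitive and may carry a trailing dot; compare
  # normalized forms so "MAIL.example.com." cannot slip past a protected entry.
  def normalize(name)
    name.to_s.downcase.chomp(".")
  end

  def listed?(pairs, name, type)
    pairs.any? { |n, t| normalize(n) == name && t.to_s.upcase == type }
  end
end

# Constructed sample token for example.com.
SAMPLE_TOKEN = TokenPolicySketch.new(
  "policy" => "deny", "remove" => true,
  "allowed" => [["www.example.com", "A"], ["mail.example.com", "A"]],
  "protected" => [["mail.example.com", "A"]],
  "protected_types" => %w[MX NS]
)
```

In the sample, `mail.example.com` A appears in both `allowed` and `protected`, and the protected entry wins; with `policy` set to `deny`, anything not listed in `allowed` is refused.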
Coming soon