Closed iaean closed 1 year ago
Yes, this can be changed, but it needs a small change in the data structure. I suggest requiring at least the TLD to be specific, otherwise a DNS3L_ group will allow everything. Planned.
Thx. Please avoid new config syntax. We are just changing semantics. An empty TLD is invalid, of course. IMHO it's a bug if a group with prefix and empty TLD is (mis)interpreted as a non-empty TLD.
There is a user with the following groups claim inside a valid ID token:

There is a dns3ld with the following root zones config:

If this user tries to claim a certificate, dns3ld is complaining with the following unexpected error:

{"code":500,"message":"user has no permission for zone 'foo.example.com.'"}

Expected behaviour is that privilege escalation based on a less specific domain suffix is used, which enables the user to modify anything under example.com as mentioned in the docs.

Docs seem to be not specific enough and the API is missing a statement. This will be fixed soon.