PowerDNS Web-GUI - Built by Flask
PowerDNS-Admin supports PowerDNS autoritative server versions 3.4.2 and higher.
I assume that you have already installed powerdns service. Make sure that your /etc/pdns/pdns.conf
has these contents
PowerDNS 4.0.0 and later
api=yes
api-key=your-powerdns-api-key
webserver=yes
PowerDNS before 4.0.0
experimental-json-interface=yes
experimental-api-key=your-powerdns-api-key
webserver=yes
This will enable API access in PowerDNS so PowerDNS-Admin can intergrate with PowerDNS.
We will create a database which used by this web application. Please note that this database is difference from pdns database itself.
You could use any database that SQLAlchemy supports. For example MySQL (you will need to pip install MySQL-python
to use MySQL backend):
MariaDB [(none)]> CREATE DATABASE powerdnsadmin;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON powerdnsadmin.* TO powerdnsadmin@'%' IDENTIFIED BY 'your-password';
For testing purpose, you could also use SQLite as backend. This way you do not have to install MySQL-python
dependency.
In this installation guide, I am using CentOS 7 and run my python stuffs with virtualenv. If you don't have it, lets install it:
$ sudo yum install python-pip
$ sudo pip install virtualenv
In your python web app directory, create a flask
directory via virtualenv
$ virtualenv flask
Enable virtualenv and install python 3rd libraries
$ source ./flask/bin/activate
(flask)$ pip install -r requirements.txt
Web application configuration is stored in config.py
file. Let's clone it from config_template.py
file and then edit it
(flask)$ cp config_template.py config.py
(flask)$ vim config.py
You can configure group based security by tweaking the below parameters in config.py
. Groups membership comes from LDAP.
Setting LDAP_GROUP_SECURITY
to True enables group-based security. With this enabled only members of the two groups listed below are allowed to login. Members of LDAP_ADMIN_GROUP
will get the Administrator role and members of LDAP_USER_GROUP
will get the User role. Sample config below:
LDAP_GROUP_SECURITY = True
LDAP_ADMIN_GROUP = 'CN=PowerDNS-Admin Admin,OU=Custom,DC=ivan,DC=local'
LDAP_USER_GROUP = 'CN=PowerDNS-Admin User,OU=Custom,DC=ivan,DC=local'
Create database after having proper configs
(flask)% ./create_db.py
Run the application and enjoy!
(flask)$ ./run.py
SAML authentication is supported. Setting are retrieved from Metdata-XML. Metadata URL is configured in config.py as well as caching interval. Following Assertions are supported and used by this application:
Microsoft Active Directory Federation Services can be used as Identity Provider for SAML login. The Following rules should be configured to send all attribute information to PowerDNS-Admin. The nameidentifier should be something stable from the idp side. All other attributes are update when singing in.
Name-Identifiers Type is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
c:[Type == "<here goes your source claim>"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
Name-Identifiers Type is "givenname"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"]
=> issue(Type = "givenname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:transient");
Name-Identifiers Type is "surname"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"]
=> issue(Type = "surname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:transient");
Name-Identifiers Type is "email"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "email", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");