<h2>The origins</h2>
<p>Please read the <a href="http://www.opensourcery.co.za/2008/10/07/authentication-tokens-what-are-they-all-about/">Authentication Tokens, what are they all about?</a> blog post for another take on the topic when it was first introduced to PowerDNS on Rails.</p>
<h2>Redux</h2>
<p>PowerDNS on Rails has the aim to become a single interface for all aspects of managing <span class="caps">DNS</span> infrastructure powered by PowerDNS.This means providing access to domain owners, if required, and API’s for easily integrating with your <span class="caps">DNS</span> network.</p>
<p>Leveraging the growing PowerDNS on Rails <span class="caps">API</span> can really help you as developer forget about the low-level nastiness of <span class="caps">DNS</span> and use a (soon to be) beautiful <span class="caps">REST</span> <span class="caps">API</span>. This works for a lot of cases, until you want to start exposing the management of the domains to people registered in <i>your</i> system, without giving them users in PowerDNS on Rails.</p>
<p>Authentication tokens allows you to overcome this issue by requesting PowerDNS on Rails to generate a token with very granular permissions for <i>a specific domain</i> with an expiry time as well. So tokens don’t last for ever either, preventing people from distributing tokens around.</p>
<h2>Token Policies (and defaults)</h2>
<p>Tokens contain a series of policies inside them, which are used to control the access level a token has. These policies can exists on <i>domain level</i> or <i>RR level</i>. The token has the following policy attributes:</p>
<table>
<tr>
<th>Attribute</th>
<th>Possible Values</th>
<th>Usage</th>
</tr>
<tr>
<td>policy</td>
<td><strong>deny</strong>, allow</td>
<td>Is the <i>last</i> checked attribute when deciding whether a token is allowed to perform an action</td>
</tr>
<tr>
<td>new</td>
<td><strong>false</strong>, true</td>
<td>Is the token allowed to add new records</td>
</tr>
<tr>
<td>remove</td>
<td><strong>false</strong>,true</td>
<td>Is the token allowed to remove records</td>
</tr>
<tr>
<td>allowed</td>
<td><strong>empty</strong>, [ [], [] ]</td>
<td>An array of arrays used to indicate which records (by name <i>and</i> type) can be changed</td>
</tr>
<tr>
<td>protected</td>
<td><strong>empty</strong>, [ [], [] ]</td>
<td>An array of arrays used to indicate which records (by name <i>and</i> type) must be protected at all cost</td>
</tr>
<tr>
<td>protected_types</td>
<td><strong>empty</strong>, []</td>
<td>An array of record types (A,MX) which can’t be changed, no matter what name they have</td>
</tr>
</table>
<p><em>The above list exposes the internal workings of the authentication tokens, we recommend using the <span class="caps">REST</span> <span class="caps">API</span> for generating these tokens.</em></p>
<h2>Example Tokens</h2>
<p><i>Coming soon</i></p>
2009-11-26T20:26:04-08:00
139518
authentication-tokens-overview
37131
Authentication Tokens (Overview)
2009-02-18T03:29:49-08:00
8756