PowerDNS-Admin/README.md

# PowerDNS-Admin
PowerDNS Web-GUI - Built by Flask
[![Build Status](https://travis-ci.org/thomasDOTde/PowerDNS-Admin.svg?branch=master)](https://travis-ci.org/thomasDOTde/PowerDNS-Admin)

#### Features:
- Multiple domain management
- Local / LDAP user authentication
- Support Two-factor authentication (TOTP)
- Support SAML authentication
- Google oauth authentication
- Github oauth authentication
- User management
- User access management based on domain
- User activity logging
- Dashboard and pdns service statistics
- DynDNS 2 protocol support
- Edit IPv6 PTRs using IPv6 addresses directly (no more editing of literal addresses!)

## Setup

### PowerDNS Version Support:
PowerDNS-Admin supports PowerDNS autoritative server versions **3.4.2** and higher. 

### pdns Service
I assume that you have already installed powerdns service. Make sure that your `/etc/pdns/pdns.conf` has these contents

PowerDNS 4.0.0 and later
```
api=yes
api-key=your-powerdns-api-key
webserver=yes
```

PowerDNS before 4.0.0
```
experimental-json-interface=yes
experimental-api-key=your-powerdns-api-key
webserver=yes
```

This will enable API access in PowerDNS so PowerDNS-Admin can intergrate with PowerDNS.

### Create Database
We will create a database which used by this web application. Please note that this database is difference from pdns database itself.

You could use any database that SQLAlchemy supports. For example MySQL (you will need to `pip install MySQL-python` to use MySQL backend):
```
MariaDB [(none)]> CREATE DATABASE powerdnsadmin;

MariaDB [(none)]> GRANT ALL PRIVILEGES ON powerdnsadmin.* TO powerdnsadmin@'%' IDENTIFIED BY 'your-password';
```
For testing purpose, you could also use SQLite as backend. This way you do not have to install `MySQL-python` dependency.


### PowerDNS-Admin

In this installation guide, I am using CentOS 7 and run my python stuffs with *virtualenv*. If you don't have it, lets install it:
```
$ sudo yum install python-pip
$ sudo pip install virtualenv
```

In your python web app directory, create a `flask` directory via `virtualenv`
```
$ virtualenv flask
```

Enable virtualenv and install python 3rd libraries
```
$ source ./flask/bin/activate
(flask)$ pip install -r requirements.txt
```

Web application configuration is stored in `config.py` file. Let's clone it from `config_template.py` file and then edit it
```
(flask)$ cp config_template.py config.py 
(flask)$ vim config.py
```

You can configure group based security by tweaking the below parameters in `config.py`. Groups membership comes from LDAP.
Setting `LDAP_GROUP_SECURITY` to True enables group-based security. With this enabled only members of the two groups listed below are allowed to login. Members of `LDAP_ADMIN_GROUP` will get the Administrator role and members of `LDAP_USER_GROUP` will get the User role. Sample config below:
```
LDAP_GROUP_SECURITY = True
LDAP_ADMIN_GROUP = 'CN=PowerDNS-Admin Admin,OU=Custom,DC=ivan,DC=local'
LDAP_USER_GROUP = 'CN=PowerDNS-Admin User,OU=Custom,DC=ivan,DC=local'
```

Create database after having proper configs
```
(flask)% ./create_db.py
```


Run the application and enjoy!
```
(flask)$ ./run.py
```

### SAML Authentication
SAML authentication is supported. Setting are retrieved from Metdata-XML.
Metadata URL is configured in config.py as well as caching interval.
Following Assertions are supported and used by this application:
- nameidentifier in form of email address as user login
- email used as user email address
- givenname used as firstname
- surname used as lastname

### ADFS claim rules as example
Microsoft Active Directory Federation Services can be used as Identity Provider for SAML login.
The Following rules should be configured to send all attribute information to PowerDNS-Admin.
The nameidentifier should be something stable from the idp side. All other attributes are update when singing in.

#### sending the nameidentifier
Name-Identifiers Type is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
```
c:[Type == "<here goes your source claim>"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
```

#### sending the firstname
Name-Identifiers Type is "givenname"
```
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"]
 => issue(Type = "givenname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:transient");
```

#### sending the lastname
Name-Identifiers Type is "surname"
```
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"]
 => issue(Type = "surname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:transient");
```

#### sending the email
Name-Identifiers Type is "email"
```
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "email", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
```

### Screenshots
![login page](https://github.com/ngoduykhanh/PowerDNS-Admin/wiki/images/readme_screenshots/fullscreen-login.png?raw=true)
![dashboard](https://github.com/ngoduykhanh/PowerDNS-Admin/wiki/images/readme_screenshots/fullscreen-dashboard.png?raw=true)
![create domain page](https://github.com/ngoduykhanh/PowerDNS-Admin/wiki/images/readme_screenshots/fullscreen-domaincreate.png?raw=true)
![manage domain page](https://github.com/ngoduykhanh/PowerDNS-Admin/wiki/images/readme_screenshots/fullscreen-domainmanage.png?raw=true)
![two-factor authentication config](https://cloud.githubusercontent.com/assets/6447444/16111111/467f2226-33db-11e6-926a-01b4d15035d2.png)
Create README.md 2015-12-13 11:46:24 +01:00			`# PowerDNS-Admin`
			`PowerDNS Web-GUI - Built by Flask`
added travis status 2017-11-02 02:41:26 +01:00			`[![Build Status](https://travis-ci.org/thomasDOTde/PowerDNS-Admin.svg?branch=master)](https://travis-ci.org/thomasDOTde/PowerDNS-Admin)`
Create README.md 2015-12-13 11:46:24 +01:00
Update README.md 2015-12-13 12:07:10 +01:00			`#### Features:`
Update README.md 2015-12-13 12:07:59 +01:00			`- Multiple domain management`
Update README.md 2015-12-13 12:07:10 +01:00			`- Local / LDAP user authentication`
Update README for new feature. 2016-06-16 11:02:34 +02:00			`- Support Two-factor authentication (TOTP)`
updated documentation and config-template 2017-10-31 23:45:24 +01:00			`- Support SAML authentication`
updated documentation 2017-11-01 22:36:42 +01:00			`- Google oauth authentication`
			`- Github oauth authentication`
Update README.md 2015-12-13 12:07:10 +01:00			`- User management`
Fix some spelling mistakes in README. Add supported version information. 2016-05-27 08:03:59 +02:00			`- User access management based on domain`
Update README.md 2015-12-13 12:07:10 +01:00			`- User activity logging`
			`- Dashboard and pdns service statistics`
Updated README to mention DynDNS 2 support 2016-06-22 00:22:02 +02:00			`- DynDNS 2 protocol support`
Add 'pretty IPv6 PTR' as a feature. 2016-08-20 01:28:59 +02:00			`- Edit IPv6 PTRs using IPv6 addresses directly (no more editing of literal addresses!)`
Update README.md 2015-12-13 12:07:10 +01:00
Create README.md 2015-12-13 11:46:24 +01:00			`## Setup`

Fix some spelling mistakes in README. Add supported version information. 2016-05-27 08:03:59 +02:00			`### PowerDNS Version Support:`
Updated README to include added support for pdns >= 4.0.0 2016-06-09 01:49:50 +02:00			`PowerDNS-Admin supports PowerDNS autoritative server versions 3.4.2 and higher.`
Fix some spelling mistakes in README. Add supported version information. 2016-05-27 08:03:59 +02:00
Create README.md 2015-12-13 11:46:24 +01:00			`### pdns Service`
			I assume that you have already installed powerdns service. Make sure that your `/etc/pdns/pdns.conf` has these contents
Updated README to include added support for pdns >= 4.0.0 2016-06-09 01:49:50 +02:00
			`PowerDNS 4.0.0 and later`
			```
			`api=yes`
			`api-key=your-powerdns-api-key`
			`webserver=yes`
			```

			`PowerDNS before 4.0.0`
Create README.md 2015-12-13 11:46:24 +01:00			```
			`experimental-json-interface=yes`
			`experimental-api-key=your-powerdns-api-key`
			`webserver=yes`
			```
Updated README to include added support for pdns >= 4.0.0 2016-06-09 01:49:50 +02:00
			`This will enable API access in PowerDNS so PowerDNS-Admin can intergrate with PowerDNS.`
Create README.md 2015-12-13 11:46:24 +01:00
			`### Create Database`
			`We will create a database which used by this web application. Please note that this database is difference from pdns database itself.`
Users could use SQLite instead of MySQL 2016-08-12 10:15:38 +02:00
			You could use any database that SQLAlchemy supports. For example MySQL (you will need to `pip install MySQL-python` to use MySQL backend):
Create README.md 2015-12-13 11:46:24 +01:00			```
			`MariaDB [(none)]> CREATE DATABASE powerdnsadmin;`

Fix typo on readme `PRIVILEGES` not `PRIVIELGES` 2016-02-14 07:51:42 +01:00			`MariaDB [(none)]> GRANT ALL PRIVILEGES ON powerdnsadmin.* TO powerdnsadmin@'%' IDENTIFIED BY 'your-password';`
Create README.md 2015-12-13 11:46:24 +01:00			```
Users could use SQLite instead of MySQL 2016-08-12 10:15:38 +02:00			For testing purpose, you could also use SQLite as backend. This way you do not have to install `MySQL-python` dependency.

Create README.md 2015-12-13 11:46:24 +01:00
			`### PowerDNS-Admin`

Fix some spelling mistakes in README. Add supported version information. 2016-05-27 08:03:59 +02:00			`In this installation guide, I am using CentOS 7 and run my python stuffs with virtualenv. If you don't have it, lets install it:`
Create README.md 2015-12-13 11:46:24 +01:00			```
			`$ sudo yum install python-pip`
			`$ sudo pip install virtualenv`
			```

			In your python web app directory, create a `flask` directory via `virtualenv`
			```
			`$ virtualenv flask`
			```

			`Enable virtualenv and install python 3rd libraries`
			```
			`$ source ./flask/bin/activate`
			`(flask)$ pip install -r requirements.txt`
			```

			Web application configuration is stored in `config.py` file. Let's clone it from `config_template.py` file and then edit it
			```
Fix 'config_template.py' copy snippet in README. 2016-04-13 18:11:10 +02:00			`(flask)$ cp config_template.py config.py`
Create README.md 2015-12-13 11:46:24 +01:00			`(flask)$ vim config.py`
			```

Initial support for LDAP group based security. 2016-04-11 14:11:02 +02:00			You can configure group based security by tweaking the below parameters in `config.py`. Groups membership comes from LDAP.
			Setting `LDAP_GROUP_SECURITY` to True enables group-based security. With this enabled only members of the two groups listed below are allowed to login. Members of `LDAP_ADMIN_GROUP` will get the Administrator role and members of `LDAP_USER_GROUP` will get the User role. Sample config below:
			```
			`LDAP_GROUP_SECURITY = True`
			`LDAP_ADMIN_GROUP = 'CN=PowerDNS-Admin Admin,OU=Custom,DC=ivan,DC=local'`
			`LDAP_USER_GROUP = 'CN=PowerDNS-Admin User,OU=Custom,DC=ivan,DC=local'`
			```

Create README.md 2015-12-13 11:46:24 +01:00			`Create database after having proper configs`
Update README.md 2015-12-13 12:10:10 +01:00			```
Fix some spelling mistakes in README. Add supported version information. 2016-05-27 08:03:59 +02:00			`(flask)% ./create_db.py`
Update README.md 2015-12-13 12:10:10 +01:00			```
Create README.md 2015-12-13 11:46:24 +01:00

			`Run the application and enjoy!`
			```
			`(flask)$ ./run.py`
			```
Update README.md 2015-12-13 11:58:26 +01:00
updated documentation and config-template 2017-10-31 23:45:24 +01:00			`### SAML Authentication`
updated documentation 2017-11-01 22:36:42 +01:00			`SAML authentication is supported. Setting are retrieved from Metdata-XML.`
			`Metadata URL is configured in config.py as well as caching interval.`
updated documentation and config-template 2017-10-31 23:45:24 +01:00			`Following Assertions are supported and used by this application:`
			`- nameidentifier in form of email address as user login`
			`- email used as user email address`
			`- givenname used as firstname`
			`- surname used as lastname`

			`### ADFS claim rules as example`
			`Microsoft Active Directory Federation Services can be used as Identity Provider for SAML login.`
			`The Following rules should be configured to send all attribute information to PowerDNS-Admin.`
			`The nameidentifier should be something stable from the idp side. All other attributes are update when singing in.`

			`#### sending the nameidentifier`
			`Name-Identifiers Type is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"`
			```
			`c:[Type == "<here goes your source claim>"]`
			`=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");`
			```

			`#### sending the firstname`
			`Name-Identifiers Type is "givenname"`
			```
			`c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"]`
			`=> issue(Type = "givenname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:transient");`
			```

			`#### sending the lastname`
			`Name-Identifiers Type is "surname"`
			```
			`c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"]`
			`=> issue(Type = "surname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:transient");`
			```

			`#### sending the email`
			`Name-Identifiers Type is "email"`
			```
			`c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]`
			`=> issue(Type = "email", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");`
			```

Add screnshots to show new UI. 2016-05-14 03:42:39 +02:00			`### Screenshots`
			`![login page](https://github.com/ngoduykhanh/PowerDNS-Admin/wiki/images/readme_screenshots/fullscreen-login.png?raw=true)`
			`![dashboard](https://github.com/ngoduykhanh/PowerDNS-Admin/wiki/images/readme_screenshots/fullscreen-dashboard.png?raw=true)`
			`![create domain page](https://github.com/ngoduykhanh/PowerDNS-Admin/wiki/images/readme_screenshots/fullscreen-domaincreate.png?raw=true)`
			`![manage domain page](https://github.com/ngoduykhanh/PowerDNS-Admin/wiki/images/readme_screenshots/fullscreen-domainmanage.png?raw=true)`
Update README for new feature. 2016-06-16 11:02:34 +02:00			`![two-factor authentication config](https://cloud.githubusercontent.com/assets/6447444/16111111/467f2226-33db-11e6-926a-01b4d15035d2.png)`
Add screnshots to show new UI. 2016-05-14 03:42:39 +02:00