In Progress [CPANEL-26332] API Tokens and WHM Function list-zones

[bellwood]

When generating API tokens, I am looking for the privilege specific to the `list-zones` function and do not see it on the page nor do I see an authentication level specified in the documentation:

WHM API 1 Functions - listzones - Developer Documentation - cPanel Documentation

Can anyone chime in as to the token permissions required to use this function?

Thank you.

 

[cPanelMichael]

Hello @bellwood,

listzones is controlled with the Manage DNS Records privilege. It's found under the "Initial Privileges" section in WHM >> Manage API Tokens.

Thank you.

 

[bellwood]

This is incomplete - I have to allow "Everything - All Features `all`" to get a list of every zone on the server.

Seems horribly insecure to need a "god" token to simply get a list of zones.

 

[cPanelMichael]

This is incomplete - I have to allow "Everything - All Features `all`" to get a list of every domain on the server.

Hi @bellwood,

I've reproduced this behavior and opened case CPANEL-26332 to report the issue. I'll monitor this case and update this thread with more information as it becomes available. Note that an additional case (CPANEL-24676) is open to correct this behavior for the listaccts WHM API 1 function. That case is planned for publication with cPanel & WHM version 80.

Thank you.

Post Edit History:
1. Corrected the first case ID to reflect CPANEL-26332.

 

[bellwood]

@cPanelMichael thanks for the stellar customer service. Will keep an eye out for this in v80.

 

[bellwood]

@cPanelMichael I see CPANEL-24676 was remediated 03-21-2019 however as of v80.0.11 I'm still unable to see all zones on a server with just the list-zones token permission.

Interesting as well, the resolution for the case mentions listaccts, not listzones:

• Fixed case CPANEL-24676: API Tokens: Ensure that the listaccts API call respects the 'list-accts' priv.

Could you clarify?

 

[cPanelMichael]

Hello @bellwood,

It looks like CPANEL-26332 was utilized in this thread's title, but incorrectly entered as "CPANEL-24676" in my previous response. Apologies for the confusion. I've edited my previous response to correct this. I'll continue to monitor CPANEL-26332 internally and report back here more information on it's status as it becomes available.

In summary, there are two cases associated with this thread, CPANEL-24676 and CPANEL-26332.

CPANEL-24676 is fixed in version 80: Fixed case CPANEL-24676: API Tokens: Ensure that the listaccts API call respects the 'list-accts' priv.

CPANEL-26332 was opened on March 18th, 2019 to request that the listzones WHM API 1 call returns all DNS zones on the system instead of just the zones owned by the "root" user when the 'manage-dns-records' API token privilege is enabled.

Thank you.

 

[bellwood]

@cPanelMichael any progress on this one by chance? Thanks =)

 

[philb]

Having just tried to switch from using the root credential to API keys (so that password changes don't clobber our script) I have discovered that this appears to still be broken in 11.84; if you authenticate using the root password, you get all zones.

If on the other hand you use an API key issued by root with "Manage DNS Zones" privilege, you only get zones owned by root.

Seems particularly odd that the behaviour differs between the two.