[Openstack] Fine-grained control of designate domain policy
Andrew Bogott
abogott at wikimedia.org
Wed Mar 9 03:48:50 UTC 2016
Due to the weird public/private hybrid nature of my cloud, I frequently
need to abuse policy.conf files in unexpected ways.
Today's challenge is the designate policy. Right now we're running a
custom solution that maintains all public dns entries under a single
domain: wmflabs.org. Here are the current access rules:
Members of any project can:
1) Create any subdomains of wmflabs.org
2) Create records under those subdomains
3) Create records under wmflabs.org
Project members cannot:
4) Alter/delete wmflabs.org
5) Create any domains that are not subdomains of wmflabs.org
6) Alter records or domains managed by other tenants
I see that I can get most of the way there by allowing users the
create/get/update/delete record policies, and restricting the
create/get/update/delete domain policies. That gets me 3, 4, 5 and 6.
I've no idea how/if I can set up a 'special' domain to support 1 and 2.
Does anyone have any suggestions? (Since this is a one-off, I've no
objection to hacking the db directly if that's what it takes to provide
the kind of half-universal ownership I need for wmflabs.org.)
Thank you!
-Andrew
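As an added illustration (not part of the original post, and not a file from the
Wikimedia deployment), here is what the policy split described above looks like
as a Designate policy.json: record rules left at the usual owner-or-admin rule,
domain rules tightened to admin only. The rule names (create_domain,
get_domain, update_domain, delete_domain and the matching record rules) are
assumed to match the Designate release in use; older releases name them
"domain", newer ones "zone", so check the shipped policy.json before copying.
The "owner" rule compares the tenant_id of the target domain or record against
the caller's tenant, which is what keeps one tenant out of another tenant's
records (item 6).

```json
{
    "admin": "role:admin or is_admin:True",
    "owner": "tenant:%(tenant_id)s",
    "admin_or_owner": "rule:admin or rule:owner",
    "default": "rule:admin_or_owner",

    "create_domain": "rule:admin",
    "get_domains": "rule:admin_or_owner",
    "get_domain": "rule:admin_or_owner",
    "update_domain": "rule:admin",
    "delete_domain": "rule:admin",

    "create_record": "rule:admin_or_owner",
    "get_records": "rule:admin_or_owner",
    "get_record": "rule:admin_or_owner",
    "update_record": "rule:admin_or_owner",
    "delete_record": "rule:admin_or_owner"
}
```

Reading rules are left open so members can still list and inspect domains;
only create/update/delete of domains is restricted. This gives items 4, 5 and 6
directly. For records under a shared domain such as wmflabs.org, which tenant_id
Designate places in the policy target (the record's or the parent domain's)
decides whether the owner rule passes for a non-owning tenant, so that part
should be verified against the running version; the per-tenant subdomain
ownership in items 1 and 2 is not expressible with these rules alone, which is
the open question in the post.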