On 20/06/17 12:37, Lawrence J. Albinson wrote:
> I am trying to find pointers to how I might limit non-privileged users
> to a single domain when adding hosts to Designate.
>
> It is a private OpenStack cloud and each user will have a personal
> sub-domain of a common organisational domain, like so:
> fred.organisation.com. and will be able to add hosts such as:
> www.fred.organisation.com.
>
> (The designate back-end is Bind9.)
>
> Any pointers about how to do this would be very gratefully received.
>
> Kind regards, Lawrence
>
> Lawrence J Albinson

Sure - there are a few ways to do this, but the simplest would be the following:

(I am assuming the zone is pre-created by the admin when provisioning the project)

In the policy.json file we have controls for what users can do to zones [1]

I would suggest changing `create_zone`, `delete_zone`, and `update_zone` to `rule:admin`

then the admin can create the zone by running

`openstack zone create --sudo-project-id <project-id> --email test@example.com subdomain.example.com.`

And the zone should be created in the project, and they will have full control of the recordsets inside that zone.

If that does not work, we support "zone transfers" [2] (it's a terrible name) where the admin can create the new sub zone in the admin project and then transfer ownership to the new project.

1 - https://github.com/openstack/designate/blob/master/etc/designate/policy.json#L43-L56
2 - https://docs.openstack.org/developer/python-designateclient/shell-v2-examples.html#working-with-zone-transfer

> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
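The following is an added example, not code from the thread or from Designate itself. It models the effect of the policy.json change suggested in the reply: with the default `rule:admin_or_owner` on `create_zone`, `update_zone` and `delete_zone`, any project member can create or delete zones in their own project (and so is not confined to the sub-domain the admin provisioned); after switching those three actions to `rule:admin`, only an admin can touch zones while members keep the recordset actions inside a zone owned by their project. The `DEFAULT_POLICY` fragment is constructed from memory of the defaults of that era and is an assumption (check the file linked as [1]); the rule evaluator is a deliberately small model of the oslo.policy rule language, not oslo.policy.

```python
import json
import re

# Constructed policy fragment modelled on the Designate policy.json defaults of
# the time (an assumption; the linked file is the authority). Keys in the
# credentials dict follow the "kind" on the left of each check: "tenant",
# "roles", "is_admin".
DEFAULT_POLICY = json.loads("""
{
  "admin": "role:admin or is_admin:True",
  "owner": "tenant:%(tenant_id)s",
  "admin_or_owner": "rule:admin or rule:owner",
  "default": "rule:admin_or_owner",
  "create_zone": "rule:admin_or_owner",
  "get_zones": "rule:admin_or_owner",
  "get_zone": "rule:admin_or_owner",
  "update_zone": "rule:admin_or_owner",
  "delete_zone": "rule:admin_or_owner",
  "create_recordset": "rule:admin_or_owner",
  "get_recordsets": "rule:admin_or_owner",
  "update_recordset": "rule:admin_or_owner",
  "delete_recordset": "rule:admin_or_owner"
}
""")

# Zone-level actions the reply says to restrict to admins.
ZONE_MUTATIONS = ("create_zone", "update_zone", "delete_zone")


def harden_zone_policy(policy):
    """Return a copy of policy with zone create/update/delete limited to rule:admin."""
    hardened = dict(policy)
    for action in ZONE_MUTATIONS:
        hardened[action] = "rule:admin"
    return hardened


def _check(expr, policy, creds, target):
    """Evaluate a small subset of the oslo.policy rule language (simplified model).

    Supported: "a or b", "a and b" ("and" binds tighter), "rule:<name>",
    "role:<role>", "is_admin:True", "<cred>:%(<target_field>)s", "@" (allow)
    and "!" (deny). Unknown rule names deny.
    """
    expr = expr.strip()
    if " or " in expr:
        return any(_check(p, policy, creds, target) for p in expr.split(" or "))
    if " and " in expr:
        return all(_check(p, policy, creds, target) for p in expr.split(" and "))
    if expr == "@":
        return True
    if expr in ("!", ""):
        return False
    kind, _, value = expr.partition(":")
    if kind == "rule":
        return _check(policy.get(value, "!"), policy, creds, target)
    if kind == "role":
        return value in creds.get("roles", ())
    if kind == "is_admin":
        return bool(creds.get("is_admin", False)) == (value == "True")
    match = re.fullmatch(r"%\((\w+)\)s", value)
    if match:  # generic "cred_key:%(target_key)s" comparison, e.g. tenant:%(tenant_id)s
        return str(creds.get(kind)) == str(target.get(match.group(1)))
    return str(creds.get(kind)) == value


def enforce(policy, action, creds, target):
    """True if creds may perform action on target; missing actions use "default"."""
    rule = policy.get(action, policy.get("default", "!"))
    return _check(rule, policy, creds, target)


def zone_actions_open_to_members(policy, project_id="fred-project"):
    """Zone-mutating actions a plain project member could perform on their own
    project under this policy; an empty list means zones are admin-managed."""
    member = {"tenant": project_id, "roles": ["member"], "is_admin": False}
    own = {"tenant_id": project_id}
    return [a for a in ZONE_MUTATIONS if enforce(policy, a, member, own)]


if __name__ == "__main__":
    member = {"tenant": "fred-project", "roles": ["member"], "is_admin": False}
    admin = {"tenant": "admin-project", "roles": ["admin"], "is_admin": True}
    fred_zone = {"tenant_id": "fred-project"}  # target built from the zone's owning project
    hardened = harden_zone_policy(DEFAULT_POLICY)

    print("default, member may:", zone_actions_open_to_members(DEFAULT_POLICY))
    print("hardened, member may:", zone_actions_open_to_members(hardened))
    # The admin provisions the zone into fred's project (the --sudo-project-id
    # step in the reply); fred keeps recordset control inside it, nothing more.
    print("admin create_zone:", enforce(hardened, "create_zone", admin, fred_zone))
    print("member create_recordset (own zone):",
          enforce(hardened, "create_recordset", member, fred_zone))
    print("member create_recordset (other zone):",
          enforce(hardened, "create_recordset", member, {"tenant_id": "other"}))
    print(json.dumps({a: hardened[a] for a in ZONE_MUTATIONS}, indent=2))
```

Two things worth checking after applying the real change: the recordset rules stay on `rule:admin_or_owner`, so a member's control is bounded by the zone their project owns (the `tenant:%(tenant_id)s` owner check against the zone's project), and the zone-transfer rules mentioned under [2] are separate entries that this edit does not touch.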