[openstack-dev] [openstack-ansible][designate][bind9] Looking for ways to limit users to adding hosts within fixed personal domain

Lawrence J. Albinson lawrence at ljalbinson.com
Wed Jun 21 12:26:51 UTC 2017 

Hi Graham,

Many thank for your prompt reply; your suggestion is spot on for my current use case. Again, thanks.

On another note, I see that designate has zone blacklisting that could be used to limit the names of newly created zones using a negative regex. But there is no zone whitelisting. Is there a reason for this?

Kind regards, Lawrence

Lawrence J Albinson
________________________________________
From: Graham Hayes
Sent: 20 June 2017 13:01
To: openstack-dev at lists.openstack.org
Subject: Re: [openstack-dev] [openstack-ansible][designate][bind9] Looking for ways to limit users to adding hosts within fixed personal domain

On 20/06/17 12:37, Lawrence J. Albinson wrote:
> I am trying to find pointers to how I might limit non-privileged users
> to a single domain when adding hosts to Designate.
>
> It is a private OpenStack cloud and each user will have a personal
> sub-domain of a common organisational domain, like so:
> fred.organisation.com. and will be able to add hosts such as:
> www.fred.organisation.com. <http://www.fred.organisation.com.> .
>
> (The designate back-end is Bind9.)
>
> Any pointers about how to do this would be very gratefully received.
>
> Kind regards, Lawrence
>
> Lawrence J Albinson

Sure - there are a few ways to do this, but the simplest would be the
following:

(I am assuming the zone is pre-created by the admin when provisioning
the project)

In the policy.json file we have controls for what users can do to zones
[1]

I would suggest changing

`create_zone`, `delete_zone`, and `update_zone` to `rule:admin`

then the admin can create the zone by running

`openstack zone create --sudo-project-id <project-id> --email
test at example.com subdomain.example.com.`

And the zone should be created in the project, and they will have full
control of the recordsets inside that zone.

If that does not work, we support "zone transfers"[2] (its a terrible
name) where the admin can create the new sub zone in the admin project
and then transfer ownership to the new project.

1 -
https://github.com/openstack/designate/blob/master/etc/designate/policy.json#L43-L56

2 -
https://docs.openstack.org/developer/python-designateclient/shell-v2-examples.html#working-with-zone-transfer
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

More information about the OpenStack-dev mailing list