[openstack-dev] [openstack-ansible][designate][bind9] Looking for ways to limit users to adding hosts within fixed personal domain
Lawrence J. Albinson
lawrence at ljalbinson.com
Wed Jun 21 12:26:51 UTC 2017
Many thanks for your prompt reply; your suggestion is spot on for my current use case. Again, thanks.
On another note, I see that designate has zone blacklisting that could be used to limit the names of newly created zones using a negative regex. But there is no zone whitelisting. Is there a reason for this?
Kind regards, Lawrence
Lawrence J Albinson
From: Graham Hayes
Sent: 20 June 2017 13:01
To: openstack-dev at lists.openstack.org
Subject: Re: [openstack-dev] [openstack-ansible][designate][bind9] Looking for ways to limit users to adding hosts within fixed personal domain
On 20/06/17 12:37, Lawrence J. Albinson wrote:
> I am trying to find pointers to how I might limit non-privileged users
> to a single domain when adding hosts to Designate.
> It is a private OpenStack cloud and each user will have a personal
> sub-domain of a common organisational domain, like so:
> fred.organisation.com. and will be able to add hosts such as:
> www.fred.organisation.com.
> (The designate back-end is Bind9.)
> Any pointers about how to do this would be very gratefully received.
> Kind regards, Lawrence
> Lawrence J Albinson
Sure - there are a few ways to do this, but the simplest would be the
(I am assuming the zone is pre-created by the admin when provisioning
In the policy.json file we have controls for what users can do to zones
I would suggest changing
`create_zone`, `delete_zone`, and `update_zone` to `rule:admin`
then the admin can create the zone by running
`openstack zone create --sudo-project-id <project-id> --email test@example.com subdomain.example.com.`
And the zone should be created in the project, and they will have full
control of the recordsets inside that zone.
If that does not work, we support "zone transfers" (it's a terrible
name) where the admin can create the new sub zone in the admin project
and then transfer ownership to the new project.
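As an added example (not from this thread and not Designate's own code), a small Python check that follows Graham's policy.json advice and Lawrence's blacklist question: it reports which zone rules in a policy fragment are not yet restricted to `rule:admin`, and shows how a single negative-lookahead blacklist pattern can stand in for the zone whitelist Designate lacks. The policy values, the zone names and the assumption that blacklist patterns are applied with Python regular-expression semantics are mine, not the page's.

```python
import json
import re

# Policy rules the reply suggests locking to rule:admin so that only the
# admin can create, delete or update zones; users keep recordset control.
ZONE_ADMIN_RULES = ("create_zone", "delete_zone", "update_zone")


def zone_rules_not_admin_only(policy: dict) -> list:
    """Return the zone rules whose target is anything other than rule:admin."""
    return [rule for rule in ZONE_ADMIN_RULES
            if policy.get(rule) != "rule:admin"]


def blacklisted(zone_name: str, patterns) -> bool:
    """A zone name is rejected if any blacklist regex matches it
    (assumed here: plain Python re.search semantics on lowercase FQDNs)."""
    return any(re.search(p, zone_name) for p in patterns)


# Constructed sample: a permissive policy fragment and the hardened version.
PERMISSIVE_POLICY = json.loads("""{
  "create_zone": "rule:admin_or_owner",
  "update_zone": "rule:admin_or_owner",
  "delete_zone": "rule:admin_or_owner",
  "create_recordset": "rule:admin_or_owner"
}""")
HARDENED_POLICY = dict(PERMISSIVE_POLICY,
                       create_zone="rule:admin",
                       update_zone="rule:admin",
                       delete_zone="rule:admin")

# A whitelist emulated with one blacklist entry: the negative lookahead
# matches (and so blocks) every name that is NOT a sub-zone of
# organisation.com.; the apex organisation.com. itself stays blocked too.
WHITELIST_AS_BLACKLIST = [r"^(?!(?:[a-z0-9-]+\.)+organisation\.com\.$)"]

if __name__ == "__main__":
    print("permissive policy leaves open:",
          zone_rules_not_admin_only(PERMISSIVE_POLICY))
    print("hardened policy leaves open:",
          zone_rules_not_admin_only(HARDENED_POLICY))
    for name in ("fred.organisation.com.", "organisation.com.",
                 "evil.example.com."):
        state = "blocked" if blacklisted(name, WHITELIST_AS_BLACKLIST) else "allowed"
        print(name, state)
```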