[Openstack] Fine-grained control of designate domain policy

Andrew Bogott abogott at wikimedia.org
Wed Mar 9 03:48:50 UTC 2016


     Due to the weird public/private hybrid nature of my cloud, I'm 
frequently needing to abuse policy.conf files in unexpected ways. 
Today's challenge is the designate policy.  Right now we're running a 
custom solution that maintains all public DNS entries under a single 
domain:  wmflabs.org.  Here are the current access rules:

Members of any project can:

1) Create any subdomains of wmflabs.org
2) Create records under those subdomains
3) Create records under wmflabs.org

Project members cannot:

4) Alter/delete wmflabs.org
5) Create any domains that are not subdomains of wmflabs.org
6) Alter records or domains managed by other tenants

     I see that I can get most of the way there by allowing users the 
create/get/update/delete record policies, and restricting the 
create/get/update/delete domain policies.  That gets me 3, 4, 5 and 6. 
I've no idea how/if I can set up a 'special' domain to support 1 and 2. 
Does anyone have any suggestions?  (Since this is a one-off, I've no 
objection to hacking the db directly if that's what it takes to provide 
the kind of half-universal ownership I need for wmflabs.org.)

Thank you!

-Andrew
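The six access rules in the message above, written out as a single decision function so the intended "half-universal ownership" of wmflabs.org can be checked case by case. This is an added reference model, not Designate's policy engine or the poster's configuration; the tenant names and zone names in it are constructed, and `owner` stands for whichever tenant created the object being acted on (None for the shared parent).

```python
# Reference model of the wmflabs.org DNS access rules (added illustration,
# not Designate code). Tenant and zone names below are constructed.

SHARED_PARENT = "wmflabs.org"   # the one domain every project may build under
ACTIONS = {"create", "update", "delete"}


def _norm(name):
    """Canonical form: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def _is_subdomain(name, parent):
    """True for tools.wmflabs.org, False for wmflabs.org itself or evilwmflabs.org."""
    name, parent = _norm(name), _norm(parent)
    return name != parent and name.endswith("." + parent)


def is_allowed(tenant, action, kind, zone, owner=None):
    """Decide whether `tenant` may `action` a `kind` ("domain" or "record").

    `zone` is the domain itself for kind="domain", or the zone containing the
    record for kind="record". `owner` is the tenant owning the object acted on
    (the zone owner for record creation, the record owner for record updates,
    None for the shared parent). Returns (allowed, rule_that_decided).
    """
    if action not in ACTIONS:
        return False, "unknown action"
    zone = _norm(zone)
    shared = zone == SHARED_PARENT
    if not (shared or _is_subdomain(zone, SHARED_PARENT)):
        return False, "rule 5: domain is not under " + SHARED_PARENT
    if kind == "domain":
        if shared:
            return False, "rule 4: the shared parent may not be altered"
        if action == "create":
            return True, "rule 1: any project may create a subdomain"
        if owner != tenant:
            return False, "rule 6: subdomain is managed by another tenant"
        return True, "rule 1: tenant manages its own subdomain"
    if kind == "record":
        if shared and action == "create":
            return True, "rule 3: anyone may add records under the parent"
        if owner is not None and owner != tenant:
            return False, "rule 6: object is managed by another tenant"
        return True, "rule 2/3: tenant acts on its own records or subdomain"
    return False, "unknown kind"
```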
