[Openstack] Fine-grained control of designate domain policy

Kiall Mac Innes kiall at macinnes.ie
Wed Mar 9 14:57:40 UTC 2016


On 09/03/16 03:48, Andrew Bogott wrote:
>     Due to the weird public/private hybrid nature of my cloud, I'm
> frequently needing to abuse policy.conf files in unexpected ways.
> Today's challenge is the designate policy.  Right now we're running a
> custom solution that maintains all public dns entries under a single
> domain:  wmflabs.org.  Here are the current access rules:
>
> Members of any project can:
>
> 1) Create any subdomains of wmflabs.org
> 2) Create records under those subdomains
> 3) Create records under wmflabs.org

For #3 - The zone won't be visible to users whose auth token doesn't
belong to the project within which this (DNS) domain exists. Though, it
sounds like you found something that works for you? The notion of a
"shared" domain is something we've talked about, but never settled on a
good solution.

>
> Project members cannot:
>
> 4) Alter/delete wmflabs.org
> 5) Create any domains that are not subdomains of wmflabs.org
> 6) Alter records or domains managed by other tenants
>
>     I see that I can get most of the way there by allowing users the
> create/get/update/delete record policies, and restricting the
> create/get/update/delete domain policies.  That gets me 3, 4, 5 and 6.
> I've no idea how/if I can set up a 'special' domain to support 1 and
> 2.  Does anyone have any suggestions?  (Since this is a one-off, I've
> no objection to hacking the db directly if that's what it takes to
> provide the kind of half-universal ownership I need for wmflabs.org.)
>

To get #1 and #2 going, you can create the subdomain under the same
project as wmflabs.org, and then use the "Zone Transfer" APIs[1] to
transfer ownership to another project.

Thanks,
Kiall

[1]:
http://docs.openstack.org/developer/designate/rest/v2/zones.html#transfer-zone
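The two-step hand-over described in the reply, as an added offline model (this is example code written for this page, not Designate's implementation or anything from either poster). The request path and body field names follow the v2 zone transfer API linked above; the project names, zone ids and the parent-zone ownership rule in `create_zone` are constructed assumptions used to show why the subzone is first created in the owning project and only then transferred:

```python
"""Offline model of the two-step zone hand-over (constructed example).

Step 1 happens in the project that owns wmflabs.org.: it creates the subzone and then
offers it with POST /v2/zones/{zone_id}/tasks/transfer_requests. Step 2 happens in the
receiving project: it accepts with POST /v2/zones/tasks/transfer_accepts, presenting the
request id and the key. The project/key checks below are this example's reading of that
flow, not Designate's code.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Zone:
    id: str
    name: str          # absolute name, e.g. "tools.wmflabs.org."
    project_id: str    # owning Keystone project


@dataclass
class TransferRequest:
    id: str
    zone_id: str
    key: str                          # secret returned only to the offering project
    target_project_id: Optional[str]  # None means any project holding the key may accept
    status: str = "ACTIVE"


class DesignateModel:
    """Minimal stand-in for the Designate API, enough to show who may do what."""

    def __init__(self) -> None:
        self.zones: Dict[str, Zone] = {}
        self.transfer_requests: Dict[str, TransferRequest] = {}

    def _parent_zone(self, name: str) -> Optional[Zone]:
        # Walk up the labels: tools.wmflabs.org. -> wmflabs.org. -> org.
        labels = name.rstrip(".").split(".")
        for i in range(1, len(labels)):
            candidate = ".".join(labels[i:]) + "."
            for zone in self.zones.values():
                if zone.name == candidate:
                    return zone
        return None

    def create_zone(self, caller_project: str, name: str) -> Zone:
        # Models the point in the reply: a subzone is created in the same project as
        # its parent (assumed rule, for illustration only).
        parent = self._parent_zone(name)
        if parent is not None and parent.project_id != caller_project:
            raise PermissionError(f"{name} is under {parent.name}, owned by another project")
        zone = Zone(id=secrets.token_hex(8), name=name, project_id=caller_project)
        self.zones[zone.id] = zone
        return zone

    def create_transfer_request(self, caller_project: str, zone_id: str,
                                target_project_id: Optional[str] = None) -> TransferRequest:
        # POST /v2/zones/{zone_id}/tasks/transfer_requests  {"target_project_id": ...}
        zone = self.zones[zone_id]
        if zone.project_id != caller_project:
            raise PermissionError("only the owning project may offer a zone for transfer")
        req = TransferRequest(id=secrets.token_hex(8), zone_id=zone_id,
                              key=secrets.token_urlsafe(24),
                              target_project_id=target_project_id)
        self.transfer_requests[req.id] = req
        return req

    def accept_transfer(self, caller_project: str, request_id: str, key: str) -> Zone:
        # POST /v2/zones/tasks/transfer_accepts  {"zone_transfer_request_id": ..., "key": ...}
        req = self.transfer_requests.get(request_id)
        if req is None or req.status != "ACTIVE":
            raise LookupError("no active transfer request with that id")
        if req.target_project_id is not None and req.target_project_id != caller_project:
            raise PermissionError("transfer request is scoped to a different project")
        if not hmac.compare_digest(key, req.key):  # constant-time compare of the secret
            raise PermissionError("transfer key does not match")
        zone = self.zones[req.zone_id]
        zone.project_id = caller_project
        req.status = "COMPLETE"
        return zone


def wmflabs_transfer_flow():
    """The procedure from the reply, run against the model with constructed project names."""
    api = DesignateModel()
    parent = api.create_zone("infra-project", "wmflabs.org.")
    sub = api.create_zone("infra-project", "tools.wmflabs.org.")        # step 1a: same project
    req = api.create_transfer_request("infra-project", sub.id,
                                      target_project_id="tools-project")  # step 1b: offer it
    # The request id and key are handed to the receiving project out of band.
    api.accept_transfer("tools-project", req.id, req.key)               # step 2: accept
    return api, parent, sub, req


if __name__ == "__main__":
    _, parent, sub, req = wmflabs_transfer_flow()
    print(f"{parent.name} stays with {parent.project_id}; "
          f"{sub.name} now owned by {sub.project_id} ({req.status})")
```

The model makes the access boundary explicit: the parent zone never changes hands, the offering side alone sees the key, and an accept from a project other than the named target, or with a wrong key, is refused.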
