On 3/9/16 10:24 AM, Andrew Bogott wrote:
Merlijn has just pointed out that my scheme will not work AT ALL for
http proxies. I think there's a work-around for that, so feel free to
mentally insert 'except for proxies which will stay the same' whenever
necessary while reading this.
To follow up on this last comment... this means that my change should
only affect domain names bound to public IPs that are assigned within
your project. You can check the complete list of such addresses by
visiting https://wikitech.wikimedia.org/wiki/Special:NovaAddress for
your project.
-A
On 3/9/16 9:46 AM, Andrew Bogott wrote:
We're in the process of moving our DNS manipulation web UI out of
wikitech/OpenStackManager and adopting the upstream OpenStack tools
and APIs. As usual, though, our current security/user model is weird
and not especially supported by the upstream models.
Rather than hacking away at Openstack, I'm considering just adopting
their model.
Right now on wikitech, any project admin can:
1) Create records under wmflabs.org
2) Create records under any pre-existing subdomain of wmflabs.org
3) Bind a floating IP to any of the above records
4) Associate an http proxy with any of the above records
5) Ask an admin to create a new subdomain of wmflabs.org for use in
option 2.
The thing that's hard to do with the OpenStack tools is item 1 and 2
-- there's no real conception of a 'global' domain that's shared and
editable among multiple projects. So, I propose a new model where
users can...
1) Create records under <projectname>.wmflabs.org
2) Create records under pre-existing subdomains of wmflabs.org that
belong to the project in question
3) Bind a floating IP to any of the above records
4) Associate an http proxy with any of the above records
5) Ask an admin to create a new project-specific subdomain of
wmflabs.org for use in option 2 (not necessarily a subdomain of
<projectname>.wmflabs.org)
How is that different?
a) there will no longer be any foo.wmflabs.org records, only
foo.<project>.wmflabs.org records.
b) Existing records using the foo.wmflabs.org scheme will have to be
migrated to a project-specific domain, or remain in a weird
in-between state where only admins can see and edit them.
c) If there are any existing subdomains that are shared between
projects, they'll need to be untangled.
So, tell me: How much will this change hurt you, and how much will
it hurt your users? Please be as detailed as possible so that I have
what I need to come up with compromise solutions.
Thank you!
-Andrew
_______________________________________________
Labs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/labs-l
