On 21/06/17 13:26, Lawrence J. Albinson wrote:
> Hi Graham,
>
> Many thanks for your prompt reply; your suggestion is spot on for my current
> use case. Again, thanks.
>
> On another note, I see that designate has zone blacklisting that could be
> used to limit the names of newly created zones using a negative regex. But
> there is no zone whitelisting. Is there a reason for this?

No particular reason - the use case for blacklists was when we were running
it in a public cloud - we wanted to stop users from creating zones that
could be interpreted as "official".

We have a "tld" feature which could be used as a pseudo whitelist - as long
as you want to restrict users to subdomains of a few pre-decided zones.

e.g. setting tlds of "cloud.example.com." and "internal.example.com." will
mean that users can only create *.(cloud|internal).example.com.

Thanks,

- Graham

> Kind regards, Lawrence
>
> Lawrence J Albinson
> ________________________________________
> From: Graham Hayes
> Sent: 20 June 2017 13:01
> To: [email protected]
> Subject: Re: [openstack-dev] [openstack-ansible][designate][bind9] Looking
> for ways to limit users to adding hosts within fixed personal domain
>
> On 20/06/17 12:37, Lawrence J. Albinson wrote:
>> I am trying to find pointers to how I might limit non-privileged users
>> to a single domain when adding hosts to Designate.
>>
>> It is a private OpenStack cloud and each user will have a personal
>> sub-domain of a common organisational domain, like so:
>> fred.organisation.com. and will be able to add hosts such as:
>> www.fred.organisation.com.
>>
>> (The designate back-end is Bind9.)
>>
>> Any pointers about how to do this would be very gratefully received.
>>
>> Kind regards, Lawrence
>>
>> Lawrence J Albinson
>
> Sure - there are a few ways to do this, but the simplest would be the
> following:
>
> (I am assuming the zone is pre-created by the admin when provisioning
> the project)
>
> In the policy.json file we have controls for what users can do to zones
> [1]
>
> I would suggest changing
>
> `create_zone`, `delete_zone`, and `update_zone` to `rule:admin`
>
> then the admin can create the zone by running
>
> `openstack zone create --sudo-project-id <project-id> --email
> [email protected] subdomain.example.com.`
>
> And the zone should be created in the project, and they will have full
> control of the recordsets inside that zone.
>
> If that does not work, we support "zone transfers"[2] (it's a terrible
> name) where the admin can create the new sub zone in the admin project
> and then transfer ownership to the new project.
>
> 1 -
> https://github.com/openstack/designate/blob/master/etc/designate/policy.json#L43-L56
>
> 2 -
> https://docs.openstack.org/developer/python-designateclient/shell-v2-examples.html#working-with-zone-transfer
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: [email protected]?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
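Added illustration of the two name checks discussed above (the blacklist regex and the "tld" list used as a pseudo whitelist). This is a small Python model written for this page, not Designate's own validation code: it assumes blacklist patterns are matched with re.match (anchored at the start of the name), that a configured tld can only be used as a parent (the tld name itself is refused), and it uses a made-up blacklist pattern `^official\.` that is not from the thread. The tld values are the ones from Graham's reply.

```python
import re

# Constructed configuration mirroring the thread's example: two "tlds"
# act as the pseudo whitelist, plus one blacklist regex of the kind the
# public-cloud operators used to keep "official"-looking names out.
TLDS = ["cloud.example.com.", "internal.example.com."]
BLACKLIST = [r"^official\."]  # assumed pattern, not from the thread


def normalize(name):
    """Lower-case a zone name and give it the absolute (trailing-dot) form."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def zone_allowed(zone_name, tlds=TLDS, blacklist=BLACKLIST):
    """Decide whether a user-supplied zone name passes the two name checks.

    Returns (allowed, reason). Simplified model for this page, not
    Designate's code: blacklist patterns are matched with re.match
    (anchored at the start of the name), and when any tlds are configured
    the zone must be a strict subdomain of one of them.
    """
    name = normalize(zone_name)

    # Blacklist: a negative filter, evaluated before anything else.
    for pattern in blacklist:
        if re.match(pattern, name):
            return False, "matches blacklist pattern %r" % pattern

    # No tlds configured: any name is acceptable as far as this check goes.
    if not tlds:
        return True, "no tld restriction configured"

    for tld in (normalize(t) for t in tlds):
        if name == tld:
            # The tld itself is reserved; only names *under* it are allowed.
            return False, "zone name is a configured tld"
        # The leading dot matters: "evilcloud.example.com." must not pass.
        if name.endswith("." + tld):
            return True, "subdomain of tld %r" % tld

    return False, "not under any configured tld"


if __name__ == "__main__":
    for candidate in [
        "fred.cloud.example.com.",        # allowed: under cloud.example.com.
        "www.fred.internal.example.com",  # allowed: relative form normalized
        "fred.example.com.",              # rejected: not under any tld
        "cloud.example.com.",             # rejected: equals a tld
        "evilcloud.example.com.",         # rejected: suffix match needs the dot
        "official.cloud.example.com.",    # rejected: blacklist hits first
    ]:
        print("%-32s %s" % (candidate, zone_allowed(candidate)))
```

Note what the tld list can and cannot express: it confines every project to names under cloud.example.com. or internal.example.com., but it cannot give fred a different parent than alice. The per-user restriction Lawrence asked for still comes from the policy.json change and admin-created, project-owned zones described in the earlier reply; the tld list is only a coarse fence around all of them.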
