Re: [openstack-dev] [openstack-ansible][designate][bind9] Looking for ways to limit users to adding hosts within fixed personal domain

2017-06-21 Thread Graham Hayes
On 21/06/17 13:26, Lawrence J. Albinson wrote:
> Hi Graham,
> 
> Many thanks for your prompt reply; your suggestion is spot on for my current 
> use case. Again, thanks.
> 
> On another note, I see that designate has zone blacklisting that could be 
> used to limit the names of newly created zones using a negative regex. But 
> there is no zone whitelisting. Is there a reason for this?

No particular reason - the use case for blacklists was when we were
running it in a public cloud - we wanted to stop users from creating
zones that could be interpreted as "official".

We have a "tld" feature which could be used as a pseudo-whitelist - as
long as you want to restrict users to subdomains of a few pre-decided
zones.

e.g. setting tlds of "cloud.example.com." and "internal.example.com."
will mean that users can only create *.(cloud|internal).example.com.

Thanks,

- Graham


> Kind regards, Lawrence
> 
> Lawrence J Albinson
> 
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
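
Added example (not part of the thread, and not Designate's own code): a stand-alone Python model of the two name checks Graham describes, a configured TLD list acting as a pseudo-whitelist plus blacklist regexes, applied to candidate zone names. The TLD values are the ones from the message; the blacklist pattern, the sample candidates and all function names are constructed for this example, and Designate keeps both lists in its database rather than in Python constants, so treat the matching logic as a model rather than a copy of the service's code.

```python
import re

# TLDs from the message: users may only create zones below these.
TLDS = ["cloud.example.com.", "internal.example.com."]

# Constructed blacklist: reject any zone containing a label that could be
# read as "official" infrastructure. Each entry is applied as a regex.
BLACKLIST = [r"^(.*\.)?(admin|official|login)\..*$"]


def normalize(zone_name):
    """Lower-case and require an absolute (dot-terminated) zone name."""
    name = zone_name.strip().lower()
    if not name.endswith("."):
        raise ValueError("zone name must be absolute (end with '.'): %r" % zone_name)
    return name


def under_configured_tld(zone_name, tlds=TLDS):
    """True if zone_name is a strict subdomain of one configured TLD.

    With no TLDs configured the check is skipped, so the pseudo-whitelist
    only exists once at least one TLD has been created. The label boundary
    matters: 'evilcloud.example.com.' is not under 'cloud.example.com.'."""
    if not tlds:
        return True
    name = normalize(zone_name)
    for tld in (t.lower() for t in tlds):
        if name != tld and name.endswith("." + tld):
            return True
    return False


def blacklisted(zone_name, patterns=BLACKLIST):
    """True if any blacklist regex matches the (normalized) zone name."""
    name = normalize(zone_name)
    return any(re.match(p, name) for p in patterns)


def validate_zone_name(zone_name, tlds=TLDS, patterns=BLACKLIST):
    """Return (accepted, reason) for a candidate zone name.

    The two mechanisms cover different failure modes: the blacklist alone
    would still let fred.example.com. through, and the TLD list alone
    would let official.cloud.example.com. through."""
    try:
        name = normalize(zone_name)
    except ValueError as exc:
        return False, str(exc)
    if len(name.rstrip(".").split(".")) < 2:
        return False, "zone needs at least two labels"
    if not under_configured_tld(name, tlds):
        return False, "not under a configured TLD"
    if blacklisted(name, patterns):
        return False, "matches a blacklist pattern"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates covering the accept and reject paths.
    for candidate in [
        "fred.cloud.example.com.",        # accepted
        "FRED.Internal.Example.COM.",     # accepted, case-insensitive
        "fred.example.com.",              # not under a TLD
        "cloud.example.com.",             # the TLD itself
        "evilcloud.example.com.",         # label boundary
        "official.cloud.example.com.",    # blacklisted
        "fred.cloud.example.com",         # not absolute
    ]:
        print(candidate, "->", validate_zone_name(candidate))
```

The suffix comparison prepends a dot to each TLD so that a name merely ending in the same characters (evilcloud.example.com.) does not pass; a blacklist regex anchored without that boundary would have the mirror-image problem, which is why the constructed pattern requires the rejected label to sit between dots or at the start.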


Re: [openstack-dev] [openstack-ansible][designate][bind9] Looking for ways to limit users to adding hosts within fixed personal domain

2017-06-21 Thread Lawrence J. Albinson
Hi Graham,

Many thanks for your prompt reply; your suggestion is spot on for my current use 
case. Again, thanks.

On another note, I see that designate has zone blacklisting that could be used 
to limit the names of newly created zones using a negative regex. But there is 
no zone whitelisting. Is there a reason for this?

Kind regards, Lawrence

Lawrence J Albinson



Re: [openstack-dev] [openstack-ansible][designate][bind9] Looking for ways to limit users to adding hosts within fixed personal domain

2017-06-20 Thread Graham Hayes
On 20/06/17 12:37, Lawrence J. Albinson wrote:
> I am trying to find pointers to how I might limit non-privileged users
> to a single domain when adding hosts to Designate.
> 
> It is a private OpenStack cloud and each user will have a personal
> sub-domain of a common organisational domain, like so:
> fred.organisation.com. and will be able to add hosts such as:
> www.fred.organisation.com.
> 
> (The designate back-end is Bind9.)
> 
> Any pointers about how to do this would be very gratefully received.
> 
> Kind regards, Lawrence
> 
> Lawrence J Albinson

Sure - there are a few ways to do this, but the simplest would be the
following:

(I am assuming the zone is pre-created by the admin when provisioning
the project)

In the policy.json file we have controls for what users can do to zones
[1]

I would suggest changing

`create_zone`, `delete_zone`, and `update_zone` to `rule:admin`

then the admin can create the zone by running

`openstack zone create --sudo-project-id  --email
t...@example.com subdomain.example.com.`

And the zone should be created in the project, and they will have full
control of the recordsets inside that zone.

If that does not work, we support "zone transfers"[2] (it's a terrible
name) where the admin can create the new sub zone in the admin project
and then transfer ownership to the new project.

1 -
https://github.com/openstack/designate/blob/master/etc/designate/policy.json#L43-L56

2 -
https://docs.openstack.org/developer/python-designateclient/shell-v2-examples.html#working-with-zone-transfer
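
Added example (not part of the thread, and not Designate's or oslo.policy's own code): a stand-alone Python model of how the policy.json change suggested above plays out. It re-implements just enough of the oslo.policy rule language ("rule:x", "role:x", "is_admin:True", "project_id:%(project_id)s", "and"/"or" with no parentheses) to compare a default-style policy with the hardened one. The default rule strings, the use_sudo key, the credential and zone dictionaries and all function names are assumptions made for this example, not quotations from the linked policy.json.

```python
import re

# Assumed defaults in the spirit of the linked policy.json: zone and
# recordset operations are open to the admin or to the owning project.
DEFAULT_POLICY = {
    "admin": "role:admin or is_admin:True",
    "owner": "project_id:%(project_id)s",
    "admin_or_owner": "rule:admin or rule:owner",
    "create_zone": "rule:admin_or_owner",
    "update_zone": "rule:admin_or_owner",
    "delete_zone": "rule:admin_or_owner",
    "create_recordset": "rule:admin_or_owner",
    "use_sudo": "rule:admin",  # assumed gate for --sudo-project-id
}

# The change suggested in the reply: zone lifecycle becomes admin-only,
# while recordset operations stay with the owning project.
HARDENED_POLICY = dict(
    DEFAULT_POLICY,
    create_zone="rule:admin",
    update_zone="rule:admin",
    delete_zone="rule:admin",
)

_TARGET_REF = re.compile(r"^%\((\w+)\)s$")


def evaluate(policy, expr, creds, target):
    """Evaluate one rule expression: 'or' binds loosest, then 'and'; atoms
    are kind:value where kind is rule, role, is_admin, or a credential
    attribute compared against a literal or a %(target_attr)s reference."""
    expr = expr.strip()
    if " or " in expr:
        return any(evaluate(policy, p, creds, target) for p in expr.split(" or "))
    if " and " in expr:
        return all(evaluate(policy, p, creds, target) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "rule":
        return evaluate(policy, policy[value], creds, target)
    if kind == "role":
        return value in creds.get("roles", ())
    if kind == "is_admin":
        return str(creds.get("is_admin", False)) == value
    ref = _TARGET_REF.match(value)
    if ref:  # e.g. project_id:%(project_id)s: caller's project == target's project
        return str(creds.get(kind)) == str(target.get(ref.group(1)))
    return str(creds.get(kind)) == value


def enforce(policy, action, creds, target):
    """Decide whether creds may perform action on target under policy."""
    return evaluate(policy, policy[action], creds, target)


def provision_zone_as_admin(policy, admin_creds, sudo_project_id, zone_name):
    """Model of `openstack zone create --sudo-project-id <id> ... <zone>`:
    the caller must pass use_sudo, create_zone is then checked against the
    target project, and the resulting zone is owned by that project."""
    if not enforce(policy, "use_sudo", admin_creds, {}):
        raise PermissionError("use_sudo denied")
    target = {"project_id": sudo_project_id}
    if not enforce(policy, "create_zone", admin_creds, target):
        raise PermissionError("create_zone denied")
    return {"name": zone_name, "project_id": sudo_project_id}


# Constructed credentials with hypothetical project ids.
USER = {"project_id": "fred-project", "roles": ["member"]}
ADMIN = {"project_id": "admin-project", "roles": ["admin"], "is_admin": True}


def walkthrough():
    """Compare both policies for the scenario in the thread."""
    own = {"project_id": USER["project_id"]}
    zone = provision_zone_as_admin(HARDENED_POLICY, ADMIN, USER["project_id"],
                                   "fred.organisation.com.")
    return {
        # Default: a member can create any zone in their own project.
        "default_user_create_zone": enforce(DEFAULT_POLICY, "create_zone", USER, own),
        # Hardened: only admins can; owning the project no longer helps.
        "hardened_user_create_zone": enforce(HARDENED_POLICY, "create_zone", USER, own),
        "hardened_user_delete_zone": enforce(HARDENED_POLICY, "delete_zone", USER, zone),
        # Recordsets inside the admin-provisioned zone stay with the user...
        "hardened_user_create_recordset": enforce(HARDENED_POLICY, "create_recordset", USER, zone),
        # ...but not in a zone owned by some other project.
        "hardened_user_recordset_elsewhere": enforce(
            HARDENED_POLICY, "create_recordset", USER, {"project_id": "someone-else"}),
        # A plain member cannot use --sudo-project-id either.
        "user_use_sudo": enforce(HARDENED_POLICY, "use_sudo", USER, {}),
        "zone_owner": zone["project_id"],
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(key, "->", value)
```

The point the model makes explicit is that the hardened policy does not change who owns the zone: the admin creates it into the user's project, so the owner rule still matches for recordsets, while the zone-level rules no longer consult ownership at all.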


[openstack-dev] [openstack-ansible][designate][bind9] Looking for ways to limit users to adding hosts within fixed personal domain

2017-06-20 Thread Lawrence J. Albinson
I am trying to find pointers to how I might limit non-privileged users to a 
single domain when adding hosts to Designate.

It is a private OpenStack cloud and each user will have a personal sub-domain 
of a common organisational domain, like so: fred.organisation.com. and will be 
able to add hosts such as: 
www.fred.organisation.com.

(The designate back-end is Bind9.)

Any pointers about how to do this would be very gratefully received.

Kind regards, Lawrence

Lawrence J Albinson
