Designate does not allow a zone to be shared across domains and projects

Bug #1808590 reported by Pedro Guimarães on 2018-12-14
This bug affects 1 person
Affects: OpenStack Designate Charm
Importance: High
Assigned to: Unassigned

Bug Description

OpenStack: xenial-queens

I need to share a single zone across multiple projects and domains.
When working on a multi-domain scheme, domain A cannot create/delete/update zones from domain B and vice versa.

summary: - Designate does not allow a zone to be shared accross domains
+ Designate does not allow a zone to be shared across domains

We will need to check policy.json with users in two different domains:

Create auth_v3_token_admin.json based on https://github.com/openstack/oslo.policy/blob/master/sample_data/auth_v3_token_admin.json.

Generate the policy file from defaults in code:
oslopolicy-policy-generator --config-dir /etc/designate/ --output-file policy.json --namespace designate
Check what passes and what does not:
oslopolicy-checker --access ./auth_v3_token_admin.json --policy ./policy.json

Changed in charm-designate:
status: New → Confirmed
importance: Undecided → High
milestone: none → 19.04
description: updated
summary: - Designate does not allow a zone to be shared across domains
+ Designate does not allow a zone to be shared across domains and projects
David Ames (thedac) on 2019-04-17
Changed in charm-designate:
milestone: 19.04 → 19.07
David Ames (thedac) on 2019-08-12
Changed in charm-designate:
milestone: 19.07 → 19.10
David Ames (thedac) on 2019-10-24
Changed in charm-designate:
milestone: 19.10 → 20.01
Alex Kavanagh (ajkavanagh) wrote :

This is probably better done (now) with the policy.d overrides options in the designate charm. Note that they are in a 'preview' state (on designate) as the functional tests haven't been done as designate charm tests have not yet been migrated to zaza: https://bugs.launchpad.net/charm-designate/+bug/1845639
