No ability to create zones shared across tenants

Bug #1714088 reported by Arjun Baindur
This bug affects 15 people
Affects: Designate; Importance: Undecided; Assigned to: Erik Olof Gunnar Andersson
Affects: OpenStack Designate Charm; Importance: Wishlist; Assigned to: Unassigned

Bug Description

We have provider networks and external networks shared across tenants. Additionally, regardless of networks or tenants, we might just have a few subdomains that a user in whatever tenant wants to put VMs on, depending on the use case - dev.example.com, infra.example.com, test.example.com - perhaps a developer VM in one subdomain, certain infra applications in another, testbeds in another.

How do we do this?

In the documentation (which is severely lacking): https://docs.openstack.org/python-designateclient/latest/user/shell-v2.html

There doesn't appear to be a way to make it shared, as you can with a neutron network. In fact, there appears to be a zone transfer API, which implies a subdomain/zone is tied to a specific tenant.

This might be a dealbreaker for using Designate.

Revision history for this message
Graham Hayes (grahamhayes) wrote :

Designate does not currently have an RBAC mechanism per zone.

We have talked about it, but we have not found a performant way of storing the data, and it has not been a priority for us.

We are open to suggestions, and designs / code for features though.

I am closing this, as it is not a bug, but we can create a blueprint if we need to.

Changed in designate:
status: New → Invalid
Revision history for this message
Albert Mikaelyan (tahvok) wrote :

In previous versions, like Mitaka, when a polling mechanism was used for integrating dns with neutron,
we had a shared network configured with only one zone under 'admin' project, and it was used by all projects when creating instances. So all instances would be reachable by their domain name, no matter what project they were created in.

However, after upgrading to Ocata we found that the new mechanism (that neutron notifies designate of new machines), does not notify if the zone is not present in the project the instance is created in.

I'm reopening this as a bug, as it is a deterioration of a previous mechanism that worked, and now doesn't.

Changed in designate:
status: Invalid → New
Revision history for this message
Graham Hayes (grahamhayes) wrote :

I think this needs to be converted to a spec, and shared zones / RBAC work started.

Changed in designate:
status: New → Opinion
Revision history for this message
Egle (ushnishtha) wrote :

The ability to share zones across tenants also affects us. Would love to see this implemented.

Revision history for this message
Kevin Stevens (kstev) wrote :

I was going to submit a new bug report, but this seems directly related to my issue.

How to reproduce my specific issue:
User has privileges in Project1 and Project2 projects
1. User creates a shared network "SharedNet" in Project1 with dns_domain "dev.example.com"
2. User creates a zone in Project1 for "dev.example.com"
3. User creates an instance in Project1 attached to "SharedNet". Neutron creates PTR zone/record in the "service" project. Neutron then looks for and finds the associated "dev.example.com" Zone in Project1 and creates an A record there appropriately. (All good so far)
4. User creates an instance in Project2 attached to "SharedNet". Neutron creates the PTR record in the "service" project. Neutron then looks for the associated "dev.example.com" Zone in Project2 but cannot find it and so A record creation fails.

Sharing Neutron networks between projects is a very common use case. As such, Zones should have a similar functionality or Neutron needs to look across projects for the matching domain.

Thanks!
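The four reproduction steps above, modelled as an added example (constructed here, not Designate or Neutron code): zones are owned by exactly one project, so the lookup for an instance in Project2 finds nothing and no A record is created; a hypothetical share table, assumed for illustration, shows what an explicit per-zone share would change.

```python
"""Per-project zone lookup as described in the reproduction steps (constructed model)."""
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    project_id: str  # a zone has a single owning project
    records: dict = field(default_factory=dict)


@dataclass
class Registry:
    zones: list = field(default_factory=list)
    # Hypothetical share table (assumption): (zone name, project allowed to use it).
    shares: set = field(default_factory=set)

    def find_zone(self, name, project_id, honour_shares=False):
        """Return the zone as seen from project_id, or None if it is not visible there."""
        for z in self.zones:
            if z.name != name:
                continue
            if z.project_id == project_id:
                return z  # owner project: always visible
            if honour_shares and (z.name, project_id) in self.shares:
                return z  # explicitly shared with this project
        return None

    def create_a_record(self, instance, dns_domain, project_id, honour_shares=False):
        """Neutron-style integration: the record is only created if the zone is visible."""
        zone = self.find_zone(dns_domain, project_id, honour_shares)
        if zone is None:
            return False  # step 4 in the report: lookup in Project2 fails
        zone.records[f"{instance}.{dns_domain}"] = "A"
        return True


def reproduce():
    reg = Registry()
    reg.zones.append(Zone("dev.example.com.", "Project1"))  # step 2: zone in Project1
    step3 = reg.create_a_record("vm-a", "dev.example.com.", "Project1")  # succeeds
    step4 = reg.create_a_record("vm-b", "dev.example.com.", "Project2")  # fails
    # Hypothetical fix: Project1 shares the zone with Project2, lookup honours shares.
    reg.shares.add(("dev.example.com.", "Project2"))
    shared = reg.create_a_record("vm-b", "dev.example.com.", "Project2", honour_shares=True)
    return step3, step4, shared
```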

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to designate (master)

Fix proposed to branch: master
Review: https://review.opendev.org/726334

Changed in designate:
assignee: nobody → Igor Malinovskiy (imalinovskiy)
status: Opinion → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to designate-tempest-plugin (master)

Fix proposed to branch: master
Review: https://review.opendev.org/730370

Changed in designate:
assignee: Igor Malinovskiy (imalinovskiy) → Erik Olof Gunnar Andersson (eandersson)
Changed in designate:
assignee: Erik Olof Gunnar Andersson (eandersson) → Igor Malinovskiy (imalinovskiy)
Revision history for this message
Igor Malinovskiy (imalinovskiy) wrote :

@eandersson @grahamhayes Could you please review the proposed fix for this issue https://review.opendev.org/#/c/726334/?

Changed in designate:
assignee: Igor Malinovskiy (imalinovskiy) → Erik Olof Gunnar Andersson (eandersson)
Changed in designate:
assignee: Erik Olof Gunnar Andersson (eandersson) → Igor Malinovskiy (imalinovskiy)
Changed in designate:
assignee: Igor Malinovskiy (imalinovskiy) → Nicolas Bock (nicolasbock)
Revision history for this message
Rafał Radziejewski (rafrad1994) wrote :

In which versions of Designate can we already share zones between many projects? Because I have the same problem on Designate 9.0.0.

Revision history for this message
Rafał Radziejewski (rafrad1994) wrote :

Can anybody tell me whether I can find this change in the Ussuri release? Or in which release can I find it?

Revision history for this message
Andre Ruiz (andre-ruiz) wrote :

As this is being proposed on master branch, at this date, it probably means that Ussuri is not an option anymore and this will land on Victoria. But I would love to be wrong because this also affects me in a big way.

Changed in designate:
assignee: Nicolas Bock (nicolasbock) → Igor Malinovskiy (imalinovskiy)
Revision history for this message
Drew Freiberger (afreiberger) wrote :

I am adding the project charm-designate to this bug for the product team to investigate if this can be backported to LTS cloud releases once merged and to integrate any policy/config changes necessary into the charm.

Revision history for this message
Adam Dyess (addyess) wrote :

Tagging as field-medium to triage some possibilities for workarounds or guidance

Changed in designate:
assignee: Igor Malinovskiy (imalinovskiy) → Erik Olof Gunnar Andersson (eandersson)
Revision history for this message
Billy Olsen (billy-olsen) wrote :

Unsubscribing field-medium as this is not eligible due to being a feature request that is not yet available in upstream designate.

Changed in charm-designate:
status: New → Triaged
importance: Undecided → Wishlist
Revision history for this message
Paul Goins (vultaire) wrote :

The upstream review has stagnated as a later reviewer -1'd the MR with a lot of feedback regarding things that ought to change.

The original submitter of this MR appears to have not touched it since 2020-10-15. To meet the requirements of the recent review, we likely need someone willing to either take this MR over and address the shortcomings, or to propose an alternate solution.

This report contains Public information.
Everyone can see this information.