No ability to create zones shared across tenants

Designate does not currently have an RBAC mechanism per zone.

We have talked about it, but we have not found a performant way of storing the data, and it has not been a priority for us.

We are open to suggestions, and designs / code for features though.

I am closing this, as it is not bug, but we can create a blueprint if we need to.

In previous versions, like Mitaka, when a polling mechanism was used for integrating dns with neutron,
we had a shared network configured with only one zone under 'admin' project, and it was used by all projects when creating instances. So all instances would be reachable by their domain name, no matter what project they were created in.

However, after upgrading to Ocata we found that the new mechanism (that neutron notifies designate of new machines), does not notify if the zone is not present in the project the instance is created in.

I'm reopening this as a bug, as it is a deterioration of a previous mechanism that worked, and now doesn't.

I think this needs to be converted to a spec, and shared zones / RBAC work started.

The ability to share zones across tenants also affects us. Would love to see this implemented.

I was going to submit a new bug report but this this seems directly related to my issue.

How to reproduce my specific issue:
User has privileges in Project1 and Project2 projects
1. User creates a shared network "SharedNet" in Project1 with dns_domain "dev.example.com"
2. User creates a zone in Project1 for "dev.example.com"
3. User creates an instance in Project1 attached to "SharedNet". Neutron creates PTR zone/record in the "service" project. Neutron then looks for and finds the associated "dev.example.com" Zone in Project1 and creates an A record there appropriately. (All good so far)
4. User creates an instance in Project2 attached to "SharedNet". Neutron creates the PTR record in the "service" project. Neutron then looks for the associated "dev.example.com" Zone in Project2 but cannot find it and so A record creation fails.

Sharing Neutron networks between projects is a very common use case. As such, Zones should have a similar functionality or Neutron needs to look across projects for the matching domain.

Thanks!

Fix proposed to branch: master
Review: https://review.opendev.org/726334

Fix proposed to branch: master
Review: https://review.opendev.org/730370

@eandersson @grahamhayes Could you please review the proposed fix for this issue https://review.opendev.org/#/c/726334/?

In which versions of designate we can share zones already between many projects ? Because i have the same problem on 9.0.0 designate

Anybody can answer me if i can find this change in Ussuri release ? Or in which release can i find it ?

As this is being proposed on master branch, at this date, it probably means that Ussuri is not an option anymore and this will land on Victoria. But I would love to be wrong because this also affects me in a big way.

I am adding the project charm-designate to this bug for the product team to investigate if this can be backported to LTS cloud releases once merged and to integrate any policy/config changes necessary into the charm.

Tagging as field-medium to triage some possibilities for workarounds or guidance

Unsubscribing field-medium as this is not eligible due to being a feature request that is not yet available in upstream designate.

The upstream review has stagnated as a later reviewer -1'd the MR with a lot of feedback regarding things that ought to change.

The original submitter of this MR appears to have not touched it since 2020-10-15. To meet the requirements of the recent review, we likely need someone willing to either take this MR over and address the shortcomings, or to propose an alternate solution.

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/designate-tempest-plugin/+/858525

Change abandoned by "Sergey Drozdov <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/designate-tempest-plugin/+/858525
Reason: Duplicate

Change abandoned by "Erik Olof Gunnar Andersson <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/designate/+/726334

Reviewed: https://review.opendev.org/c/openstack/designate/+/726334
Committed: https://opendev.org/openstack/designate/commit/f39704dcd813ac26349faf1dd4b563d55e713c09
Submitter: "Zuul (22348)"
Branch: master

commit f39704dcd813ac26349faf1dd4b563d55e713c09
Author: Igor Malinovskiy <email address hidden>
Date: Sun Apr 26 18:04:03 2020 +0300

    Implement sharing of zones

    Author: Igor Malinovskiy <email address hidden>
    Co-Authored-By: Sergey Drozdov <<email address hidden>, <email address hidden>>
    Co-Authored-By: Michael Johnson <email address hidden>

    Change-Id: Ibd780f3c695a95be00ff97d7736d5a0bebea79b9
    Closes-Bug: #1714088
    Depends-On: https://review.opendev.org/c/openstack/designate-tempest-plugin/+/872069

Reviewed: https://review.opendev.org/c/openstack/designate-tempest-plugin/+/730370
Committed: https://opendev.org/openstack/designate-tempest-plugin/commit/a84e3194adf72fb2eb87f0c563065bb089b0d192
Submitter: "Zuul (22348)"
Branch: master

commit a84e3194adf72fb2eb87f0c563065bb089b0d192
Author: Igor Malinovskiy <email address hidden>
Date: Fri May 22 19:10:50 2020 +0300

    Add tempest tests for shared zones

    This patch adds API and scenario test coverage for the shard zones
    feature.

    Author: Igor Malinovskiy <email address hidden>
    Co-Authored-By: Sergey Drozdov <<email address hidden>, <email address hidden>>
    Co-Authored-By: Michael Johnson <email address hidden>

    Change-Id: I53a1e4676c5bbb63bee0c4bb91eac03c95dd3a3c
    Partial-Bug: #1714088
    Depends-On: https://review.opendev.org/726334

This issue was fixed in the openstack/designate 16.0.0.0rc1 release candidate.