Designate Policies¶

Warning

JSON formatted policy file is deprecated since Designate 12.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

Designate, like most OpenStack services, supports Role Based Access Control (RBAC) using oslo policy to define default RBAC policies in the Designate code. These default policies can be overridden by operators using a yaml policy file. For a sample policy file, refer to policy.yaml.

Currently Designate defaults to the OpenStack legacy “admin or owner” scheme, but Designate also supports a newer RBAC model using Keystone Default Roles and Keystone Scoped Tokens via configuration settings.

Enabling Keystone Default Roles and Scoped Tokens¶

Starting with the Xena release of Designate, Keystone token scopes and default roles can be enforced. By default, in the Xena release, oslo policy will not be enforcing these new roles and scopes. However, at some point in the future they may become the default. You may want to enable them now to be ready for the later transition. This section will describe those settings.

The Oslo Policy project defines two configuration settings, among others, that can be set in the Designate configuration file to influence how policies are handled by Designate. Those two settings are enforce_scope and enforce_new_defaults.

When you enable Keystone Default Roles and Keystone Scoped Tokens the Designate policy honors the following roles:

System scoped - Admin
System scoped - Reader
Project scoped - Reader
Project scoped - Member

[oslo_policy] enforce_scope¶

Keystone has introduced the concept of token scopes. To ensure backward compatibility, Oslo Policy does not enforce scope validation of tokens by default.

In the Xena release, Designate supports enforcing Keystone token scopes. To enable Keystone token scoping, add the following to your Designate configuration file:

[oslo_policy]
enforce_scope = True

The primary effect of this setting is to allow a system scoped admin token when performing administrative API calls to the Designate API. The Designate API already enforces the project scoping in Keystone tokens.

[oslo_policy] enforce_new_defaults¶

The Designate Xena release added support for Keystone Default Roles in the default policies. To be backward compatible, Oslo Policy currently uses deprecated policies that do not require the new Keystone Default Roles by default.

Designate supports requiring these new Keystone Default Roles as of the Xena release. To start requiring these roles in Designate, enable the new policies by adding the following setting to your Designate configuration file:

[oslo_policy]
enforce_new_defaults = True

Example OpenStack Client Command¶

After you have enabled enforce_new_defaults and enforce_scope, administrative commands require a system scoped admin token. An example OpenStack Client command to create a Top Level Domain (TLD) would look like:

openstack --os-system-scope all --os-auth-url <identity endpoint URL> --os-password <admin password> --os-username admin --os-user-domain-name default create tld --name example.org

Oslo Tools For Policy Management¶

This section describes how to use Oslo Policy tools to managing Designate policies.

Sample File Generation¶

To generate a sample policy.yaml file from the Designate defaults, run the oslo policy generation script:

oslopolicy-sample-generator
--config-file etc/designate/designate-policy-generator.conf
--output-file policy.yaml.sample

Merged File Generation¶

To generate a policy file which shows the effective policy in use by the project, including all registered policy defaults and the policy overrides included in a policy.yaml file, run this command:

oslopolicy-policy-generator
--config-file etc/designate/designate-policy-generator.conf

This tool uses the output_file path from the config-file.

List Redundant Configurations¶

To generate a list of matches for policy rules that are defined in a configuration file where the rule does not differ from a registered default rule, run this command:

oslopolicy-list-redundant
--config-file etc/designate/designate-policy-generator.conf

These are rules that can be removed from the policy file with no change in effective policy.

Designate Default Policy Overview¶

The following is an overview of all available policies in Designate. For a sample configuration file, refer to policy.yaml.

designate¶

admin

Default:: role:admin or is_admin:True

(no description provided)

owner

Default:: project_id:%(tenant_id)s

(no description provided)

admin_or_owner

Default:: rule:admin or rule:owner

(no description provided)

default

Default:: (role:admin) or (role:member and project_id:%(project_id)s)

(no description provided)

create_blacklist

Default:

role:admin

Operations:

POST /v2/blacklists

Scope Types:

project

Create blacklist.

find_blacklists

Default:

role:admin

Operations:

GET /v2/blacklists

Scope Types:

project

Find blacklists.

get_blacklist

Default:

role:admin

Operations:

GET /v2/blacklists/{blacklist_id}

Scope Types:

project

Get blacklist.

update_blacklist

Default:

role:admin

Operations:

PATCH /v2/blacklists/{blacklist_id}

Scope Types:

project

Update blacklist.

delete_blacklist

Default:

role:admin

Operations:

DELETE /v2/blacklists/{blacklist_id}

Scope Types:

project

Delete blacklist.

use_blacklisted_zone

Default:

role:admin

Operations:

POST /v2/zones

Scope Types:

project

Allowed bypass the blacklist.

all_tenants

Default:

role:admin

Scope Types:

project

Action on all tenants.

edit_managed_records

Default:

role:admin

Scope Types:

project

Edit managed records.

use_low_ttl

Default:

role:admin

Scope Types:

project

Use low TTL.

use_sudo

Default:

role:admin

Scope Types:

project

Accept sudo from user to tenant.

hard_delete

Default:

role:admin

Scope Types:

project

Clean backend resources associated with zone

create_pool

Default:

role:admin

Scope Types:

project

Create pool.

find_pools

Default:

role:admin

Operations:

GET /v2/pools

Scope Types:

project

Find pool.

find_pool

Default:

role:admin

Operations:

GET /v2/pools

Scope Types:

project

Find pools.

get_pool

Default:

role:admin

Operations:

GET /v2/pools/{pool_id}

Scope Types:

project

Get pool.

update_pool

Default:

role:admin

Scope Types:

project

Update pool.

delete_pool

Default:

role:admin

Scope Types:

project

Delete pool.

zone_create_forced_pool

Default:

role:admin

Operations:

POST /v2/zones

Scope Types:

project

load and set the pool to the one provided in the Zone attributes.

get_quotas

Default:

(role:admin) or (role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)

Operations:

GET /v2/quotas

Scope Types:

project

View Current Project’s Quotas.

set_quota

Default:

role:admin

Operations:

PATCH /v2/quotas/{project_id}

Scope Types:

project

Set Quotas.

reset_quotas

Default:

role:admin

Operations:

DELETE /v2/quotas/{project_id}

Scope Types:

project

Reset Quotas.

find_records

Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Operations:

GET /v2/reverse/floatingips/{region}:{floatingip_id}
GET /v2/reverse/floatingips

Scope Types:

project

Find records.

count_records

Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Scope Types:

project

(no description provided)

create_recordset

Default:

(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('SECONDARY':%(zone_type)s) or ("True":%(zone_shared)s) and ('PRIMARY':%(zone_type)s)

Operations:

POST /v2/zones/{zone_id}/recordsets

Scope Types:

project

Create Recordset

get_recordsets

Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Scope Types:

project

(no description provided)

get_recordset

Default:

(role:admin) or (role:reader and project_id:%(project_id)s) or ("True":%(zone_shared)s)

Operations:

GET /v2/zones/{zone_id}/recordsets/{recordset_id}

Scope Types:

project

Get recordset

find_recordset

Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Scope Types:

project

List a Recordset in a Zone

find_recordsets

Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Operations:

GET /v2/zones/{zone_id}/recordsets

Scope Types:

project

List Recordsets in a Zone

update_recordset

Default:

(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('SECONDARY':%(zone_type)s) or role:member and (project_id:%(recordset_project_id)s) and ('PRIMARY':%(zone_type)s)

Operations:

PUT /v2/zones/{zone_id}/recordsets/{recordset_id}

Scope Types:

project

Update recordset

delete_recordset

Default:

(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('SECONDARY':%(zone_type)s) or role:member and (project_id:%(recordset_project_id)s) and ('PRIMARY':%(zone_type)s)

Operations:

DELETE /v2/zones/{zone_id}/recordsets/{recordset_id}

Scope Types:

project

Delete RecordSet

count_recordset

Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Scope Types:

project

Count recordsets

find_service_status

Default:

role:admin

Operations:

GET /v2/service_status/{service_id}

Scope Types:

project

Find a single Service Status

find_service_statuses

Default:

role:admin

Operations:

GET /v2/service_status

Scope Types:

project

List service statuses.

update_service_status

Default:

role:admin

Scope Types:

project

(no description provided)

get_zone_share

Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:

GET /v2/zones/{zone_id}/shares/{zone_share_id}

Scope Types:

project

Get a Zone Share

share_zone

Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:

POST /v2/zones/{zone_id}/shares

Scope Types:

project

Share a Zone

find_zone_shares

Default:

@

Operations:

GET /v2/zones/{zone_id}/shares

List Shared Zones

find_project_zone_share

Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Scope Types:

project

Check the can query for a specific projects shares.

unshare_zone

Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /v2/zones/{zone_id}/shares/{shared_zone_id}

Scope Types:

project

Unshare Zone

find_tenants

Default:

role:admin

Scope Types:

project

Find all Tenants.

get_tenant

Default:

role:admin

Scope Types:

project

Get all Tenants.

count_tenants

Default:

role:admin

Scope Types:

project

Count tenants

create_tld

Default:

role:admin

Operations:

POST /v2/tlds

Scope Types:

project

Create Tld

find_tlds

Default:

role:admin

Operations:

GET /v2/tlds

Scope Types:

project

List Tlds

get_tld

Default:

role:admin

Operations:

GET /v2/tlds/{tld_id}

Scope Types:

project

Show Tld

update_tld

Default:

role:admin

Operations:

PATCH /v2/tlds/{tld_id}

Scope Types:

project

Update Tld

delete_tld

Default:

role:admin

Operations:

DELETE /v2/tlds/{tld_id}

Scope Types:

project

Delete Tld

create_tsigkey

Default:

role:admin

Operations:

POST /v2/tsigkeys

Scope Types:

project

Create Tsigkey

find_tsigkeys

Default:

role:admin

Operations:

GET /v2/tsigkeys

Scope Types:

project

List Tsigkeys

get_tsigkey

Default:

role:admin

Operations:

GET /v2/tsigkeys/{tsigkey_id}

Scope Types:

project

Show a Tsigkey

update_tsigkey

Default:

role:admin

Operations:

PATCH /v2/tsigkeys/{tsigkey_id}

Scope Types:

project

Update Tsigkey

delete_tsigkey

Default:

role:admin

Operations:

DELETE /v2/tsigkeys/{tsigkey_id}

Scope Types:

project

Delete a Tsigkey

create_zone

Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:

POST /v2/zones

Scope Types:

project

Create Zone

get_zones

Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Scope Types:

project

(no description provided)

get_zone

Default:

(role:admin) or (role:reader and project_id:%(project_id)s) or ("True":%(zone_shared)s)

Operations:

GET /v2/zones/{zone_id}

Scope Types:

project

Get Zone

get_zone_servers

Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Scope Types:

project

(no description provided)

get_zone_ns_records

Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Operations:

GET /v2/zones/{zone_id}/nameservers

Scope Types:

project

Get the Name Servers for a Zone

find_zones

Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Operations:

GET /v2/zones

Scope Types:

project

List existing zones

update_zone

Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:

PATCH /v2/zones/{zone_id}

Scope Types:

project

Update Zone

delete_zone

Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /v2/zones/{zone_id}

Scope Types:

project

Delete Zone

xfr_zone

Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:

POST /v2/zones/{zone_id}/tasks/xfr

Scope Types:

project

Manually Trigger an Update of a Secondary Zone

abandon_zone

Default:

role:admin

Operations:

POST /v2/zones/{zone_id}/tasks/abandon

Scope Types:

project

Abandon Zone

count_zones

Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Scope Types:

project

(no description provided)

count_zones_pending_notify

Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Scope Types:

project

(no description provided)

purge_zones

Default:

role:admin

Scope Types:

project

(no description provided)

pool_move_zone

Default:

role:admin

Operations:

POST /v2/zones/{zone_id}/tasks/pool_move

Scope Types:

project

Pool Move Zone

zone_export

Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:

GET /v2/zones/tasks/exports/{zone_export_id}/export

Scope Types:

project

Retrive a Zone Export from the Designate Datastore

create_zone_export

Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:

POST /v2/zones/{zone_id}/tasks/export

Scope Types:

project

Create Zone Export

find_zone_exports

Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Operations:

GET /v2/zones/tasks/exports

Scope Types:

project

List Zone Exports

get_zone_export

Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Operations:

GET /v2/zones/tasks/exports/{zone_export_id}

Scope Types:

project

Get Zone Exports

update_zone_export

Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:

POST /v2/zones/{zone_id}/tasks/export

Scope Types:

project

Update Zone Exports

delete_zone_export

Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /v2/zones/tasks/exports/{zone_export_id}

Scope Types:

project

Delete a zone export

create_zone_import

Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:

POST /v2/zones/tasks/imports

Scope Types:

project

Create Zone Import

find_zone_imports

Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Operations:

GET /v2/zones/tasks/imports

Scope Types:

project

List all Zone Imports

get_zone_import

Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Operations:

GET /v2/zones/tasks/imports/{zone_import_id}

Scope Types:

project

Get Zone Imports

update_zone_import

Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:

POST /v2/zones/tasks/imports

Scope Types:

project

Update Zone Imports

delete_zone_import

Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /v2/zones/tasks/imports/{zone_import_id}

Scope Types:

project

Delete a Zone Import

create_zone_transfer_accept

Default:

((role:admin) or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s

Operations:

POST /v2/zones/tasks/transfer_accepts

Scope Types:

project

Create Zone Transfer Accept

get_zone_transfer_accept

Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Operations:

GET /v2/zones/tasks/transfer_requests/{zone_transfer_accept_id}

Scope Types:

project

Get Zone Transfer Accept

find_zone_transfer_accepts

Default:

role:admin

Operations:

GET /v2/zones/tasks/transfer_accepts

Scope Types:

project

List Zone Transfer Accepts

create_zone_transfer_request

Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:

POST /v2/zones/{zone_id}/tasks/transfer_requests

Scope Types:

project

Create Zone Transfer Accept

get_zone_transfer_request

Default:

((role:admin) or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s

Operations:

GET /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}

Scope Types:

project

Show a Zone Transfer Request

get_zone_transfer_request_detailed

Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Scope Types:

project

(no description provided)

find_zone_transfer_requests

Default:

@

Operations:

GET /v2/zones/tasks/transfer_requests

List Zone Transfer Requests

update_zone_transfer_request

Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:

PATCH /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}

Scope Types:

project

Update a Zone Transfer Request

delete_zone_transfer_request

Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}

Scope Types:

project

Delete a Zone Transfer Request

Designate Policies

Designate Policies¶

Enabling Keystone Default Roles and Scoped Tokens¶

[oslo_policy] enforce_scope¶

[oslo_policy] enforce_new_defaults¶

Example OpenStack Client Command¶

Oslo Tools For Policy Management¶

Sample File Generation¶

Merged File Generation¶

List Redundant Configurations¶

Designate Default Policy Overview¶

designate¶

designate 18.0.1.dev4

Page Contents