Designate Policies¶
Warning
JSON formatted policy file is deprecated since Designate 12.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.
Designate, like most OpenStack services, supports Role Based Access Control (RBAC) using oslo policy to define default RBAC policies in the Designate code. These default policies can be overridden by operators using a yaml policy file. For a sample policy file, refer to policy.yaml.
Currently Designate defaults to the OpenStack legacy “admin or owner” scheme, but Designate also supports a newer RBAC model using Keystone Default Roles and Keystone Scoped Tokens via configuration settings.
Enabling Keystone Default Roles and Scoped Tokens¶
Starting with the Xena release of Designate, Keystone token scopes and default roles can be enforced. By default, in the Xena release, oslo policy will not be enforcing these new roles and scopes. However, at some point in the future they may become the default. You may want to enable them now to be ready for the later transition. This section will describe those settings.
The Oslo Policy project defines two configuration settings, among others, that can be set in the Designate configuration file to influence how policies are handled by Designate. Those two settings are enforce_scope and enforce_new_defaults.
When you enable Keystone Default Roles and Keystone Scoped Tokens the Designate policy honors the following roles:
System scoped - Admin
System scoped - Reader
Project scoped - Reader
Project scoped - Member
[oslo_policy] enforce_scope¶
Keystone has introduced the concept of token scopes. To ensure backward compatibility, Oslo Policy does not enforce scope validation of tokens by default.
In the Xena release, Designate supports enforcing Keystone token scopes. To enable Keystone token scoping, add the following to your Designate configuration file:
[oslo_policy]
enforce_scope = True
The primary effect of this setting is to allow a system scoped admin token when performing administrative API calls to the Designate API. The Designate API already enforces the project scoping in Keystone tokens.
[oslo_policy] enforce_new_defaults¶
The Designate Xena release added support for Keystone Default Roles in the default policies. To be backward compatible, Oslo Policy currently uses deprecated policies that do not require the new Keystone Default Roles by default.
Designate supports requiring these new Keystone Default Roles as of the Xena release. To start requiring these roles in Designate, enable the new policies by adding the following setting to your Designate configuration file:
[oslo_policy]
enforce_new_defaults = True
Example OpenStack Client Command¶
After you have enabled enforce_new_defaults and enforce_scope, administrative commands require a system scoped admin token. An example OpenStack Client command to create a Top Level Domain (TLD) would look like:
openstack --os-system-scope all --os-auth-url <identity endpoint URL> --os-password <admin password> --os-username admin --os-user-domain-name default create tld --name example.org
Oslo Tools For Policy Management¶
This section describes how to use Oslo Policy tools to managing Designate policies.
Sample File Generation¶
To generate a sample policy.yaml file from the Designate defaults, run the oslo policy generation script:
oslopolicy-sample-generator
--config-file etc/designate/designate-policy-generator.conf
--output-file policy.yaml.sample
Merged File Generation¶
To generate a policy file which shows the effective policy in use by the project, including all registered policy defaults and the policy overrides included in a policy.yaml file, run this command:
oslopolicy-policy-generator
--config-file etc/designate/designate-policy-generator.conf
This tool uses the output_file path from the config-file.
List Redundant Configurations¶
To generate a list of matches for policy rules that are defined in a configuration file where the rule does not differ from a registered default rule, run this command:
oslopolicy-list-redundant
--config-file etc/designate/designate-policy-generator.conf
These are rules that can be removed from the policy file with no change in effective policy.
Designate Default Policy Overview¶
The following is an overview of all available policies in Designate. For a sample configuration file, refer to policy.yaml.
designate¶
admin
- Default:
role:admin or is_admin:True
(no description provided)
owner
- Default:
project_id:%(tenant_id)s
(no description provided)
admin_or_owner
- Default:
rule:admin or rule:owner
(no description provided)
default
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
(no description provided)
create_blacklist
- Default:
role:admin
- Operations:
POST
/v2/blacklists
- Scope Types:
project
Create blacklist.
find_blacklists
- Default:
role:admin
- Operations:
GET
/v2/blacklists
- Scope Types:
project
Find blacklists.
get_blacklist
- Default:
role:admin
- Operations:
GET
/v2/blacklists/{blacklist_id}
- Scope Types:
project
Get blacklist.
update_blacklist
- Default:
role:admin
- Operations:
PATCH
/v2/blacklists/{blacklist_id}
- Scope Types:
project
Update blacklist.
delete_blacklist
- Default:
role:admin
- Operations:
DELETE
/v2/blacklists/{blacklist_id}
- Scope Types:
project
Delete blacklist.
use_blacklisted_zone
- Default:
role:admin
- Operations:
POST
/v2/zones
- Scope Types:
project
Allowed bypass the blacklist.
all_tenants
- Default:
role:admin
- Scope Types:
project
Action on all tenants.
edit_managed_records
- Default:
role:admin
- Scope Types:
project
Edit managed records.
use_low_ttl
- Default:
role:admin
- Scope Types:
project
Use low TTL.
use_sudo
- Default:
role:admin
- Scope Types:
project
Accept sudo from user to tenant.
hard_delete
- Default:
role:admin
- Scope Types:
project
Clean backend resources associated with zone
create_pool
- Default:
role:admin
- Scope Types:
project
Create pool.
find_pools
- Default:
role:admin
- Operations:
GET
/v2/pools
- Scope Types:
project
Find pool.
find_pool
- Default:
role:admin
- Operations:
GET
/v2/pools
- Scope Types:
project
Find pools.
get_pool
- Default:
role:admin
- Operations:
GET
/v2/pools/{pool_id}
- Scope Types:
project
Get pool.
update_pool
- Default:
role:admin
- Scope Types:
project
Update pool.
delete_pool
- Default:
role:admin
- Scope Types:
project
Delete pool.
zone_create_forced_pool
- Default:
role:admin
- Operations:
POST
/v2/zones
- Scope Types:
project
load and set the pool to the one provided in the Zone attributes.
get_quotas
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)
- Operations:
GET
/v2/quotas
- Scope Types:
project
View Current Project’s Quotas.
set_quota
- Default:
role:admin
- Operations:
PATCH
/v2/quotas/{project_id}
- Scope Types:
project
Set Quotas.
reset_quotas
- Default:
role:admin
- Operations:
DELETE
/v2/quotas/{project_id}
- Scope Types:
project
Reset Quotas.
find_records
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/v2/reverse/floatingips/{region}:{floatingip_id}
GET
/v2/reverse/floatingips
- Scope Types:
project
Find records.
count_records
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
- Scope Types:
project
(no description provided)
create_recordset
- Default:
(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('SECONDARY':%(zone_type)s) or ('True':%(zone_shared)s) and ('PRIMARY':%(zone_type)s)
- Operations:
POST
/v2/zones/{zone_id}/recordsets
- Scope Types:
project
Create Recordset
get_recordsets
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
- Scope Types:
project
(no description provided)
get_recordset
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s) or ('True':%(zone_shared)s)
- Operations:
GET
/v2/zones/{zone_id}/recordsets/{recordset_id}
- Scope Types:
project
Get recordset
find_recordset
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
- Scope Types:
project
List a Recordset in a Zone
find_recordsets
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/v2/zones/{zone_id}/recordsets
- Scope Types:
project
List Recordsets in a Zone
update_recordset
- Default:
(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('SECONDARY':%(zone_type)s) or role:member and (project_id:%(recordset_project_id)s) and ('PRIMARY':%(zone_type)s)
- Operations:
PUT
/v2/zones/{zone_id}/recordsets/{recordset_id}
- Scope Types:
project
Update recordset
delete_recordset
- Default:
(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('SECONDARY':%(zone_type)s) or role:member and (project_id:%(recordset_project_id)s) and ('PRIMARY':%(zone_type)s)
- Operations:
DELETE
/v2/zones/{zone_id}/recordsets/{recordset_id}
- Scope Types:
project
Delete RecordSet
count_recordset
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
- Scope Types:
project
Count recordsets
find_service_status
- Default:
role:admin
- Operations:
GET
/v2/service_status/{service_id}
- Scope Types:
project
Find a single Service Status
find_service_statuses
- Default:
role:admin
- Operations:
GET
/v2/service_status
- Scope Types:
project
List service statuses.
update_service_status
- Default:
role:admin
- Scope Types:
project
(no description provided)
get_zone_share
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
- Operations:
GET
/v2/zones/{zone_id}/shares/{zone_share_id}
- Scope Types:
project
Get a Zone Share
share_zone
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/v2/zones/{zone_id}/shares
- Scope Types:
project
Share a Zone
find_zone_shares
- Default:
@
- Operations:
GET
/v2/zones/{zone_id}/shares
List Shared Zones
find_project_zone_share
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
- Scope Types:
project
Check the can query for a specific projects shares.
unshare_zone
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/v2/zones/{zone_id}/shares/{shared_zone_id}
- Scope Types:
project
Unshare Zone
find_tenants
- Default:
role:admin
- Scope Types:
project
Find all Tenants.
get_tenant
- Default:
role:admin
- Scope Types:
project
Get all Tenants.
count_tenants
- Default:
role:admin
- Scope Types:
project
Count tenants
create_tld
- Default:
role:admin
- Operations:
POST
/v2/tlds
- Scope Types:
project
Create Tld
find_tlds
- Default:
role:admin
- Operations:
GET
/v2/tlds
- Scope Types:
project
List Tlds
get_tld
- Default:
role:admin
- Operations:
GET
/v2/tlds/{tld_id}
- Scope Types:
project
Show Tld
update_tld
- Default:
role:admin
- Operations:
PATCH
/v2/tlds/{tld_id}
- Scope Types:
project
Update Tld
delete_tld
- Default:
role:admin
- Operations:
DELETE
/v2/tlds/{tld_id}
- Scope Types:
project
Delete Tld
create_tsigkey
- Default:
role:admin
- Operations:
POST
/v2/tsigkeys
- Scope Types:
project
Create Tsigkey
find_tsigkeys
- Default:
role:admin
- Operations:
GET
/v2/tsigkeys
- Scope Types:
project
List Tsigkeys
get_tsigkey
- Default:
role:admin
- Operations:
GET
/v2/tsigkeys/{tsigkey_id}
- Scope Types:
project
Show a Tsigkey
update_tsigkey
- Default:
role:admin
- Operations:
PATCH
/v2/tsigkeys/{tsigkey_id}
- Scope Types:
project
Update Tsigkey
delete_tsigkey
- Default:
role:admin
- Operations:
DELETE
/v2/tsigkeys/{tsigkey_id}
- Scope Types:
project
Delete a Tsigkey
create_zone
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/v2/zones
- Scope Types:
project
Create Zone
get_zones
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
- Scope Types:
project
(no description provided)
get_zone
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s) or ('True':%(zone_shared)s)
- Operations:
GET
/v2/zones/{zone_id}
- Scope Types:
project
Get Zone
get_zone_servers
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
- Scope Types:
project
(no description provided)
get_zone_ns_records
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/v2/zones/{zone_id}/nameservers
- Scope Types:
project
Get the Name Servers for a Zone
find_zones
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/v2/zones
- Scope Types:
project
List existing zones
update_zone
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
- Operations:
PATCH
/v2/zones/{zone_id}
- Scope Types:
project
Update Zone
delete_zone
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/v2/zones/{zone_id}
- Scope Types:
project
Delete Zone
xfr_zone
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/v2/zones/{zone_id}/tasks/xfr
- Scope Types:
project
Manually Trigger an Update of a Secondary Zone
abandon_zone
- Default:
role:admin
- Operations:
POST
/v2/zones/{zone_id}/tasks/abandon
- Scope Types:
project
Abandon Zone
count_zones
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
- Scope Types:
project
(no description provided)
count_zones_pending_notify
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
- Scope Types:
project
(no description provided)
purge_zones
- Default:
role:admin
- Scope Types:
project
(no description provided)
pool_move_zone
- Default:
role:admin
- Operations:
POST
/v2/zones/{zone_id}/tasks/pool_move
- Scope Types:
project
Pool Move Zone
zone_export
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
- Operations:
GET
/v2/zones/tasks/exports/{zone_export_id}/export
- Scope Types:
project
Retrive a Zone Export from the Designate Datastore
create_zone_export
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/v2/zones/{zone_id}/tasks/export
- Scope Types:
project
Create Zone Export
find_zone_exports
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/v2/zones/tasks/exports
- Scope Types:
project
List Zone Exports
get_zone_export
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/v2/zones/tasks/exports/{zone_export_id}
- Scope Types:
project
Get Zone Exports
update_zone_export
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/v2/zones/{zone_id}/tasks/export
- Scope Types:
project
Update Zone Exports
delete_zone_export
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/v2/zones/tasks/exports/{zone_export_id}
- Scope Types:
project
Delete a zone export
create_zone_import
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/v2/zones/tasks/imports
- Scope Types:
project
Create Zone Import
find_zone_imports
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/v2/zones/tasks/imports
- Scope Types:
project
List all Zone Imports
get_zone_import
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/v2/zones/tasks/imports/{zone_import_id}
- Scope Types:
project
Get Zone Imports
update_zone_import
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/v2/zones/tasks/imports
- Scope Types:
project
Update Zone Imports
delete_zone_import
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/v2/zones/tasks/imports/{zone_import_id}
- Scope Types:
project
Delete a Zone Import
create_zone_transfer_accept
- Default:
((role:admin) or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s
- Operations:
POST
/v2/zones/tasks/transfer_accepts
- Scope Types:
project
Create Zone Transfer Accept
get_zone_transfer_accept
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/v2/zones/tasks/transfer_requests/{zone_transfer_accept_id}
- Scope Types:
project
Get Zone Transfer Accept
find_zone_transfer_accepts
- Default:
role:admin
- Operations:
GET
/v2/zones/tasks/transfer_accepts
- Scope Types:
project
List Zone Transfer Accepts
create_zone_transfer_request
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/v2/zones/{zone_id}/tasks/transfer_requests
- Scope Types:
project
Create Zone Transfer Accept
get_zone_transfer_request
- Default:
((role:admin) or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s
- Operations:
GET
/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}
- Scope Types:
project
Show a Zone Transfer Request
get_zone_transfer_request_detailed
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
- Scope Types:
project
(no description provided)
find_zone_transfer_requests
- Default:
@
- Operations:
GET
/v2/zones/tasks/transfer_requests
List Zone Transfer Requests
update_zone_transfer_request
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
- Operations:
PATCH
/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}
- Scope Types:
project
Update a Zone Transfer Request
delete_zone_transfer_request
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}
- Scope Types:
project
Delete a Zone Transfer Request