Designate Policies

Warning

JSON formatted policy file is deprecated since Designate 12.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

Designate, like most OpenStack services, supports Role Based Access Control (RBAC) using oslo policy to define default RBAC policies in the Designate code. These default policies can be overridden by operators using a yaml policy file. For a sample policy file, refer to policy.yaml.

Currently Designate defaults to the OpenStack legacy “admin or owner” scheme, but Designate also supports a newer RBAC model using Keystone Default Roles and Keystone Scoped Tokens via configuration settings.

Enabling Keystone Default Roles and Scoped Tokens

Starting with the Xena release of Designate, Keystone token scopes and default roles can be enforced. By default, in the Xena release, oslo policy will not be enforcing these new roles and scopes. However, at some point in the future they may become the default. You may want to enable them now to be ready for the later transition. This section will describe those settings.

The Oslo Policy project defines two configuration settings, among others, that can be set in the Designate configuration file to influence how policies are handled by Designate. Those two settings are enforce_scope and enforce_new_defaults.

When you enable Keystone Default Roles and Keystone Scoped Tokens the Designate policy honors the following roles:

  • System scoped - Admin

  • System scoped - Reader

  • Project scoped - Reader

  • Project scoped - Member

[oslo_policy] enforce_scope

Keystone has introduced the concept of token scopes. To ensure backward compatibility, Oslo Policy does not enforce scope validation of tokens by default.

In the Xena release, Designate supports enforcing Keystone token scopes. To enable Keystone token scoping, add the following to your Designate configuration file:

[oslo_policy]
enforce_scope = True

The primary effect of this setting is to allow a system scoped admin token when performing administrative API calls to the Designate API. The Designate API already enforces the project scoping in Keystone tokens.

[oslo_policy] enforce_new_defaults

The Designate Xena release added support for Keystone Default Roles in the default policies. To be backward compatible, Oslo Policy currently uses deprecated policies that do not require the new Keystone Default Roles by default.

Designate supports requiring these new Keystone Default Roles as of the Xena release. To start requiring these roles in Designate, enable the new policies by adding the following setting to your Designate configuration file:

[oslo_policy]
enforce_new_defaults = True

Example OpenStack Client Command

After you have enabled enforce_new_defaults and enforce_scope, administrative commands require a system scoped admin token. An example OpenStack Client command to create a Top Level Domain (TLD) would look like:

openstack --os-system-scope all --os-auth-url <identity endpoint URL> --os-password <admin password> --os-username admin --os-user-domain-name default create tld --name example.org

Oslo Tools For Policy Management

This section describes how to use Oslo Policy tools to managing Designate policies.

Sample File Generation

To generate a sample policy.yaml file from the Designate defaults, run the oslo policy generation script:

oslopolicy-sample-generator
--config-file etc/designate/designate-policy-generator.conf
--output-file policy.yaml.sample

Merged File Generation

To generate a policy file which shows the effective policy in use by the project, including all registered policy defaults and the policy overrides included in a policy.yaml file, run this command:

oslopolicy-policy-generator
--config-file etc/designate/designate-policy-generator.conf

This tool uses the output_file path from the config-file.

List Redundant Configurations

To generate a list of matches for policy rules that are defined in a configuration file where the rule does not differ from a registered default rule, run this command:

oslopolicy-list-redundant
--config-file etc/designate/designate-policy-generator.conf

These are rules that can be removed from the policy file with no change in effective policy.

Designate Default Policy Overview

The following is an overview of all available policies in Designate. For a sample configuration file, refer to policy.yaml.

designate

admin
Default

role:admin or is_admin:True

(no description provided)

owner
Default

project_id:%(tenant_id)s

(no description provided)

admin_or_owner
Default

rule:admin or rule:owner

(no description provided)

default
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

(no description provided)

create_blacklist
Default

role:admin and system_scope:all

Operations
  • POST /v2/blacklists

Scope Types
  • system

Create blacklist.

find_blacklists
Default

role:reader and system_scope:all

Operations
  • GET /v2/blacklists

Scope Types
  • system

Find blacklists.

get_blacklist
Default

role:reader and system_scope:all

Operations
  • GET /v2/blacklists/{blacklist_id}

Scope Types
  • system

Get blacklist.

update_blacklist
Default

role:admin and system_scope:all

Operations
  • PATCH /v2/blacklists/{blacklist_id}

Scope Types
  • system

Update blacklist.

delete_blacklist
Default

role:admin and system_scope:all

Operations
  • DELETE /v2/blacklists/{blacklist_id}

Scope Types
  • system

Delete blacklist.

use_blacklisted_zone
Default

role:admin and system_scope:all

Operations
  • POST /v2/zones

Scope Types
  • system

Allowed bypass the blacklist.

all_tenants
Default

role:admin and system_scope:all

Scope Types
  • system

Action on all tenants.

edit_managed_records
Default

role:admin and system_scope:all

Scope Types
  • system

Edit managed records.

use_low_ttl
Default

role:admin and system_scope:all

Scope Types
  • system

Use low TTL.

use_sudo
Default

role:admin and system_scope:all

Scope Types
  • system

Accept sudo from user to tenant.

hard_delete
Default

role:admin and system_scope:all

Scope Types
  • system

Clean backend resources associated with zone

create_pool
Default

role:admin and system_scope:all

Scope Types
  • system

Create pool.

find_pools
Default

role:reader and system_scope:all

Operations
  • GET /v2/pools

Scope Types
  • system

Find pool.

find_pool
Default

role:reader and system_scope:all

Operations
  • GET /v2/pools

Scope Types
  • system

Find pools.

get_pool
Default

role:reader and system_scope:all

Operations
  • GET /v2/pools/{pool_id}

Scope Types
  • system

Get pool.

update_pool
Default

role:admin and system_scope:all

Scope Types
  • system

Update pool.

delete_pool
Default

role:admin and system_scope:all

Scope Types
  • system

Delete pool.

zone_create_forced_pool
Default

role:admin and system_scope:all

Operations
  • POST /v2/zones

Scope Types
  • system

load and set the pool to the one provided in the Zone attributes.

get_quotas
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)

Operations
  • GET /v2/quotas

Scope Types
  • system

  • project

View Current Project’s Quotas.

set_quota
Default

role:admin and system_scope:all

Operations
  • PATCH /v2/quotas/{project_id}

Scope Types
  • system

Set Quotas.

reset_quotas
Default

role:admin and system_scope:all

Operations
  • DELETE /v2/quotas/{project_id}

Scope Types
  • system

Reset Quotas.

find_records
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/reverse/floatingips/{region}:{floatingip_id}

  • GET /v2/reverse/floatingips

Scope Types
  • system

  • project

Find records.

count_records
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

(no description provided)

create_recordset
Default

(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)

Operations
  • POST /v2/zones/{zone_id}/recordsets

Scope Types
  • system

  • project

Create Recordset

get_recordsets
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

(no description provided)

get_recordset
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones/{zone_id}/recordsets/{recordset_id}

Scope Types
  • system

  • project

Get recordset

find_recordset
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

List a Recordset in a Zone

find_recordsets
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones/{zone_id}/recordsets

Scope Types
  • system

  • project

List Recordsets in a Zone

update_recordset
Default

(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)

Operations
  • PUT /v2/zones/{zone_id}/recordsets/{recordset_id}

Scope Types
  • system

  • project

Update recordset

delete_recordset
Default

(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)

Operations
  • DELETE /v2/zones/{zone_id}/recordsets/{recordset_id}

Scope Types
  • system

  • project

Delete RecordSet

count_recordset
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

Count recordsets

find_service_status
Default

role:reader and system_scope:all

Operations
  • GET /v2/service_status/{service_id}

Scope Types
  • system

Find a single Service Status

find_service_statuses
Default

role:reader and system_scope:all

Operations
  • GET /v2/service_status

Scope Types
  • system

List service statuses.

update_service_status
Default

role:admin and system_scope:all

Scope Types
  • system

(no description provided)

find_tenants
Default

role:reader and system_scope:all

Scope Types
  • system

Find all Tenants.

get_tenant
Default

role:reader and system_scope:all

Scope Types
  • system

Get all Tenants.

count_tenants
Default

role:reader and system_scope:all

Scope Types
  • system

Count tenants

create_tld
Default

role:admin and system_scope:all

Operations
  • POST /v2/tlds

Scope Types
  • system

Create Tld

find_tlds
Default

role:reader and system_scope:all

Operations
  • GET /v2/tlds

Scope Types
  • system

List Tlds

get_tld
Default

role:reader and system_scope:all

Operations
  • GET /v2/tlds/{tld_id}

Scope Types
  • system

Show Tld

update_tld
Default

role:admin and system_scope:all

Operations
  • PATCH /v2/tlds/{tld_id}

Scope Types
  • system

Update Tld

delete_tld
Default

role:admin and system_scope:all

Operations
  • DELETE /v2/tlds/{tld_id}

Scope Types
  • system

Delete Tld

create_tsigkey
Default

role:admin and system_scope:all

Operations
  • POST /v2/tsigkeys

Scope Types
  • system

Create Tsigkey

find_tsigkeys
Default

role:reader and system_scope:all

Operations
  • GET /v2/tsigkeys

Scope Types
  • system

List Tsigkeys

get_tsigkey
Default

role:reader and system_scope:all

Operations
  • GET /v2/tsigkeys/{tsigkey_id}

Scope Types
  • system

Show a Tsigkey

update_tsigkey
Default

role:admin and system_scope:all

Operations
  • PATCH /v2/tsigkeys/{tsigkey_id}

Scope Types
  • system

Update Tsigkey

delete_tsigkey
Default

role:admin and system_scope:all

Operations
  • DELETE /v2/tsigkeys/{tsigkey_id}

Scope Types
  • system

Delete a Tsigkey

create_zone
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /v2/zones

Scope Types
  • system

  • project

Create Zone

get_zones
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

(no description provided)

get_zone
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones/{zone_id}

Scope Types
  • system

  • project

Get Zone

get_zone_servers
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

(no description provided)

get_zone_ns_records
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones/{zone_id}/nameservers

Scope Types
  • system

  • project

Get the Name Servers for a Zone

find_zones
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones

Scope Types
  • system

  • project

List existing zones

update_zone
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PATCH /v2/zones/{zone_id}

Scope Types
  • system

  • project

Update Zone

delete_zone
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /v2/zones/{zone_id}

Scope Types
  • system

  • project

Delete Zone

xfr_zone
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /v2/zones/{zone_id}/tasks/xfr

Scope Types
  • system

  • project

Manually Trigger an Update of a Secondary Zone

abandon_zone
Default

role:admin and system_scope:all

Operations
  • POST /v2/zones/{zone_id}/tasks/abandon

Scope Types
  • system

Abandon Zone

count_zones
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

(no description provided)

count_zones_pending_notify
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

(no description provided)

purge_zones
Default

role:admin and system_scope:all

Scope Types
  • system

(no description provided)

zone_export
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • GET /v2/zones/tasks/exports/{zone_export_id}/export

Scope Types
  • system

  • project

Retrive a Zone Export from the Designate Datastore

create_zone_export
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /v2/zones/{zone_id}/tasks/export

Scope Types
  • system

  • project

Create Zone Export

find_zone_exports
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones/tasks/exports

Scope Types
  • system

  • project

List Zone Exports

get_zone_export
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones/tasks/exports/{zone_export_id}

Scope Types
  • system

  • project

Get Zone Exports

update_zone_export
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /v2/zones/{zone_id}/tasks/export

Scope Types
  • system

  • project

Update Zone Exports

delete_zone_export
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /v2/zones/tasks/exports/{zone_export_id}

Scope Types
  • system

  • project

Delete a zone export

create_zone_import
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /v2/zones/tasks/imports

Scope Types
  • system

  • project

Create Zone Import

find_zone_imports
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones/tasks/imports

Scope Types
  • system

  • project

List all Zone Imports

get_zone_import
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones/tasks/imports/{zone_import_id}

Scope Types
  • system

  • project

Get Zone Imports

update_zone_import
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /v2/zones/tasks/imports

Scope Types
  • system

  • project

Update Zone Imports

delete_zone_import
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /v2/zones/tasks/imports/{zone_import_id}

Scope Types
  • system

  • project

Delete a Zone Import

create_zone_transfer_accept
Default

((role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s

Operations
  • POST /v2/zones/tasks/transfer_accepts

Scope Types
  • system

  • project

Create Zone Transfer Accept

get_zone_transfer_accept
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones/tasks/transfer_requests/{zone_transfer_accept_id}

Scope Types
  • system

  • project

Get Zone Transfer Accept

find_zone_transfer_accepts
Default

role:reader and system_scope:all

Operations
  • GET /v2/zones/tasks/transfer_accepts

Scope Types
  • system

List Zone Transfer Accepts

create_zone_transfer_request
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /v2/zones/{zone_id}/tasks/transfer_requests

Scope Types
  • system

  • project

Create Zone Transfer Accept

get_zone_transfer_request
Default

((role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s

Operations
  • GET /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}

Scope Types
  • system

  • project

Show a Zone Transfer Request

get_zone_transfer_request_detailed
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

(no description provided)

find_zone_transfer_requests
Default

@

Operations
  • GET /v2/zones/tasks/transfer_requests

List Zone Transfer Requests

update_zone_transfer_request
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PATCH /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}

Scope Types
  • system

  • project

Update a Zone Transfer Request

delete_zone_transfer_request
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}

Scope Types
  • system

  • project

Delete a Zone Transfer Request