Designate Policies

Warning

The JSON-formatted policy file has been deprecated since Designate 12.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool migrates an existing JSON-formatted policy file to YAML in a backward-compatible way.

Designate, like most OpenStack services, supports Role-Based Access Control (RBAC), using oslo policy to define the default RBAC policies in the Designate code. Operators can override these defaults with a YAML policy file. For a sample policy file, refer to policy.yaml.

Currently Designate defaults to the OpenStack legacy “admin or owner” scheme, but Designate also supports a newer RBAC model using Keystone Default Roles and Keystone Scoped Tokens via configuration settings.

Enabling Keystone Default Roles and Scoped Tokens

Starting with the Xena release of Designate, Keystone token scopes and default roles can be enforced. In the Xena release, oslo policy does not enforce these new roles and scopes by default, but they may become the default in a later release, so you may want to enable them now to be ready for that transition. This section describes the settings involved.

The Oslo Policy project defines two configuration settings, among others, that can be set in the Designate configuration file to influence how Designate handles policies: enforce_scope and enforce_new_defaults.

When you enable Keystone Default Roles and Keystone Scoped Tokens, the Designate policy honors the following roles:

  • System scoped - Admin

  • System scoped - Reader

  • Project scoped - Reader

  • Project scoped - Member

[oslo_policy] enforce_scope

Keystone has introduced the concept of token scopes. To ensure backward compatibility, Oslo Policy does not enforce scope validation of tokens by default.

In the Xena release, Designate supports enforcing Keystone token scopes. To enable Keystone token scoping, add the following to your Designate configuration file:

[oslo_policy]
enforce_scope = True

With scope enforcement on, oslo policy rejects any token whose scope is not one of the Scope Types registered for the policy being checked, instead of only logging a warning. This is what permits a system scoped admin token to make administrative calls to the Designate API for policies that register the system scope; the Designate API already enforces the project scoping in Keystone tokens. Before relying on a system scoped token, check the Scope Types listed for each policy in the overview below: where a policy lists only project, a system scoped token is refused once enforce_scope is on.

[oslo_policy] enforce_new_defaults

The Designate Xena release added support for Keystone Default Roles in the default policies. To be backward compatible, Oslo Policy currently uses deprecated policies that do not require the new Keystone Default Roles by default.

Designate supports requiring these new Keystone Default Roles as of the Xena release. To start requiring these roles in Designate, enable the new policies by adding the following setting to your Designate configuration file:

[oslo_policy]
enforce_new_defaults = True

Example OpenStack Client Command

After you have enabled enforce_new_defaults and enforce_scope, administrative commands require an admin token whose scope matches the Scope Types registered for the policy. An example OpenStack Client command to create a Top Level Domain (TLD) with a system scoped admin token would look like:

openstack --os-system-scope all \
    --os-auth-url <identity endpoint URL> \
    --os-password <admin password> \
    --os-username admin \
    --os-user-domain-name default \
    tld create --name example.org
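The following is an added example, not code from Designate or oslo.policy, that re-implements just enough of the oslo.policy rule language to evaluate rule strings exactly as they appear in the policy overview later on this page, and models what enforce_scope, enforce_new_defaults and a policy.yaml override each change. Its assumptions are stated in the code: the credential dictionaries and zone targets are constructed, a system scoped token is recognised by a system_scope key, the deprecated rule attached to create_zone is taken to be the legacy rule:admin or rule:owner check, and the scope types are copied from the overview, which lists project for every policy.

```python
# Added example, not Designate or oslo.policy code: evaluates the rule syntax used in
# the policy overview below and models enforce_scope, enforce_new_defaults and overrides.
import ast
import re
from functools import partial
TOKEN = re.compile(r"\(|\)|[^\s()]+(?:\([^)]*\)s)?")  # %(key)s parentheses are not tokens

def parse(toks):
    # Split at a depth-0 'or' first, then 'and': 'and' binds tighter, as in oslo.policy.
    for op in ('or', 'and'):
        depth, parts = 0, [[]]
        for t in toks:
            depth += (t == '(') - (t == ')')
            if t == op and depth == 0:
                parts.append([])
            else:
                parts[-1].append(t)
        if len(parts) > 1:
            return (op, [parse(p) for p in parts])
    if len(toks) > 1 and toks[0] == '(' and toks[-1] == ')':
        return parse(toks[1:-1])
    if len(toks) == 1 and isinstance(toks[0], tuple):
        return toks[0]
    raise ValueError('malformed rule fragment: %r' % (toks,))

def rule_tree(rules, name):
    toks = [t.lower() if t.lower() in ('(', ')', 'and', 'or') else ('check', t)
            for t in TOKEN.findall(rules.get(name, '!'))]   # unknown rule name: deny
    return parse(toks or [('check', '@')])                  # empty rule: always allow

def check(atom, rules, creds, target):
    # Literal kinds ("True", None) compare with the expanded match; other kinds name a creds key.
    if atom in ('@', '!'):
        return atom == '@'
    kind, _, match = atom.partition(':')
    if kind == 'rule':
        return evaluate(rule_tree(rules, match), rules, creds, target)
    if kind == 'role':
        return match.lower() in [r.lower() for r in creds.get('roles', [])]
    try:
        match = match % target                         # expand %(key)s from the target
        left = ast.literal_eval(kind)
    except KeyError:                                   # target lacks the key: deny
        return False
    except ValueError:                                 # not a literal: credential key
        if kind not in creds:
            return False
        left = creds[kind]
    return match == str(left)

def evaluate(node, rules, creds, target):
    op, args = node
    if op == 'check':
        return check(args, rules, creds, target)
    return (any if op == 'or' else all)(evaluate(a, rules, creds, target) for a in args)

def enforce(name, creds, target, defaults, overrides=None, enforce_scope=False,
            enforce_new_defaults=False):
    # defaults: name -> (new rule, deprecated rule or None, scope types); overrides = policy.yaml.
    rules = {**{n: new if enforce_new_defaults or not old else '(%s) or (%s)' % (new, old)
                for n, (new, old, _) in defaults.items()}, **(overrides or {})}
    scope = 'system' if creds.get('system_scope') else 'project'   # assumed token shape
    allowed = defaults.get(name, (None, None, None))[2]            # registered scope types
    if enforce_scope and allowed and scope not in allowed:
        return False                                   # oslo.policy raises InvalidScope
    return evaluate(rule_tree(rules, name), rules, creds, target)

# From the overview on this page; create_zone's deprecated rule (legacy admin or owner) is assumed.
DEFAULTS = {
    'admin': ('role:admin or is_admin:True', None, None),
    'owner': ('project_id:%(tenant_id)s', None, None),
    'create_zone': ('(role:admin) or (role:member and project_id:%(project_id)s)',
                    'rule:admin or rule:owner', ['project']),
    'get_zone': ('(role:admin) or (role:reader and project_id:%(project_id)s) or '
                 '("True":%(zone_shared)s)', None, ['project']),
    'create_tld': ('role:admin', None, ['project']),
    'use_low_ttl': ('role:admin', None, ['project']),
}

def demo():
    # Constructed credentials and targets; tenant_id is present for the legacy owner rule.
    member = {'roles': ['member', 'reader'], 'project_id': 'p1'}
    outsider = {'roles': ['member', 'reader'], 'project_id': 'p2'}
    owner_only = {'roles': ['dns-operator'], 'project_id': 'p1'}   # owns p1, no member role
    sys_admin = {'roles': ['admin'], 'system_scope': 'all'}
    zone = {'project_id': 'p1', 'tenant_id': 'p1', 'zone_shared': False}
    legacy = partial(enforce, defaults=DEFAULTS)
    strict = partial(legacy, enforce_scope=True, enforce_new_defaults=True)
    relaxed = partial(strict, overrides={   # same effect as one policy.yaml line
        'use_low_ttl': 'rule:admin or (role:member and project_id:%(project_id)s)'})
    return {
        'legacy: owner without member role creates zone': legacy('create_zone', owner_only, zone),
        'strict: owner without member role creates zone': strict('create_zone', owner_only, zone),
        'strict: system-scoped admin creates tld': strict('create_tld', sys_admin, {}),
        'strict: outsider reads unshared zone': strict('get_zone', outsider, zone),
        'strict: outsider reads shared zone': strict('get_zone', outsider, dict(zone, zone_shared=True)),
        'strict: member uses low ttl': strict('use_low_ttl', member, zone),
        'override: member uses low ttl': relaxed('use_low_ttl', member, zone),
    }
```

demo() returns each scenario's decision. Two results are the ones to watch when flipping the switches: an owner who holds no member role keeps creating zones only while enforce_new_defaults is off, and a system scoped admin is refused for create_tld once enforce_scope is on, because the overview registers only the project scope for it. Treat the model as a way to reason about a rule before editing policy.yaml; the effective policy of a real deployment comes from oslopolicy-policy-generator, described below.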

Oslo Tools For Policy Management

This section describes how to use the Oslo Policy tools to manage Designate policies.

Sample File Generation

To generate a sample policy.yaml file from the Designate defaults, run the oslo policy generation script:

oslopolicy-sample-generator \
    --config-file etc/designate/designate-policy-generator.conf \
    --output-file policy.yaml.sample

Merged File Generation

To generate a policy file which shows the effective policy in use by the project, including all registered policy defaults and the policy overrides included in a policy.yaml file, run this command:

oslopolicy-policy-generator \
    --config-file etc/designate/designate-policy-generator.conf

This tool writes to the output_file path set in the config file.

List Redundant Configurations

To list the rules in your policy file that are identical to a registered default rule, run this command:

oslopolicy-list-redundant \
    --config-file etc/designate/designate-policy-generator.conf

These are rules that can be removed from the policy file with no change in effective policy.

Designate Default Policy Overview

The following is an overview of all available policies in Designate. For a sample configuration file, refer to policy.yaml.

designate

admin
Default:

role:admin or is_admin:True

(no description provided)

owner
Default:

project_id:%(tenant_id)s

(no description provided)

admin_or_owner
Default:

rule:admin or rule:owner

(no description provided)

default
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

(no description provided)

create_blacklist
Default:

role:admin

Operations:
  • POST /v2/blacklists

Scope Types:
  • project

Create blacklist.

find_blacklists
Default:

role:admin

Operations:
  • GET /v2/blacklists

Scope Types:
  • project

Find blacklists.

get_blacklist
Default:

role:admin

Operations:
  • GET /v2/blacklists/{blacklist_id}

Scope Types:
  • project

Get blacklist.

update_blacklist
Default:

role:admin

Operations:
  • PATCH /v2/blacklists/{blacklist_id}

Scope Types:
  • project

Update blacklist.

delete_blacklist
Default:

role:admin

Operations:
  • DELETE /v2/blacklists/{blacklist_id}

Scope Types:
  • project

Delete blacklist.

use_blacklisted_zone
Default:

role:admin

Operations:
  • POST /v2/zones

Scope Types:
  • project

Allow bypassing the blacklist.

all_tenants
Default:

role:admin

Scope Types:
  • project

Action on all tenants.

edit_managed_records
Default:

role:admin

Scope Types:
  • project

Edit managed records.

use_low_ttl
Default:

role:admin

Scope Types:
  • project

Use low TTL.

use_sudo
Default:

role:admin

Scope Types:
  • project

Accept sudo from user to tenant.

hard_delete
Default:

role:admin

Scope Types:
  • project

Clean backend resources associated with a zone.

create_pool
Default:

role:admin

Scope Types:
  • project

Create pool.

find_pools
Default:

role:admin

Operations:
  • GET /v2/pools

Scope Types:
  • project

Find pools.

find_pool
Default:

role:admin

Operations:
  • GET /v2/pools

Scope Types:
  • project

Find pool.

get_pool
Default:

role:admin

Operations:
  • GET /v2/pools/{pool_id}

Scope Types:
  • project

Get pool.

update_pool
Default:

role:admin

Scope Types:
  • project

Update pool.

delete_pool
Default:

role:admin

Scope Types:
  • project

Delete pool.

zone_create_forced_pool
Default:

role:admin

Operations:
  • POST /v2/zones

Scope Types:
  • project

Load and set the pool to the one provided in the zone attributes.

get_quotas
Default:

(role:admin) or (role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)

Operations:
  • GET /v2/quotas

Scope Types:
  • project

View Current Project’s Quotas.

set_quota
Default:

role:admin

Operations:
  • PATCH /v2/quotas/{project_id}

Scope Types:
  • project

Set Quotas.

reset_quotas
Default:

role:admin

Operations:
  • DELETE /v2/quotas/{project_id}

Scope Types:
  • project

Reset Quotas.

find_records
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /v2/reverse/floatingips/{region}:{floatingip_id}

  • GET /v2/reverse/floatingips

Scope Types:
  • project

Find records.

count_records
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Scope Types:
  • project

(no description provided)

create_recordset
Default:

(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('SECONDARY':%(zone_type)s) or ("True":%(zone_shared)s) and ('PRIMARY':%(zone_type)s)

Operations:
  • POST /v2/zones/{zone_id}/recordsets

Scope Types:
  • project

Create Recordset

get_recordsets
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Scope Types:
  • project

(no description provided)

get_recordset
Default:

(role:admin) or (role:reader and project_id:%(project_id)s) or ("True":%(zone_shared)s)

Operations:
  • GET /v2/zones/{zone_id}/recordsets/{recordset_id}

Scope Types:
  • project

Get recordset

find_recordset
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Scope Types:
  • project

List a Recordset in a Zone

find_recordsets
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /v2/zones/{zone_id}/recordsets

Scope Types:
  • project

List Recordsets in a Zone

update_recordset
Default:

(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('SECONDARY':%(zone_type)s) or role:member and (project_id:%(recordset_project_id)s) and ('PRIMARY':%(zone_type)s)

Operations:
  • PUT /v2/zones/{zone_id}/recordsets/{recordset_id}

Scope Types:
  • project

Update recordset

delete_recordset
Default:

(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('SECONDARY':%(zone_type)s) or role:member and (project_id:%(recordset_project_id)s) and ('PRIMARY':%(zone_type)s)

Operations:
  • DELETE /v2/zones/{zone_id}/recordsets/{recordset_id}

Scope Types:
  • project

Delete RecordSet

count_recordset
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Scope Types:
  • project

Count recordsets

find_service_status
Default:

role:admin

Operations:
  • GET /v2/service_status/{service_id}

Scope Types:
  • project

Find a single Service Status

find_service_statuses
Default:

role:admin

Operations:
  • GET /v2/service_status

Scope Types:
  • project

List service statuses.

update_service_status
Default:

role:admin

Scope Types:
  • project

(no description provided)

get_zone_share
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:
  • GET /v2/zones/{zone_id}/shares/{zone_share_id}

Scope Types:
  • project

Get a Zone Share

share_zone
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /v2/zones/{zone_id}/shares

Scope Types:
  • project

Share a Zone

find_zone_shares
Default:

@

Operations:
  • GET /v2/zones/{zone_id}/shares

List Shared Zones

find_project_zone_share
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Scope Types:
  • project

Check whether the caller can query a specific project's shares.

unshare_zone
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /v2/zones/{zone_id}/shares/{shared_zone_id}

Scope Types:
  • project

Unshare Zone

find_tenants
Default:

role:admin

Scope Types:
  • project

Find all Tenants.

get_tenant
Default:

role:admin

Scope Types:
  • project

Get a Tenant.

count_tenants
Default:

role:admin

Scope Types:
  • project

Count tenants

create_tld
Default:

role:admin

Operations:
  • POST /v2/tlds

Scope Types:
  • project

Create Tld

find_tlds
Default:

role:admin

Operations:
  • GET /v2/tlds

Scope Types:
  • project

List Tlds

get_tld
Default:

role:admin

Operations:
  • GET /v2/tlds/{tld_id}

Scope Types:
  • project

Show Tld

update_tld
Default:

role:admin

Operations:
  • PATCH /v2/tlds/{tld_id}

Scope Types:
  • project

Update Tld

delete_tld
Default:

role:admin

Operations:
  • DELETE /v2/tlds/{tld_id}

Scope Types:
  • project

Delete Tld

create_tsigkey
Default:

role:admin

Operations:
  • POST /v2/tsigkeys

Scope Types:
  • project

Create Tsigkey

find_tsigkeys
Default:

role:admin

Operations:
  • GET /v2/tsigkeys

Scope Types:
  • project

List Tsigkeys

get_tsigkey
Default:

role:admin

Operations:
  • GET /v2/tsigkeys/{tsigkey_id}

Scope Types:
  • project

Show a Tsigkey

update_tsigkey
Default:

role:admin

Operations:
  • PATCH /v2/tsigkeys/{tsigkey_id}

Scope Types:
  • project

Update Tsigkey

delete_tsigkey
Default:

role:admin

Operations:
  • DELETE /v2/tsigkeys/{tsigkey_id}

Scope Types:
  • project

Delete a Tsigkey

create_zone
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /v2/zones

Scope Types:
  • project

Create Zone

get_zones
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Scope Types:
  • project

(no description provided)

get_zone
Default:

(role:admin) or (role:reader and project_id:%(project_id)s) or ("True":%(zone_shared)s)

Operations:
  • GET /v2/zones/{zone_id}

Scope Types:
  • project

Get Zone

get_zone_servers
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Scope Types:
  • project

(no description provided)

get_zone_ns_records
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /v2/zones/{zone_id}/nameservers

Scope Types:
  • project

Get the Name Servers for a Zone

find_zones
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /v2/zones

Scope Types:
  • project

List existing zones

update_zone
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:
  • PATCH /v2/zones/{zone_id}

Scope Types:
  • project

Update Zone

delete_zone
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /v2/zones/{zone_id}

Scope Types:
  • project

Delete Zone

xfr_zone
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /v2/zones/{zone_id}/tasks/xfr

Scope Types:
  • project

Manually Trigger an Update of a Secondary Zone

abandon_zone
Default:

role:admin

Operations:
  • POST /v2/zones/{zone_id}/tasks/abandon

Scope Types:
  • project

Abandon Zone

count_zones
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Scope Types:
  • project

(no description provided)

count_zones_pending_notify
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Scope Types:
  • project

(no description provided)

purge_zones
Default:

role:admin

Scope Types:
  • project

(no description provided)

pool_move_zone
Default:

role:admin

Operations:
  • POST /v2/zones/{zone_id}/tasks/pool_move

Scope Types:
  • project

Pool Move Zone

zone_export
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:
  • GET /v2/zones/tasks/exports/{zone_export_id}/export

Scope Types:
  • project

Retrieve a Zone Export from the Designate Datastore

create_zone_export
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /v2/zones/{zone_id}/tasks/export

Scope Types:
  • project

Create Zone Export

find_zone_exports
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /v2/zones/tasks/exports

Scope Types:
  • project

List Zone Exports

get_zone_export
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /v2/zones/tasks/exports/{zone_export_id}

Scope Types:
  • project

Get a Zone Export

update_zone_export
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /v2/zones/{zone_id}/tasks/export

Scope Types:
  • project

Update a Zone Export

delete_zone_export
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /v2/zones/tasks/exports/{zone_export_id}

Scope Types:
  • project

Delete a zone export

create_zone_import
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /v2/zones/tasks/imports

Scope Types:
  • project

Create Zone Import

find_zone_imports
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /v2/zones/tasks/imports

Scope Types:
  • project

List all Zone Imports

get_zone_import
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /v2/zones/tasks/imports/{zone_import_id}

Scope Types:
  • project

Get a Zone Import

update_zone_import
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /v2/zones/tasks/imports

Scope Types:
  • project

Update a Zone Import

delete_zone_import
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /v2/zones/tasks/imports/{zone_import_id}

Scope Types:
  • project

Delete a Zone Import

create_zone_transfer_accept
Default:

((role:admin) or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s

Operations:
  • POST /v2/zones/tasks/transfer_accepts

Scope Types:
  • project

Create Zone Transfer Accept

get_zone_transfer_accept
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /v2/zones/tasks/transfer_accepts/{zone_transfer_accept_id}

Scope Types:
  • project

Get Zone Transfer Accept

find_zone_transfer_accepts
Default:

role:admin

Operations:
  • GET /v2/zones/tasks/transfer_accepts

Scope Types:
  • project

List Zone Transfer Accepts

create_zone_transfer_request
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /v2/zones/{zone_id}/tasks/transfer_requests

Scope Types:
  • project

Create Zone Transfer Request

get_zone_transfer_request
Default:

((role:admin) or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s

Operations:
  • GET /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}

Scope Types:
  • project

Show a Zone Transfer Request

get_zone_transfer_request_detailed
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

Scope Types:
  • project

(no description provided)

find_zone_transfer_requests
Default:

@

Operations:
  • GET /v2/zones/tasks/transfer_requests

List Zone Transfer Requests

update_zone_transfer_request
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:
  • PATCH /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}

Scope Types:
  • project

Update a Zone Transfer Request

delete_zone_transfer_request
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}

Scope Types:
  • project

Delete a Zone Transfer Request