| ozzzo_work | I need to setup a non-admin user that can use "openstack recordset list" and I think I need to change policy for that. I'm reading here: https://docs.openstack.org/designate/train/admin/policy.html and here: https://docs.openstack.org/designate/train/admin/samples/policy-yaml.html but I'm still not clear on how it works. Is there a document that explains how to setup a new policy? | 14:45 |
|---|---|---|
| ozzzo_work | How can I find out the existing policies? if I do "openstack policy list" as admin, I get a blank output | 14:47 |
| JayF | ozzzo_work: are you actually running the 'train' version of openstacck? | 14:48 |
| JayF | I am going AFK for a couple of hours; but if you're not running train make sure to look at newer documentation. How that works in openstack has been changed recently (I'm not sure if/when designate made the change) | 14:49 |
| johnsom | Recordset list is non-admin for the zone owner. Are you trying to setup a global reader for recordset list? | 14:58 |
| ozzzo_work | JayF: : Yes we're running Train | 15:24 |
| ozzzo_work | johnsom: It appears to be restricted to the network owner, and the networks are owned by admin | 15:25 |
| ozzzo_work | I have automation that creates VMs, tests various things, and then deletes them, and times it for graphing and alerting. I need for that user to be able to look at DNS records of VMs that it created | 15:26 |
| ozzzo_work | as a non-admin user, if I do "openstack zone list" I get an empty list | 15:26 |
| ozzzo_work | if I do "openstack recordset list <zone>" I get "Name <zone> didn't resolve" | 15:27 |
| johnsom | Yeah, that means the project you are using doesn’t own the zone you are creating records in | 15:30 |
| ozzzo_work | It looks like the zones are owned by the network owner | 15:31 |
| ozzzo_work | if I show a zone, the project_id is admin | 15:32 |
| johnsom | Yeah, that could be how you have it setup. You could create the port/vm under a zone your project owns | 15:33 |
| ozzzo_work | we don't allow users to setup their own networks | 15:34 |
| johnsom | That should not matter depending on how you have neutron setup. | 15:35 |
| johnsom | Port settings override network settings | 15:37 |
| ozzzo_work | that seems to work; I can create a test zone as an end-user, but that would't duplicate what our users are doing | 15:38 |
| ozzzo_work | I need to create a role that I can add to a non-admin user, that will allow that user to view zones owned by admin | 15:39 |
| johnsom | Well, you want to restrict it as much as possible | 15:40 |
| ozzzo_work | When I look at the sample policy file, I see a bunch of stuff commented out. Are those the defaults? Can I create a policy with only the things that I want to change? | 15:40 |
| johnsom | You can create a policy.yaml, configure oslo.policy to use it, and override a command policy | 15:41 |
| johnsom | Yes, comments are the defaults. Yes, the overrive can have one line | 15:41 |
| ozzzo_work | I think I need to do something like: "find_zones": "rule:admin_or_owner or role:zonereader" | 15:42 |
| johnsom | I would run the sample generator on your system as the policy hchanges have made a mess. Instead of relying on the docs site version | 15:42 |
| ozzzo_work | the sample generator will pull my existing policies? | 15:43 |
| johnsom | Yes | 15:43 |
| ozzzo_work | ok I'll try that, ty! | 15:43 |
| johnsom | Sorry I am on pto and mobile, so I can’t help you craft the line | 15:44 |
| johnsom | Feel free to send me your proposal and I will try to review/comment | 15:44 |
| ozzzo_work | ok ty | 15:44 |
| *** JayF is now known as Guest12444 | 18:27 | |
| *** JasonF is now known as JayF | 18:27 | |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!