
Cloud: designate: missing or misconfigured API policy for creating new domains
Closed, Resolved (Public)

Description

I just found this:

aborrero@cloudcontrol1005:~$ sudo wmcs-openstack zone create --os-project-id cloudinfra --type PRIMARY --email root@wmflabs.org mx-out03.wmcloud.org.
forbidden

Backend logs are like:

Policy check failed for rule 'create_zone' on target {'tenant_id': 'cloudinfra', 'zone_name': 'mx-out03.wmcloud.org.'}

Event Timeline

aborrero triaged this task as High priority. May 4 2021, 3:54 PM
aborrero moved this task from Inbox to Soon! on the cloud-services-team (Kanban) board.

Mentioned in SAL (#wikimedia-cloud) [2021-05-07T13:51:41Z] <andrewbogott> add inherited 'admin' right to novaadmin user throughout eqiad1. I was trying to narrow down the rights here but lack of admin breaks some workflows, e.g. T281894 and T282235

This should be fixed by the above policy change (zone creation is restricted to 'admin').

Note that typically you would want to create a new zone via wmcs-makedomain which handles the weirdness involved in creating a subdomain in tenant A when the parent domain is owned by tenant B:

# wmcs-makedomain --orig-project cloudinfra --project cloudinfra --domain mx-testexample.wmcloud.org.
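To show what the "Policy check failed for rule 'create_zone'" line in the description means, here is an added, constructed example (not designate's or oslo.policy's own code) that evaluates a small policy in the same check-string style designate uses. The policy table, the credential field names (tenant_id, roles) and the "create_zone": "rule:admin" rule are assumptions taken from the comment above, not a copy of the deployed policy file.

```python
# Constructed policy, modelled on the oslo.policy check-string syntax that
# designate reads from policy.yaml. Only "create_zone": "rule:admin" is taken
# from the comment above; the other rules are assumptions for illustration.
POLICY = {
    "admin": "role:admin",
    "owner": "tenant_id:%(tenant_id)s",
    "admin_or_owner": "rule:admin or rule:owner",
    "create_zone": "rule:admin",
}


def _check_one(check: str, target: dict, creds: dict) -> bool:
    """Evaluate one 'kind:match' check against the request target and caller."""
    kind, _, match = check.partition(":")
    if kind == "rule":
        return check_rule(match, target, creds)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check: substitute target fields into the match string
    # (e.g. %(tenant_id)s) and compare with the caller's credential of
    # the same name. A placeholder the target lacks counts as a failed check.
    try:
        expected = match % target
    except KeyError:
        return False
    return str(creds.get(kind)) == expected


def check_rule(rule: str, target: dict, creds: dict) -> bool:
    """Evaluate a named rule; 'and' binds tighter than 'or', no parentheses."""
    check_str = POLICY.get(rule)
    if check_str is None:
        return False  # unknown rule: deny by default
    return any(
        all(_check_one(c.strip(), target, creds) for c in clause.split(" and "))
        for clause in check_str.split(" or ")
    )


def enforce(rule: str, target: dict, creds: dict) -> bool:
    """Return True if allowed; otherwise log a line like the backend did."""
    allowed = check_rule(rule, target, creds)
    if not allowed:
        print(f"Policy check failed for rule '{rule}' on target {target}")
    return allowed


if __name__ == "__main__":
    target = {"tenant_id": "cloudinfra", "zone_name": "mx-out03.wmcloud.org."}
    enforce("create_zone", target, {"tenant_id": "cloudinfra", "roles": ["member"]})
    enforce("create_zone", target, {"tenant_id": "cloudinfra", "roles": ["admin"]})
```

The first enforce call reproduces the "forbidden" outcome for a caller without the admin role even though the target tenant is its own project; the second passes once the admin role is present, matching the fix described above.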