Page MenuHomePhabricator
Create Task
Maniphest T281894

Cloud: designate: missing or misconfigured API policy for creating new domains
Closed, ResolvedPublic
Actions

Description

I just found this:

aborrero@cloudcontrol1005:~$ sudo wmcs-openstack zone create --os-project-id cloudinfra --type PRIMARY --email root@wmflabs.org mx-out03.wmcloud.org.
forbidden

Backend logs are like:

Policy check failed for rule 'create_zone' on target {'tenant_id': 'cloudinfra', 'zone_name': 'mx-out03.wmcloud.org.'}

Related Objects

Event Timeline

aborrero created this task.May 4 2021, 3:53 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 4 2021, 3:53 PM
aborrero triaged this task as High priority.May 4 2021, 3:54 PM
aborrero moved this task from Inbox to Soon! on the cloud-services-team (Kanban) board.
RhinosF1 subscribed.May 4 2021, 4:43 PM
Stashbot added a comment.May 7 2021, 1:51 PM

Mentioned in SAL (#wikimedia-cloud) [2021-05-07T13:51:41Z] <andrewbogott> add inherited 'admin' right to novaadmin user throughout eqiad1. I was trying to narrow down the rights here but lack of admin breaks some workflows, e.g. T281894 and T282235

Stashbot mentioned this in T282235: Configure Neutron VIP ports for tools and toolsbeta k8s haproxies.May 7 2021, 1:51 PM
Andrew closed this task as Resolved.May 7 2021, 1:53 PM

This should be fixed by the above policy change (zone creation is restricted to 'admin').

Note that typically you would want to create a new zone via wmcs-makedomain which handles the weirdness involved in creating a subdomain in tenant A when the parent domain is owned by tenant B:

# wmcs-makedomain --orig-project cloudinfra --project cloudinfra --domain mx-testexample.wmcloud.org.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits