[Labs-l] Potential new public DNS/proxy naming policies

Andrew Bogott abogott at wikimedia.org
Wed Mar 9 15:46:24 UTC 2016


We're in the process of moving our DNS manipulation web UI out of 
wikitech/OpenStackManager and adopting the upstream OpenStack tools and 
APIs.  As usual, though, our current security/user model is weird and 
not especially supported by the upstream models.

Rather than hacking away at OpenStack, I'm considering just adopting 
their model.

Right now on wikitech, any project admin can:

1) Create records under wmflabs.org
2) Create records under any pre-existing subdomain of wmflabs.org
3) Bind a floating IP to any of the above records
4) Associate an http proxy with any of the above records
5) Ask an admin to create a new subdomain of wmflabs.org for use in 
option 2.

The thing that's hard to do with the OpenStack tools is items 1 and 2 -- 
there's no real conception of a 'global' domain that's shared and 
editable among multiple projects.  So, I propose a new model where users 
can...

1) Create records under <projectname>.wmflabs.org
2) Create records under pre-existing subdomains of wmflabs.org that 
belong to the project in question
3) Bind a floating IP to any of the above records
4) Associate an http proxy with any of the above records
5) Ask an admin to create a new project-specific subdomain of 
wmflabs.org for use in option 2 (not necessarily a subdomain of 
<projectname>.wmflabs.org)

How is that different?

a) there will no longer be any foo.wmflabs.org records, only 
foo.<project>.wmflabs.org records.
b) Existing records using the foo.wmflabs.org scheme will have to be 
migrated to a project-specific domain, or remain in a weird in-between 
state where only admins can see and edit them.
c) If there are any existing subdomains that are shared between 
projects, they'll need to be untangled.


So, tell me:  How much will this change hurt you, and how much will it 
hurt your users?  Please be as detailed as possible so that I have what 
I need to come up with compromise solutions.

Thank you!

-Andrew
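
The proposed rules above, written out as a name check. This is an added illustration, not part of the original message and not OpenStack or wikitech code; the project names, the zone-ownership mapping and the function names are constructed for the example, and it assumes the apex of a project domain is not itself covered by rule 1.

```python
# Added illustration of the proposed model; all names here are hypothetical.
BASE = "wmflabs.org"

# Constructed sample: admin-created subdomain -> owning project (rule 5 feeds rule 2).
ZONES = {"shared.wmflabs.org": "bravo"}

def _labels(name):
    """Normalise a DNS name: lower-case, drop the trailing dot, split into labels."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if not name or any(not label for label in labels):
        raise ValueError("malformed DNS name: %r" % name)
    return labels

def _is_under(name, zone):
    """True if name is a strict descendant of zone, compared label by label.

    A plain string suffix test would accept 'www.notalpha.wmflabs.org' for the
    zone 'alpha.wmflabs.org'; comparing whole labels does not.
    """
    n, z = _labels(name), _labels(zone)
    return len(n) > len(z) and n[-len(z):] == z

def classify(record, project, zones=ZONES):
    """Return how the proposed model treats `record` when `project` asks for it."""
    if not _is_under(record, BASE):
        return "deny: outside wmflabs.org"
    # Rule 1: records under <projectname>.wmflabs.org
    if _is_under(record, "%s.%s" % (project, BASE)):
        return "allow: project domain"
    # Rule 2: pre-existing subdomains that belong to the project (most specific first)
    for zone in sorted(zones, key=lambda z: -len(_labels(z))):
        if _is_under(record, zone):
            if zones[zone] == project:
                return "allow: project-owned subdomain"
            return "deny: subdomain belongs to another project"
    # Point (b): old foo.wmflabs.org records stay visible and editable to admins only
    if len(_labels(record)) == len(_labels(BASE)) + 1:
        return "admin-only: legacy record directly under wmflabs.org"
    return "deny: no zone for this project"

if __name__ == "__main__":
    for rec in ("www.alpha.wmflabs.org", "api.shared.wmflabs.org",
                "foo.wmflabs.org", "www.notalpha.wmflabs.org"):
        print(rec, "->", classify(rec, "alpha"))
```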


