[Labs-l] Potential new public DNS/proxy naming policies
Andrew Bogott
abogott at wikimedia.org
Wed Mar 9 16:24:02 UTC 2016
Merlijn has just pointed out that my scheme will not work AT ALL for
http proxies. I think there's a work-around for that, so feel free to
mentally insert 'except for proxies which will stay the same' whenever
necessary while reading this.
-A
On 3/9/16 9:46 AM, Andrew Bogott wrote:
> We're in the process of moving our DNS manipulation web UI out of
> wikitech/OpenStackManager and adopting the upstream OpenStack tools
> and APIs. As usual, though, our current security/user model is weird
> and not especially supported by the upstream models.
>
> Rather than hacking away at OpenStack, I'm considering just adopting
> their model.
>
> Right now on wikitech, any project admin can:
>
> 1) Create records under wmflabs.org
> 2) Create records under any pre-existing subdomain of wmflabs.org
> 3) Bind a floating IP to any of the above records
> 4) Associate an http proxy with any of the above records
> 5) Ask an admin to create a new subdomain of wmflabs.org for use in
> option 2.
>
> The thing that's hard to do with the OpenStack tools is items 1 and 2
> -- there's no real conception of a 'global' domain that's shared and
> editable among multiple projects. So, I propose a new model where
> users can...
>
> 1) Create records under <projectname>.wmflabs.org
> 2) Create records under pre-existing subdomains of wmflabs.org that
> belong to the project in question
> 3) Bind a floating IP to any of the above records
> 4) Associate an http proxy with any of the above records
> 5) Ask an admin to create a new project-specific subdomain of
> wmflabs.org for use in option 2 (not necessarily a subdomain of
> <projectname>.wmflabs.org)
>
> How is that different?
>
> a) there will no longer be any foo.wmflabs.org records, only
> foo.<project>.wmflabs.org records.
> b) Existing records using the foo.wmflabs.org scheme will have to be
> migrated to a project-specific domain, or remain in a weird in-between
> state where only admins can see and edit them.
> c) If there are any existing subdomains that are shared between
> projects, they'll need to be untangled.
>
>
> So, tell me: How much will this change hurt you, and how much will it
> hurt your users? Please be as detailed as possible so that I have
> what I need to come up with compromise solutions.
>
> Thank you!
>
> -Andrew
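
The ownership rule in the proposed model above, sketched as an added example that is not part of the original message and is not Wikimedia or OpenStack code. The project names `alpha` and `beta`, the zone `shared.wmflabs.org`, and the choice to exclude the zone apex itself are assumptions made for illustration.

```python
# Added illustration: per-project DNS record authorization under the proposed model.
BASE_ZONE = "wmflabs.org"

# Constructed sample data: admin-created zones assigned to a project (item 5).
DELEGATED = {"alpha": {"shared.wmflabs.org"}}

def _labels(name):
    """Normalize a DNS name (case, trailing dot) and split it into labels."""
    return name.rstrip(".").lower().split(".")

def _is_within(name, zone):
    """True if name equals zone or lies below it, compared label by label.

    A plain string suffix test would wrongly place 'xalpha.wmflabs.org'
    inside 'alpha.wmflabs.org'; comparing whole labels avoids that.
    """
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z

def allowed_zones(project, delegated):
    """Zones a project may write to: <project>.wmflabs.org plus assigned zones."""
    zones = {f"{project}.{BASE_ZONE}"}
    zones.update(delegated.get(project, ()))
    return zones

def may_create_record(project, fqdn, delegated):
    """Items 1 and 2: the record must sit under a zone owned by the project.

    Assumption: the zone apex itself is not a record the project creates.
    """
    return any(
        _is_within(fqdn, zone) and _labels(fqdn) != _labels(zone)
        for zone in allowed_zones(project, delegated)
    )

def needs_migration(fqdn, project_zones):
    """Point (b): a record under wmflabs.org that falls inside no project zone."""
    if not _is_within(fqdn, BASE_ZONE) or _labels(fqdn) == _labels(BASE_ZONE):
        return False
    return not any(_is_within(fqdn, z) for z in project_zones)
```
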