[Labs-l] Potential new public DNS/proxy naming policies

Andrew Bogott abogott at wikimedia.org
Thu Mar 10 19:11:55 UTC 2016


On 3/9/16 10:24 AM, Andrew Bogott wrote:
> Merlijn has just pointed out that my scheme will not work AT ALL for 
> http proxies.  I think there's a work-around for that, so feel free to 
> mentally insert 'except for proxies which will stay the same' whenever 
> necessary while reading this.
To follow up on this last comment... this means that my change should 
only affect domain names bound to public IPs that are assigned within 
your project.  You can check the complete list of such addresses by 
visiting https://wikitech.wikimedia.org/wiki/Special:NovaAddress for 
your project.

> -A
>
> On 3/9/16 9:46 AM, Andrew Bogott wrote:
>> We're in the process of moving our DNS manipulation web UI out of 
>> wikitech/OpenStackManager and adopting the upstream OpenStack tools 
>> and APIs.  As usual, though, our current security/user model is weird 
>> and not especially supported by the upstream models.
>>
>> Rather than hacking away at OpenStack, I'm considering just adopting 
>> their model.
>>
>> Right now on wikitech, any project admin can:
>>
>> 1) Create records under wmflabs.org
>> 2) Create records under any pre-existing subdomain of wmflabs.org
>> 3) Bind a floating IP to any of the above records
>> 4) Associate an http proxy with any of the above records
>> 5) Ask an admin to create a new subdomain of wmflabs.org for use in 
>> option 2.
>>
>> The thing that's hard to do with the OpenStack tools is items 1 and 2 
>> -- there's no real conception of a 'global' domain that's shared and 
>> editable among multiple projects.  So, I propose a new model where 
>> users can...
>>
>> 1) Create records under <projectname>.wmflabs.org
>> 2) Create records under pre-existing subdomains of wmflabs.org that 
>> belong to the project in question
>> 3) Bind a floating IP to any of the above records
>> 4) Associate an http proxy with any of the above records
>> 5) Ask an admin to create a new project-specific subdomain of 
>> wmflabs.org for use in option 2 (not necessarily a subdomain of 
>> <projectname>.wmflabs.org)
>>
>> How is that different?
>>
>> a) there will no longer be any foo.wmflabs.org records, only 
>> foo.<project>.wmflabs.org records.
>> b) Existing records using the foo.wmflabs.org scheme will have to be 
>> migrated to a project-specific domain, or remain in a weird 
>> in-between state where only admins can see and edit them.
>> c) If there are any existing subdomains that are shared between 
>> projects, they'll need to be untangled.
>>
>>
>> So, tell me:  How much will this change hurt you, and how much will 
>> it hurt your users?  Please be as detailed as possible so that I have 
>> what I need to come up with compromise solutions.
>>
>> Thank you!
>>
>> -Andrew
>
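
The proposed ownership model, as an added example that is not part of the original message or of Wikimedia's tooling: it classifies a record name for one project, comparing label by label so that `notalpha.wmflabs.org` is not mistaken for a name under `alpha.wmflabs.org`. The project names, the delegated-subdomain map and the result labels are constructed for illustration.

```python
BASE = "wmflabs.org"
# Constructed sample data (hypothetical project names and delegation).
SAMPLE_PROJECTS = {"alpha", "bravo"}
SAMPLE_DELEGATED = {"shared-demo.wmflabs.org": "bravo"}  # item 5 in the new model


def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def is_under(name, zone):
    """True if name is zone or below it, compared label by label."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


def classify(name, project, projects, delegated):
    """Classify a record name for `project` under the proposed model."""
    if labels(name) == labels(BASE) or not is_under(name, BASE):
        return "out-of-scope"
    # Item 1: each project owns <projectname>.wmflabs.org.
    zones = {f"{p}.{BASE}": p for p in projects}
    # Items 2 and 5: admin-created subdomains that belong to one project.
    zones.update(delegated)
    matches = [z for z in zones if is_under(name, z)]
    if not matches:
        return "legacy-flat"  # point (b): migrate, or admin-only
    # Longest matching zone wins, since item 5 allows nested delegations.
    owner = zones[max(matches, key=lambda z: len(labels(z)))]
    return "allowed" if owner == project else "other-project"


if __name__ == "__main__":
    for n in ("web.alpha.wmflabs.org", "foo.wmflabs.org", "notalpha.wmflabs.org"):
        print(n, classify(n, "alpha", SAMPLE_PROJECTS, SAMPLE_DELEGATED))
```

Running the same classification over an export of existing records gives the list of `legacy-flat` names that point (b) says must be migrated or left admin-only.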



