Designate Policies

Introduction

This document presents the permissions available for reader and member roles on the Designate service (DNS management) of Infomaniak Public Cloud, based on OpenStack default policies.

Context

Application Credentials must be created with the appropriate role according to functional needs. This matrix helps you choose the right role for DNS operations.

Legend

Symbol	Meaning
	Allowed - The policy explicitly permits this action
	Forbidden - The policy explicitly denies this action
	Conditional - Allowed based on project membership or zone ownership

Zone Management

Basic Zone Operations

Operation	Endpoint	Policy	Conditions
List zones	`GET /v2/zones`	`find_zones`	Project zones
Show zone	`GET /v2/zones/{zone_id}`	`get_zone`	Project ownership
Create zone	`POST /v2/zones`	`create_zone`
Update zone	`PATCH /v2/zones/{zone_id}`	`update_zone`	Project ownership
Delete zone	`DELETE /v2/zones/{zone_id}`	`delete_zone`	Project ownership

Zone Statistics

Operation	Endpoint	Policy	Reader	Member	Conditions
Count zones	`GET /v2/zones`	`count_zones`			Project statistics
Count pending notify	`GET /v2/zones`	`count_zones_pending_notify`			Project statistics

Recordset Management

Basic Recordset Operations

Operation	Endpoint	Policy	Conditions
List recordsets	`GET /v2/zones/{zone_id}/recordsets`	`find_recordsets`	Project zone ownership
Show recordset	`GET /v2/zones/{zone_id}/recordsets/{recordset_id}`	`get_recordset`	Project ownership
Create recordset	`POST /v2/zones/{zone_id}/recordsets`	`create_recordset`	PRIMARY zones only*
Update recordset	`PUT /v2/zones/{zone_id}/recordsets/{recordset_id}`	`update_recordset`	PRIMARY zones only*
Delete recordset	`DELETE /v2/zones/{zone_id}/recordsets/{recordset_id}`	`delete_recordset`	PRIMARY zones only*

*PRIMARY zones: User-managed zones where records can be modified

Recordset Statistics

Operation	Endpoint	Policy	Reader	Member	Conditions
Count recordsets	`GET /v2/zones/{zone_id}/recordsets`	`count_recordset`			Project statistics

Zone Transfer Management

Zone Transfer Requests

Operation	Endpoint	Policy	Conditions
List transfer requests	`GET /v2/zones/tasks/transfer_requests`	`find_zone_transfer_requests`	All visible requests
Show transfer request	`GET /v2/zones/tasks/transfer_requests/{request_id}`	`get_zone_transfer_request`	Owner or target project
Create transfer request	`POST /v2/zones/{zone_id}/tasks/transfer_requests`	`create_zone_transfer_request`	Project zone ownership
Update transfer request	`PATCH /v2/zones/tasks/transfer_requests/{request_id}`	`update_zone_transfer_request`	Project ownership
Delete transfer request	`DELETE /v2/zones/tasks/transfer_requests/{request_id}`	`delete_zone_transfer_request`	Project ownership

Zone Transfer Accepts

Operation	Endpoint	Policy	Reader	Member	Conditions
Create transfer accept	`POST /v2/zones/tasks/transfer_accepts`	`create_zone_transfer_accept`			Accept incoming transfer
Show transfer accept	`GET /v2/zones/tasks/transfer_accepts/{accept_id}`	`get_zone_transfer_accept`			Project ownership

Zone Import/Export

Zone Export Operations

Operation	Endpoint	Policy	Conditions
List zone exports	`GET /v2/zones/tasks/exports`	`find_zone_exports`	Project exports
Show zone export	`GET /v2/zones/tasks/exports/{export_id}`	`get_zone_export`	Project ownership
Create zone export	`POST /v2/zones/{zone_id}/tasks/export`	`create_zone_export`	Project zone ownership
Download export	`GET /v2/zones/tasks/exports/{export_id}/export`	`zone_export`	Project ownership

Zone Import Operations

Operation	Endpoint	Policy	Conditions
List zone imports	`GET /v2/zones/tasks/imports`	`find_zone_imports`	Project imports
Show zone import	`GET /v2/zones/tasks/imports/{import_id}`	`get_zone_import`	Project ownership
Create zone import	`POST /v2/zones/tasks/imports`	`create_zone_import`

Quota Management

Operation	Endpoint	Policy	Reader	Member	Conditions
Show project quotas	`GET /v2/quotas`	`get_quotas`			Project quotas
Show specific quotas	`GET /v2/quotas/{project_id}`	`get_quotas`			If same project

Reverse DNS (PTR Records)

Operation	Endpoint	Policy	Conditions
List PTR records	`GET /v2/reverse/floatingips`	`find_records`	Project floating IPs
Show PTR record	`GET /v2/reverse/floatingips/{region}:{floatingip_id}`	`get_record`	Project floating IP
Update PTR record	`PATCH /v2/reverse/floatingips/{region}:{floatingip_id}`	`update_record`	Project floating IP

PTR Record Statistics

Operation	Endpoint	Policy	Reader	Member	Conditions
Count PTR records	`GET /v2/reverse/floatingips`	`count_records`			Project statistics

Capabilities Summary by Role

ReaderMember

Granted permissions:

View all project zones and recordsets
Access zone and recordset statistics
Monitor zone transfers and import/export tasks
View PTR records for project floating IPs
Check project quotas and limits
View zone export and import status

Limitations:

No creation or modification of DNS records
No zone management operations
No zone transfer initiation
No import/export creation

Granted permissions:

All Reader capabilities
Create and manage DNS zones
Full recordset management (A, AAAA, CNAME, MX, etc.)
Initiate and manage zone transfers
Create zone exports and imports
Manage PTR records for floating IPs
Accept incoming zone transfers

Limitations:

Cannot modify SECONDARY zones (read-only replicas)
Limited to project-scoped operations
Cannot manage managed records (system-controlled)

Usage Examples

DNS Monitoring Application

Use case: DNS monitoring, health checks, reporting

Recommended role: reader

# Application Credential
role: reader

# Possible actions
- openstack zone list
- openstack zone show <zone-id>
- openstack recordset list <zone-id>
- openstack ptr record list
- openstack quota show --service dns

DNS Management Application

Use case: Domain management, automated DNS updates

Recommended role: member

# Application Credential
role: member

# Possible actions
- openstack zone create --email admin@example.com example.com.
- openstack recordset create --type A --records 192.168.1.10 <zone-id> www
- openstack recordset set --records 192.168.1.20 <zone-id> <recordset-id>
- openstack zone export create <zone-id>
- openstack zone transfer request create <zone-id>

CI/CD DNS Automation

Use case: Automated deployment with DNS updates

Recommended role: member

# Application Credential
role: member

# Deployment automation
- openstack recordset create --type A --records ${NEW_SERVER_IP} <zone-id> ${SERVICE_NAME}
- openstack recordset create --type CNAME --records ${SERVICE_NAME}.example.com. <zone-id> ${ENVIRONMENT}
- openstack ptr record set --ptrdname ${SERVICE_NAME}.example.com. <region>:<floating-ip-id>
- openstack zone export create <zone-id>  # Backup before changes

Context Variables

Policies use the following variables to determine authorizations:

Variable	Description
`%(project_id)s`	Current user's project ID
`%(zone_id)s`	Target zone ID
`%(zone_type)s`	Zone type (PRIMARY or SECONDARY)
`%(recordset_id)s`	Target recordset ID
`%(recordset_project_id)s`	Recordset owner project ID
`%(target_project_id)s`	Target project for zone transfers

Important Notes

Best Practices

Principle of least privilege: Use the reader role for monitoring and read-only DNS operations
Zone types: Only PRIMARY zones allow recordset modifications; SECONDARY zones are read-only replicas
Project isolation: Members can only manage zones within their project
Zone transfers: Useful for moving zones between projects with proper authorization
PTR records: Manage reverse DNS for project floating IPs
Quotas: Monitor DNS resource usage and limits per project

DNS Specifics

Managed records: System-controlled records (like NS, SOA) cannot be modified by project members
SECONDARY zones: Automatically synchronized from external masters, records cannot be directly modified
Zone transfers: Require both source and target project cooperation
TTL limitations: Some TTL values may require administrative privileges