Previously projects that had a zone shared with them were unable to view the
shared zone. This patch corrects that issue.
Change-Id: Ia3ede57ac2249a1bcd49512aa36452b2b9ffd827

When trying to write unit tests I found that when updating a zone
with recordsets there are scenarios where it would throw an SQL
error.
> sqlalchemy.exc.CompileError: Unconsumed column names: zone_name
This fixes up the code path and adds some basic test coverage.
Change-Id: Ia12b530730921db5235fd35f4cabf80b916c216f

Previously the zone export create API relied on the zone lookup to fail if the
project did not have permission to export the zone. Because of this the RBAC
test was simply if the project_id was valid.
With shared zones, administrators may not want to allow exports of a zone that
is shared with a project. This patch corrects the RBAC to check for zone
ownership before creating the zone export. This way a policy can be created to
allow zone exports for projects that have a zone share.
Change-Id: I2ef28eeb285462dc12b13de80cdab06b5cfb929b

We have a lot of abstraction that isn't really needed. This patch
removes some of that abstraction and reorganizes the code accordingly.
- Merged storage and sqlalchemy folders.
- Deprecated [central].storage_driver.
- Minor cleanup to SQL code.
- Cleaned up comments and unit tests.
Change-Id: I8f0508aedcc028b1a6e74c790c5d757a0d6c98d7

We have two almost identical code paths for sink and ptr
records. This patch unifies the two paths and should drastically
lower the overhead of each of these requests.
Change-Id: Iadeaefe361638ec092eab1757f3b89e3020631af

Previously if you tried to create a zone share with a scoped token that
does not have a project ID, you would receive a 500 error. This patch
corrects that to return a proper error describing that a project ID is
required when creating zone shares.
Change-Id: Ibeb7154a4c300f59dfa25737736f59609b938bcc

If the record status changes during the removal process,
the current implementation will fail.
Closes-Bug: 2015762
Change-Id: Iebe609e5f365d03e99f2a4580671175b4642763c

When we create a secondary zone, the AXFR transfer loops indefinitely.
Normally, only one xfr should be performed.
Due to the AXFR loop, the zone changes status from active to pending all the time.
Co-Authored-By: ZhouHeng <zhouhenglc@inspur.com>
Closes-Bug: 1856442
Change-Id: I0e0d138049e6d4c31dea3cc6768cc15e59a5942c

This patch moves the responsibility of incrementing the
serial on a zone from central to the producer. This also
means that NOTIFY is triggered by the producer after the
serial has been incremented. The advantage of this approach
is that we can now batch requests which means less work
for the DNS servers, and it removes the risk of
race conditions when updating the serial. Finally, the
producer is sharded and is easy to scale which means that
this approach should scale well with many zones.
The disadvantage is that it may take up to 5 seconds longer
for the DNS record to be updated on the DNS server. This
can be lowered by increasing the frequency of the task
that is responsible for incrementing the serial.
Depends-On: https://review.opendev.org/#/c/871266/
Change-Id: I5e9733abaaa40c874e1d80d7b57e563df0f12cee

There was a bug that allowed users to create a zone share with the zone
owner. This would then cause issues deleting the zone share as the zone
owner owns the NS and SOA recordsets in the zone.
This patch raises a BadRequest if the user attempts to create a zone
share for the zone owner.
Closes-Bug: #2011585
Change-Id: I1b56c492436821f650d1ba669614d92595d2f476

The python-neutronclient has been deprecated for the CLI since Ocata and
the python bindings "neutronclient" have been deprecated for removal as
of the 2023.1 (Antelope) release[1] in favor of using openstacksdk.
This patch migrates Designate from using the neutronclient to using the
openstacksdk for communicating with neutron.
[1] https://docs.openstack.org/releasenotes/python-neutronclient/2023.1.html
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I0198f38afe3d5c32ea06d9e674ab0ff849f360e6
Related-Bug: #1999774

During a grenade upgrade the Designate grenade plugin updates the
python-designateclient. This can cause the installation location to change
to under the /opt/stack/new path.
This patch makes sure we restart neutron q-svc after this update to make sure
it can still find the client.
Change-Id: I5ce96268cb39ae4a4a8d82a75ac192b2310455a1

The backend_url option can sometimes contain secrets.
For example, when the redis coordination backend is used and authentication
is enabled in redis, the plain redis password is put as a URL element.
[coordination]
backend_url=redis://:password@127.0.0.1:6379
Closes-Bug: #2012246
Change-Id: I0ee95fc56130e51bf5c799d252e79a469492b7db
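
The exposure described in the last commit message, as an added example that is not part of the commit or of Designate's code: a standard-library sketch that masks the password component of URL-valued options before they are logged. The function names, `MASK`, and the `example.*` option names are hypothetical; only the `backend_url` value comes from the message above.

```python
from urllib.parse import urlsplit, urlunsplit

MASK = "****"


def redact_url(value):
    """Return value with the password part of a URL replaced by MASK."""
    if not isinstance(value, str):
        return value
    try:
        parts = urlsplit(value)
    except ValueError:
        # Malformed URL (e.g. unbalanced IPv6 bracket): fail closed.
        return MASK
    if parts.password is None:
        return value
    # netloc is "userinfo@host[:port]"; split on the last "@" so an
    # unencoded "@" inside the password stays on the userinfo side.
    userinfo, _, hostinfo = parts.netloc.rpartition("@")
    username = userinfo.partition(":")[0]
    return urlunsplit(parts._replace(netloc=f"{username}:{MASK}@{hostinfo}"))


def redact_options(options):
    """Redact every value of a {"section.option": value} mapping."""
    return {name: redact_url(value) for name, value in options.items()}


# Constructed sample: the first value is the one from the commit message,
# the "example.*" entries are hypothetical options added for contrast.
SAMPLE = {
    "coordination.backend_url": "redis://:password@127.0.0.1:6379",
    "example.workers": 5,
    "example.endpoint": "http://127.0.0.1:9001/v2",
}

if __name__ == "__main__":
    for name, value in redact_options(SAMPLE).items():
        print(f"{name} = {value}")
```

A password containing an unencoded `/`, `?` or `#` is not recognised as userinfo by `urlsplit`, so such values need to be percent-encoded in the configuration for this masking to apply.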