Investigate whether policy can be updated so an owner has limited API actions over a leased node

CCI-MOC / esi

Elastic Secure Infrastructure project

6 stars 12 forks source link

Investigate whether policy can be updated so an owner has limited API actions over a leased node #502

Closed tzumainn closed 4 months ago

tzumainn commented 5 months ago

The specific scenario is:

a) node has owner b) node is leased c) now both owner and lessee can control power state of node

There's some curiosity whether a policy file can make it so that an owner can only control the power state if their node is not leased.

tzumainn commented 4 months ago

After some experimentation and research, there's no easy way to do this. The problem is that the way policy rules are enabled in OpenStack, there's no good way to check if an attribute is empty string.

Based on a comment by Orran, it also sounds like this is nowhere near a high priority, as node owners always have the ability to cancel a lease anyway.