Closed tzumainn closed 1 month ago
Proposed solution:
In ironic/api/controllers/v1/node.py, create a new field called restricted_node_owner
that has restricted capabilities when a lessee leases a node. Something that looks like this
if owner and lessee: target_dict['node.restricted_owner'] = True
Then in the policy files, targets that need this restriction could have lines similar to
"is_restricted_node_owner": "True:$(node.restricted_node_owner)s and rule:is_node_owner"
<target>: "not rule:is_restricted_node_owner and rule:is_node_owner"
That looks reasonable to me. I don't think we'll be implementing this any time soon, but it's good to have this knowledge in our back pocket. Thanks!
From Emmanuel: "I'd like to follow up on this and see if we could limit the operations an owner can do to just revoking a lease while a node is leased. The main concern is a script running under the owner privileges not properly checking the lease status and doing maintenance operation on nodes that are actively used by the lessee."
Took a quick look at this earlier, and didn't find an easy solution through policy files; we should take another look, and explore possibilities if the policy file solution doesn't work.
For reference, here is a sample policy file for ESI:
Here's the oslo.policy documentation explaining rule syntax, and a link to the oslo.policy repository:
An example of code that exposes the
node.owner
andnode.lessee
can be found here: