CCI-MOC / esi

Elastic Secure Infrastructure project

Review methods of restricting owners from running certain commands on a leased node #521

Closed tzumainn closed 1 month ago

tzumainn commented 3 months ago

From Emmanuel: "I'd like to follow up on this and see if we could limit the operations an owner can do to just revoking a lease while a node is leased. The main concern is a script running under the owner privileges not properly checking the lease status and doing maintenance operation on nodes that are actively used by the lessee."

Took a quick look at this earlier, and didn't find an easy solution through policy files; we should take another look, and explore possibilities if the policy file solution doesn't work.

For reference, here is a sample policy file for ESI:

Here's the oslo.policy documentation explaining rule syntax, and a link to the oslo.policy repository:

An example of code that exposes the node.owner and node.lessee can be found here:

ajamias commented 1 month ago

Proposed solution:

In `ironic/api/controllers/v1/node.py`, create a new field called `restricted_node_owner` that has restricted capabilities when a lessee leases a node. Something that looks like this:

```python
# set the flag only when the node has both an owner and a lessee
if owner and lessee:
    target_dict['node.restricted_node_owner'] = True
```

Then in the policy files, targets that need this restriction could have lines similar to:

```json
"is_restricted_node_owner": "True:%(node.restricted_node_owner)s and rule:is_node_owner",
"<target>": "not rule:is_restricted_node_owner and rule:is_node_owner"
```
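To make the proposal above concrete, here is an added, self-contained sketch of how such rules would evaluate for an owner and a lessee before and after a lease is attached. It is not ESI, Ironic or oslo.policy code: the rule names `node:maintenance` and `lease:revoke`, the project ids, and the small rule evaluator that stands in for oslo.policy's `rule:` / `kind:%(target)s` syntax are all assumptions made for this example.

```python
import ast

# Constructed sample policy modelled on the proposal in the comment above.
# The target names 'node:maintenance' and 'lease:revoke' are assumptions.
POLICY = {
    "is_node_owner": "project_id:%(node.owner)s",
    "is_node_lessee": "project_id:%(node.lessee)s",
    "is_restricted_node_owner": (
        "True:%(node.restricted_node_owner)s and rule:is_node_owner"),
    # the owner loses maintenance while the node is leased ...
    "node:maintenance": (
        "rule:is_node_lessee or "
        "(not rule:is_restricted_node_owner and rule:is_node_owner)"),
    # ... but can still revoke the lease
    "lease:revoke": "rule:is_node_owner or rule:is_node_lessee",
}


def build_target(node):
    """Build the policy target for a node, including the proposed flag:
    the owner is 'restricted' whenever the node has both owner and lessee."""
    target = {"node.owner": node.get("owner"), "node.lessee": node.get("lessee")}
    target["node.restricted_node_owner"] = bool(node.get("owner") and node.get("lessee"))
    return target


def tokenize(rule):
    """Split on whitespace, peeling leading '(' and trailing ')' off each word,
    so a check such as 'project_id:%(node.owner)s' survives intact."""
    for word in rule.split():
        stripped = word.lstrip("(")
        for _ in range(len(word) - len(stripped)):
            yield "("
        body = stripped.rstrip(")")
        trail = len(stripped) - len(body)
        if body:
            yield body
        for _ in range(trail):
            yield ")"


class _Parser:
    """Recursive descent: 'or' binds loosest, then 'and', then unary 'not'."""

    def __init__(self, tokens):
        self.toks = list(tokens)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.expr_or()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node

    def expr_or(self):
        node = self.expr_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.expr_and())
        return node

    def expr_and(self):
        node = self.expr_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.expr_not())
        return node

    def expr_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.expr_not())
        return self.primary()

    def primary(self):
        tok = self.take()
        if tok == "(":
            node = self.expr_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or ":" not in tok:
            raise ValueError("bad check %r" % tok)
        return ("check", tok)


def _check(expr, target, creds):
    kind, match = expr.split(":", 1)
    if kind == "rule":                      # rule:<name> recurses into POLICY
        return enforce(match, target, creds)
    try:
        value = match % target              # '%(node.owner)s' -> owner project id
    except KeyError:
        return False
    try:                                    # literal left side, e.g. True:%(...)s
        return value == str(ast.literal_eval(kind))
    except (ValueError, SyntaxError):
        pass
    return kind in creds and value == str(creds[kind])   # e.g. project_id:...


def _eval(node, target, creds):
    op = node[0]
    if op == "check":
        return _check(node[1], target, creds)
    if op == "not":
        return not _eval(node[1], target, creds)
    left = _eval(node[1], target, creds)
    if op == "and":
        return left and _eval(node[2], target, creds)
    return left or _eval(node[2], target, creds)


def enforce(rule_name, target, creds):
    """Return True if `creds` may perform `rule_name` on `target`."""
    return _eval(_Parser(tokenize(POLICY[rule_name])).parse(), target, creds)


if __name__ == "__main__":
    # constructed identities and nodes
    owner, lessee = {"project_id": "proj-owner"}, {"project_id": "proj-lessee"}
    unleased = build_target({"owner": "proj-owner", "lessee": None})
    leased = build_target({"owner": "proj-owner", "lessee": "proj-lessee"})
    for who, creds in (("owner", owner), ("lessee", lessee)):
        for state, target in (("unleased", unleased), ("leased", leased)):
            print(who, state, "maintenance:", enforce("node:maintenance", target, creds),
                  "revoke:", enforce("lease:revoke", target, creds))
```

The point to check when reviewing the real policy file is the `not rule:is_restricted_node_owner and rule:is_node_owner` clause: with the flag set, an owner-privileged script that skips the lease check is denied the maintenance call by policy rather than by its own discipline, while the owner keeps the lease-revocation path.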

tzumainn commented 1 month ago

That looks reasonable to me. I don't think we'll be implementing this any time soon, but it's good to have this knowledge in our back pocket. Thanks!