[nova][ironic] Changing an owner of a provisioned node

Tzu-Mainn Chen tzumainn at redhat.com
Wed Dec 4 19:56:37 UTC 2019


On Wed, Dec 4, 2019 at 2:55 PM Dmitry Tantsur <dtantsur at redhat.com> wrote:

> Hi,
>
> On Wed, Dec 4, 2019 at 7:58 PM Matt Riedemann <mriedemos at gmail.com> wrote:
>
>> The 1.50 microversion [1] in the ironic API added the "owner" field to
>> the node and I'm trying to use that to add some scheduler filtering in
>> nova [2]. It's my understanding that the owner field on a provisioned
>> node (instance_uuid on the node is set) can be changed, but I'm
>> surprised that is allowed. Was that an oversight in developing that
>> feature?
>>
>
> I think so.. we have also uncovered it while discussing
> https://review.opendev.org/#/c/696707/ which can make this issue worse.
>
>
>>
>> The use case for the scheduler filter is baremetal nodes are owned by
>> different (non-admin) projects in a deployment. When a non-admin project
>> creates a baremetal server via nova, nova will filter out nodes that are
>> not owned by the project (based on the node.owner field). If a node
>> isn't owned by any project, only admins can use it. Admins also have
>> access to all nodes regardless of owner.
>>
>> Given that, let's say user 1 from project A creates a server on nova X
>> that is owned by project A (node.owner=A). Then the node.owner is
>> changed to project B. What should happen? Should nova detect that
>> ownership change and stop the node or something?
>>
>> Note that with other resources that can transfer ownership, like
>> volumes, that can only be done when they aren't in use. So why don't we
>> have the same rules for nodes?
>>
>> Assuming we do want to enforce this in the API (a 409 response when
>> trying to change the owner on a provisioned node), how would that be
>> done given this is a problem since 1.50 which was added in Stein? Would
>> a policy rule be added to ironic to determine if someone can change the
>> owner on a provisioned node and if so, what would be the default rule?
>> The same as "baremetal:node:update" (rule:is_admin)?
>>
>
> I like the idea of something like baremetal:node:update_owner defaulting
> to rule:is_admin (NOT to baremetal:node:update). I can work on a patch
> tomorrow if nobody beats me to it.
>

I'm happy to take this on. Thanks!

Mainn



> Dmitry
>
>
>>
>> [1] https://docs.openstack.org/ironic/latest/contributor/webapi-version-history.html#id7
>> [2] https://blueprints.launchpad.net/nova/+spec/ironic-tenant-filter
>>
>> --
>>
>> Thanks,
>>
>> Matt
>>
>>
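As an added illustration of the two rules discussed in this thread (the nova-side owner filter and the proposed baremetal:node:update_owner policy gating owner changes on provisioned nodes), this is not nova or ironic code: Node, Context, the policy table and the function names are hypothetical stand-ins for the real API objects and oslo.policy checks, and the sample nodes are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Policy = Dict[str, Callable[["Context"], bool]]

@dataclass
class Context:
    project_id: str
    is_admin: bool

@dataclass
class Node:
    uuid: str
    owner: Optional[str]          # ironic node.owner, added in API 1.50
    instance_uuid: Optional[str]  # set once nova has provisioned the node

# Defaults as proposed in the thread: both rules are rule:is_admin, and
# update_owner does not inherit from node:update, so loosening node:update
# in a deployment does not implicitly allow owner changes on busy nodes.
DEFAULT_POLICY: Policy = {
    "baremetal:node:update": lambda ctx: ctx.is_admin,
    "baremetal:node:update_owner": lambda ctx: ctx.is_admin,
}

class Conflict(Exception):
    """Stands in for the HTTP 409 ironic would return."""

def schedulable_nodes(nodes: List[Node], ctx: Context) -> List[Node]:
    """Nova-side filter: admins see every node; a non-admin project sees only
    nodes owned by it, so unowned nodes (owner=None) stay admin-only."""
    if ctx.is_admin:
        return list(nodes)
    return [n for n in nodes if n.owner == ctx.project_id]

def update_owner(node: Node, new_owner: Optional[str], ctx: Context,
                 policy: Policy = DEFAULT_POLICY) -> Node:
    """Ironic-side check: a provisioned node (instance_uuid set) only changes
    owner if update_owner passes, otherwise a 409 is raised; an unprovisioned
    node needs only node:update."""
    if not policy["baremetal:node:update"](ctx):
        raise PermissionError("baremetal:node:update denied")
    if node.instance_uuid and not policy["baremetal:node:update_owner"](ctx):
        raise Conflict(f"node {node.uuid} is in use by instance "
                       f"{node.instance_uuid}; owner change refused")
    node.owner = new_owner
    return node
```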