On Wed, Dec 4, 2019 at 2:55 PM Dmitry Tantsur <dtantsur@redhat.com> wrote:
Hi,

On Wed, Dec 4, 2019 at 7:58 PM Matt Riedemann <mriedemos@gmail.com> wrote:
The 1.50 microversion [1] in the ironic API added the "owner" field to
the node and I'm trying to use that to add some scheduler filtering in
nova [2]. It's my understanding that the owner field on a provisioned
node (instance_uuid on the node is set) can be changed, but I'm
surprised that is allowed. Was that an oversight in developing that feature?

I think so. We have also uncovered it while discussing https://review.opendev.org/#/c/696707/, which can make this issue worse.

The use case for the scheduler filter is baremetal nodes are owned by
different (non-admin) projects in a deployment. When a non-admin project
creates a baremetal server via nova, nova will filter out nodes that are
not owned by the project (based on the node.owner field). If a node
isn't owned by any project, only admins can use it. Admins also have
access to all nodes regardless of owner.

Given that, let's say user 1 from project A creates a server on nova X
that is owned by project A (node.owner=A). Then the node.owner is
changed to project B. What should happen? Should nova detect that
ownership change and stop the node or something?

Note that with other resources that can transfer ownership, like
volumes, that can only be done when they aren't in use. So why don't we
have the same rules for nodes?

Assuming we do want to enforce this in the API (a 409 response when
trying to change the owner on a provisioned node), how would that be
done given this is a problem since 1.50 which was added in Stein? Would
a policy rule be added to ironic to determine if someone can change the
owner on a provisioned node and if so, what would be the default rule?
The same as "baremetal:node:update" (rule:is_admin)?

I like the idea of something like baremetal:node:update_owner defaulting to rule:is_admin (NOT to baremetal:node:update). I can work on a patch tomorrow if nobody beats me to it.

I'm happy to take this on. Thanks!

Mainn
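To make the two mechanisms discussed above concrete, here is an added, stand-alone sketch (not code from ironic, nova, or any of the people on this thread). It models the nova-side scheduler filter described by Matt (non-admin projects see only nodes whose node.owner matches their project, unowned nodes are admin-only, admins see everything) and the ironic-side guard that the thread converges on: an owner change on a provisioned node (instance_uuid set) is answered with 409, and the operation is gated by a policy rule. The rule name baremetal:node:update_owner, the tiny policy evaluator, the Node and RequestContext types and all sample nodes are assumptions constructed for this example.

```python
"""Sketch of owner-based node filtering and an owner-update guard.

Hypothetical model of the behaviour discussed in the thread; it is not
ironic's or nova's real implementation and uses no OpenStack libraries.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Node:
    uuid: str
    owner: Optional[str]          # owning project id, or None when unowned
    instance_uuid: Optional[str]  # set once the node is provisioned


@dataclass
class RequestContext:
    project_id: str
    is_admin: bool


# Policy defaults in the spirit of ironic's policy file.  The
# "update_owner" rule is the one proposed in the thread; its name and the
# fact that it defaults to rule:is_admin are assumptions of this sketch.
POLICY = {
    "baremetal:node:update": "rule:is_admin",
    "baremetal:node:update_owner": "rule:is_admin",
}


def policy_allows(rule: str, ctx: RequestContext) -> bool:
    """Minimal evaluator: the only rule body this sketch understands is
    'rule:is_admin', which passes for admin contexts only."""
    return POLICY[rule] == "rule:is_admin" and ctx.is_admin


def node_visible(node: Node, ctx: RequestContext) -> bool:
    """Scheduler-filter rule from the thread: admins see every node;
    a non-admin project sees only nodes owned by that project, so
    unowned nodes are effectively admin-only."""
    if ctx.is_admin:
        return True
    return node.owner is not None and node.owner == ctx.project_id


def filter_nodes(nodes: List[Node], ctx: RequestContext) -> List[str]:
    """Return the uuids of the nodes a request context may schedule to."""
    return [n.uuid for n in nodes if node_visible(n, ctx)]


def owner_update_status(node: Node, new_owner: Optional[str],
                        ctx: RequestContext) -> int:
    """Decide an owner-change request the way the thread proposes and
    return the HTTP status the API would answer with.

    403: caller fails the baremetal:node:update_owner policy.
    409: node is provisioned (instance_uuid set); ownership cannot be
         transferred while the node is in use, as with volumes.
    200: change applied.
    """
    if not policy_allows("baremetal:node:update_owner", ctx):
        return 403
    if node.instance_uuid is not None:
        return 409
    node.owner = new_owner
    return 200


if __name__ == "__main__":
    # Constructed sample data: three nodes, one non-admin and one admin.
    nodes = [Node("n1", "A", None), Node("n2", "B", None), Node("n3", None, None)]
    user_a = RequestContext("A", False)
    admin = RequestContext("ops", True)
    print("project A sees:", filter_nodes(nodes, user_a))   # ['n1']
    print("admin sees:", filter_nodes(nodes, admin))        # ['n1', 'n2', 'n3']
    print(owner_update_status(Node("n4", "A", "inst-1"), "B", admin))  # 409
```

The policy check runs before the state check so that a non-admin never learns, via the 409/200 difference, whether a node it cannot touch is provisioned.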