[nova][ironic] Changing an owner of a provisioned node
The 1.50 microversion [1] in the ironic API added the "owner" field to the node and I'm trying to use that to add some scheduler filtering in nova [2]. It's my understanding that the owner field on a provisioned node (instance_uuid on the node is set) can be changed, but I'm surprised that is allowed. Was that an oversight in developing that feature?
The use case for the scheduler filter is baremetal nodes are owned by different (non-admin) projects in a deployment. When a non-admin project creates a baremetal server via nova, nova will filter out nodes that are not owned by the project (based on the node.owner field). If a node isn't owned by any project, only admins can use it. Admins also have access to all nodes regardless of owner.
Given that, let's say user 1 from project A creates a server on nova X that is owned by project A (node.owner=A). Then the node.owner is changed to project B. What should happen? Should nova detect that ownership change and stop the node or something?
Note that with other resources that can transfer ownership, like volumes, that can only be done when they aren't in use. So why don't we have the same rules for nodes?
Assuming we do want to enforce this in the API (a 409 response when trying to change the owner on a provisioned node), how would that be done given this is a problem since 1.50 which was added in Stein? Would a policy rule be added to ironic to determine if someone can change the owner on a provisioned node and if so, what would be the default rule? The same as "baremetal:node:update" (rule:is_admin)?
[1] https://docs.openstack.org/ironic/latest/contributor/webapi-version-history....
[2] https://blueprints.launchpad.net/nova/+spec/ironic-tenant-filter
--
Thanks,
Matt
Hi,
On Wed, Dec 4, 2019 at 7:58 PM Matt Riedemann <mriedemos@gmail.com> wrote:
> The 1.50 microversion [1] in the ironic API added the "owner" field to the node and I'm trying to use that to add some scheduler filtering in nova [2]. It's my understanding that the owner field on a provisioned node (instance_uuid on the node is set) can be changed, but I'm surprised that is allowed. Was that an oversight in developing that feature?
I think so.. we have also uncovered it while discussing https://review.opendev.org/#/c/696707/ which can make this issue worse.
> The use case for the scheduler filter is baremetal nodes are owned by different (non-admin) projects in a deployment. When a non-admin project creates a baremetal server via nova, nova will filter out nodes that are not owned by the project (based on the node.owner field). If a node isn't owned by any project, only admins can use it. Admins also have access to all nodes regardless of owner.
> Given that, let's say user 1 from project A creates a server on nova X that is owned by project A (node.owner=A). Then the node.owner is changed to project B. What should happen? Should nova detect that ownership change and stop the node or something?
> Note that with other resources that can transfer ownership, like volumes, that can only be done when they aren't in use. So why don't we have the same rules for nodes?
> Assuming we do want to enforce this in the API (a 409 response when trying to change the owner on a provisioned node), how would that be done given this is a problem since 1.50 which was added in Stein? Would a policy rule be added to ironic to determine if someone can change the owner on a provisioned node and if so, what would be the default rule? The same as "baremetal:node:update" (rule:is_admin)?
I like the idea of something like baremetal:node:update_owner defaulting to rule:is_admin (NOT to baremetal:node:update). I can work on a patch tomorrow if nobody beats me to it.
Dmitry
> [1] https://docs.openstack.org/ironic/latest/contributor/webapi-version-history....
> [2] https://blueprints.launchpad.net/nova/+spec/ironic-tenant-filter
> --
> Thanks,
> Matt
On Wed, Dec 4, 2019 at 2:55 PM Dmitry Tantsur <dtantsur@redhat.com> wrote:
> Hi,
> On Wed, Dec 4, 2019 at 7:58 PM Matt Riedemann <mriedemos@gmail.com> wrote:
> > The 1.50 microversion [1] in the ironic API added the "owner" field to the node and I'm trying to use that to add some scheduler filtering in nova [2]. It's my understanding that the owner field on a provisioned node (instance_uuid on the node is set) can be changed, but I'm surprised that is allowed. Was that an oversight in developing that feature?
> I think so.. we have also uncovered it while discussing https://review.opendev.org/#/c/696707/ which can make this issue worse.
> > The use case for the scheduler filter is baremetal nodes are owned by different (non-admin) projects in a deployment. When a non-admin project creates a baremetal server via nova, nova will filter out nodes that are not owned by the project (based on the node.owner field). If a node isn't owned by any project, only admins can use it. Admins also have access to all nodes regardless of owner.
> > Given that, let's say user 1 from project A creates a server on nova X that is owned by project A (node.owner=A). Then the node.owner is changed to project B. What should happen? Should nova detect that ownership change and stop the node or something?
> > Note that with other resources that can transfer ownership, like volumes, that can only be done when they aren't in use. So why don't we have the same rules for nodes?
> > Assuming we do want to enforce this in the API (a 409 response when trying to change the owner on a provisioned node), how would that be done given this is a problem since 1.50 which was added in Stein? Would a policy rule be added to ironic to determine if someone can change the owner on a provisioned node and if so, what would be the default rule? The same as "baremetal:node:update" (rule:is_admin)?
> I like the idea of something like baremetal:node:update_owner defaulting to rule:is_admin (NOT to baremetal:node:update). I can work on a patch tomorrow if nobody beats me to it.
I'm happy to take this on. Thanks!
Mainn
> Dmitry
> > [1] https://docs.openstack.org/ironic/latest/contributor/webapi-version-history....
> > [2] https://blueprints.launchpad.net/nova/+spec/ironic-tenant-filter
> > --
> > Thanks,
> > Matt
On 12/4/2019 1:56 PM, Tzu-Mainn Chen wrote:
> > I like the idea of something like baremetal:node:update_owner defaulting to rule:is_admin (NOT to baremetal:node:update). I can work on a patch tomorrow if nobody beats me to it.
> I'm happy to take this on. Thanks!
Thanks, I've created a story/bug report for tracking this: https://storyboard.openstack.org/#!/story/2006997
--
Thanks,
Matt
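Added example, not part of the thread and not nova or ironic code: a small Python model of the scheduler filter rules and of the project A to project B scenario, with and without a 409 guard on provisioned nodes. The `Node` and `Context` classes, the `POLICY` table and the way the policy check and the 409 combine are assumptions made for illustration; only the rule name, its `is_admin` default and the 409 idea come from the messages above.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Node:                      # constructed stand-in for an ironic node
    uuid: str
    owner: Optional[str] = None          # project ID, or None if unowned
    instance_uuid: Optional[str] = None  # set while the node is provisioned

@dataclass
class Context:                   # constructed stand-in for a request context
    project_id: str
    is_admin: bool = False

# Hypothetical policy table; rule name and default are the ones proposed in the thread.
POLICY = {"baremetal:node:update_owner": lambda ctx: ctx.is_admin}

def usable_nodes(ctx, nodes):
    """Scheduler filter as described: admins see every node, a project sees
    only nodes it owns, and unowned nodes are admin-only."""
    return [n.uuid for n in nodes
            if ctx.is_admin or (n.owner is not None and n.owner == ctx.project_id)]

def set_owner(ctx, node, new_owner, enforce=True):
    """Return the HTTP status an owner change would get.

    enforce=False models the behaviour questioned in the thread (owner can
    change while instance_uuid is set); enforce=True models the 409 proposal.
    """
    if not POLICY["baremetal:node:update_owner"](ctx):
        return 403               # caller fails the policy rule
    if enforce and node.instance_uuid is not None:
        return 409               # node is in use, so ownership cannot move
    node.owner = new_owner
    return 200

def demo(enforce):
    """Project A deploys on its node X, then an admin reassigns X to B."""
    node = Node("node-x", owner="A", instance_uuid="inst-1")
    status = set_owner(Context("admin", is_admin=True), node, "B", enforce)
    # Does project A still pass the filter for the node its server runs on?
    a_sees = "node-x" in usable_nodes(Context("A"), [node])
    return status, node.owner, a_sees
```

With `enforce=False` the owner flips to B while project A's instance is still on the node, so the filter and the running server disagree about who the node belongs to; with `enforce=True` the change is refused and the two stay consistent.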
participants (3)
- Dmitry Tantsur
- Matt Riedemann
- Tzu-Mainn Chen