[nova][ironic] Changing an owner of a provisioned node
Matt Riedemann
mriedemos at gmail.com
Wed Dec 4 18:56:20 UTC 2019
The 1.50 microversion [1] in the ironic API added the "owner" field to
the node and I'm trying to use that to add some scheduler filtering in
nova [2]. It's my understanding that the owner field on a provisioned
node (instance_uuid on the node is set) can be changed, but I'm
surprised that is allowed. Was that an oversight in developing that feature?

The use case for the scheduler filter is baremetal nodes are owned by
different (non-admin) projects in a deployment. When a non-admin project
creates a baremetal server via nova, nova will filter out nodes that are
not owned by the project (based on the node.owner field). If a node
isn't owned by any project, only admins can use it. Admins also have
access to all nodes regardless of owner.

Given that, let's say user 1 from project A creates a server on nova X
that is owned by project A (node.owner=A). Then the node.owner is
changed to project B. What should happen? Should nova detect that
ownership change and stop the node or something?

Note that with other resources that can transfer ownership, like
volumes, that can only be done when they aren't in use. So why don't we
have the same rules for nodes?

Assuming we do want to enforce this in the API (a 409 response when
trying to change the owner on a provisioned node), how would that be
done given this is a problem since 1.50 which was added in Stein? Would
a policy rule be added to ironic to determine if someone can change the
owner on a provisioned node and if so, what would be the default rule?
The same as "baremetal:node:update" (rule:is_admin)?
[1] https://docs.openstack.org/ironic/latest/contributor/webapi-version-history.html#id7
[2] https://blueprints.launchpad.net/nova/+spec/ironic-tenant-filter
--
Thanks,
Matt
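The two rules discussed in the message above (the owner-based scheduler filter, and a 409 conflict when someone tries to change the owner of a provisioned node) modelled in plain Python. This is an added illustration, not nova's or ironic's own code: the `Node` and `RequestSpec` dataclasses, the `sample_nodes()` fixture and the `OwnerChangeConflict` exception are constructed for this example, and the conflict check simply rejects every owner change on a node with `instance_uuid` set, since the message leaves the policy default (admin override or not) as an open question.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Node:
    """Minimal stand-in for an ironic node (hypothetical, not ironic's model)."""
    uuid: str
    owner: Optional[str]          # project id from the 1.50 "owner" field, or None
    instance_uuid: Optional[str]  # set once the node is provisioned


@dataclass
class RequestSpec:
    """Minimal stand-in for the nova request context (hypothetical)."""
    project_id: str
    is_admin: bool


def node_passes_owner_filter(node: Node, spec: RequestSpec) -> bool:
    """Owner rule from the message: admins see everything, unowned nodes are
    admin-only, and a non-admin project only gets nodes it owns."""
    if spec.is_admin:
        return True
    if node.owner is None:
        return False
    return node.owner == spec.project_id


def filter_nodes(nodes: List[Node], spec: RequestSpec) -> List[str]:
    """Return the uuids of nodes that survive the owner filter, in order."""
    return [n.uuid for n in nodes if node_passes_owner_filter(n, spec)]


class OwnerChangeConflict(Exception):
    """Models the proposed HTTP 409 for an owner change on a provisioned node."""


def update_owner(node: Node, new_owner: Optional[str]) -> Node:
    """Apply an owner change, refusing it while the node is in use.

    Mirrors the volume rule cited in the message: ownership transfers only
    when the resource is not in use. A no-op change (same owner) is allowed.
    Whether an admin policy rule should bypass this is left open, as in the
    message, so this version rejects unconditionally.
    """
    if node.instance_uuid is not None and node.owner != new_owner:
        raise OwnerChangeConflict(
            f"node {node.uuid} is provisioned (instance {node.instance_uuid}); "
            f"owner change {node.owner!r} -> {new_owner!r} refused (409)"
        )
    node.owner = new_owner
    return node


def sample_nodes() -> List[Node]:
    """Constructed sample inventory: two owned free nodes, one unowned node,
    and one provisioned node owned by project A."""
    return [
        Node("node-1", owner="A", instance_uuid=None),
        Node("node-2", owner="B", instance_uuid=None),
        Node("node-3", owner=None, instance_uuid=None),
        Node("node-4", owner="A", instance_uuid="inst-1"),
    ]


if __name__ == "__main__":
    nodes = sample_nodes()
    print("project A:", filter_nodes(nodes, RequestSpec("A", is_admin=False)))
    print("project B:", filter_nodes(nodes, RequestSpec("B", is_admin=False)))
    print("admin:    ", filter_nodes(nodes, RequestSpec("C", is_admin=True)))
    try:
        update_owner(nodes[3], "B")
    except OwnerChangeConflict as exc:
        print("refused:", exc)
```

Running the module prints the three filter results and then the refusal for the provisioned node; the same shape could be expressed as a nova scheduler filter's `host_passes()` and an ironic API-layer check, but those integration points are not part of this example.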