[nova][ironic] Changing an owner of a provisioned node

Dmitry Tantsur dtantsur at redhat.com
Wed Dec 4 19:49:11 UTC 2019


On Wed, Dec 4, 2019 at 7:58 PM Matt Riedemann <mriedemos at gmail.com> wrote:

> The 1.50 microversion [1] in the ironic API added the "owner" field to
> the node and I'm trying to use that to add some scheduler filtering in
> nova [2]. It's my understanding that the owner field on a provisioned
> node (instance_uuid on the node is set) can be changed, but I'm
> surprised that is allowed. Was that an oversight in developing that
> feature?

I think so.. we have also uncovered it while discussing
https://review.opendev.org/#/c/696707/ which can make this issue worse.

> The use case for the scheduler filter is baremetal nodes are owned by
> different (non-admin) projects in a deployment. When a non-admin project
> creates a baremetal server via nova, nova will filter out nodes that are
> not owned by the project (based on the node.owner field). If a node
> isn't owned by any project, only admins can use it. Admins also have
> access to all nodes regardless of owner.
> Given that, let's say user 1 from project A creates a server on nova X
> that is owned by project A (node.owner=A). Then the node.owner is
> changed to project B. What should happen? Should nova detect that
> ownership change and stop the node or something?
> Note that with other resources that can transfer ownership, like
> volumes, that can only be done when they aren't in use. So why don't we
> have the same rules for nodes?
> Assuming we do want to enforce this in the API (a 409 response when
> trying to change the owner on a provisioned node), how would that be
> done given this is a problem since 1.50 which was added in Stein? Would
> a policy rule be added to ironic to determine if someone can change the
> owner on a provisioned node and if so, what would be the default rule?
> The same as "baremetal:node:update" (rule:is_admin)?

I like the idea of something like baremetal:node:update_owner defaulting to
rule:is_admin (NOT to baremetal:node:update). I can work on a patch
tomorrow if nobody beats me to it.


> [1]
> https://docs.openstack.org/ironic/latest/contributor/webapi-version-history.html#id7
> [2] https://blueprints.launchpad.net/nova/+spec/ironic-tenant-filter
> --
> Thanks,
> Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20191204/29189b5f/attachment-0001.html>

More information about the openstack-discuss mailing list