[nova][ironic] Changing an owner of a provisioned node
tzumainn at redhat.com
Wed Dec 4 19:56:37 UTC 2019
On Wed, Dec 4, 2019 at 2:55 PM Dmitry Tantsur <dtantsur at redhat.com> wrote:
> On Wed, Dec 4, 2019 at 7:58 PM Matt Riedemann <mriedemos at gmail.com> wrote:
>> The 1.50 microversion in the ironic API added the "owner" field to
>> the node and I'm trying to use that to add some scheduler filtering in
>> nova. It's my understanding that the owner field on a provisioned
>> node (instance_uuid on the node is set) can be changed, but I'm
>> surprised that is allowed. Was that an oversight in developing that
> I think so. We have also uncovered it while discussing
> https://review.opendev.org/#/c/696707/ which can make this issue worse.
>> The use case for the scheduler filter is baremetal nodes are owned by
>> different (non-admin) projects in a deployment. When a non-admin project
>> creates a baremetal server via nova, nova will filter out nodes that are
>> not owned by the project (based on the node.owner field). If a node
>> isn't owned by any project, only admins can use it. Admins also have
>> access to all nodes regardless of owner.
>> Given that, let's say user 1 from project A creates a server on nova X
>> that is owned by project A (node.owner=A). Then the node.owner is
>> changed to project B. What should happen? Should nova detect that
>> ownership change and stop the node or something?
>> Note that with other resources that can transfer ownership, like
>> volumes, that can only be done when they aren't in use. So why don't we
>> have the same rules for nodes?
>> Assuming we do want to enforce this in the API (a 409 response when
>> trying to change the owner on a provisioned node), how would that be
>> done given this is a problem since 1.50 which was added in Stein? Would
>> a policy rule be added to ironic to determine if someone can change the
>> owner on a provisioned node and if so, what would be the default rule?
>> The same as "baremetal:node:update" (rule:is_admin)?
> I like the idea of something like baremetal:node:update_owner defaulting
> to rule:is_admin (NOT to baremetal:node:update). I can work on a patch
> tomorrow if nobody beats me to it.
I'm happy to take this on. Thanks!
>> https://blueprints.launchpad.net/nova/+spec/ironic-tenant-filter
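The two rules the thread argues about, as an added illustration written for this archive page (it is not nova's or ironic's own code): the owner-based scheduler filter Matt describes (non-admin projects see only nodes they own, unowned nodes are admin-only, admins see everything), and the ironic-side guard that refuses an owner change on a provisioned node with a 409 unless a dedicated policy rule allows it. The rule name `baremetal:node:update_owner` is the one Dmitry proposes above; the policy table, the `baremetal_operator` role and all node and project ids are constructed for the example.

```python
"""Owner-based node filtering and the owner-change guard, as discussed
in the thread. Example code, not nova's or ironic's. The POLICY table
and the 'baremetal_operator' role are constructed stand-ins for a
deployment's policy.json overrides."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Node:
    uuid: str
    owner: Optional[str] = None          # project id, or None when unowned
    instance_uuid: Optional[str] = None  # set once the node is provisioned


@dataclass
class Context:
    project_id: str
    is_admin: bool = False
    roles: Set[str] = field(default_factory=set)


class Conflict(Exception):
    """Stands in for the HTTP 409 response proposed in the thread."""


def filter_nodes_by_owner(nodes: List[Node], ctx: Context) -> List[Node]:
    """Scheduler-filter semantics from the thread: admins get every node,
    a non-admin project only gets nodes whose owner is its own project id,
    and unowned nodes (owner None) are never returned to non-admins."""
    if ctx.is_admin:
        return list(nodes)
    return [n for n in nodes if n.owner is not None and n.owner == ctx.project_id]


# Constructed policy table: rule name -> predicate on the request context.
# 'baremetal:node:update' is loosened to a hypothetical operator role so
# the 409 path below is reachable; 'baremetal:node:update_owner' keeps the
# proposed default of rule:is_admin and does NOT inherit from node:update.
POLICY = {
    "baremetal:node:update": lambda ctx: ctx.is_admin or "baremetal_operator" in ctx.roles,
    "baremetal:node:update_owner": lambda ctx: ctx.is_admin,
}


def enforce(rule: str, ctx: Context) -> bool:
    return POLICY[rule](ctx)


def update_owner(node: Node, new_owner: Optional[str], ctx: Context) -> Node:
    """Apply an owner change, refusing it on a provisioned node (instance_uuid
    set) unless the caller passes baremetal:node:update_owner."""
    if not enforce("baremetal:node:update", ctx):
        raise PermissionError("baremetal:node:update")
    if node.instance_uuid is not None and node.owner != new_owner:
        if not enforce("baremetal:node:update_owner", ctx):
            raise Conflict(f"node {node.uuid} is provisioned; owner change refused")
    node.owner = new_owner
    return node


if __name__ == "__main__":
    inventory = [Node("n1", owner="A"), Node("n2", owner="B", instance_uuid="i-2"), Node("n3")]
    print([n.uuid for n in filter_nodes_by_owner(inventory, Context("A"))])   # ['n1']
    print([n.uuid for n in filter_nodes_by_owner(inventory, Context("x", is_admin=True))])
```

Note that with both rules defaulting to `rule:is_admin`, an admin can still move a provisioned node between projects; the guard only bites for deployments that have opened `baremetal:node:update` to non-admins, which is exactly why the thread wants the owner rule kept separate rather than derived from `baremetal:node:update`.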