author | Julia Kreger <juliaashleykreger@gmail.com> | 2021-02-22 14:31:35 -0800 |
---|---|---|
committer | Julia Kreger <juliaashleykreger@gmail.com> | 2021-02-22 14:31:35 -0800 |
commit | 20a4f4aadc94d4651312799d4914249586415181 (patch) | |
tree | 754ca1564c68d0335972bfa0b6f83e47d6eb8847 | |
parent | b0d8d14065ba5495c5f5b6b811d55a99b5a11cb5 (diff) | |
download | ironic-20a4f4aadc94d4651312799d4914249586415181.tar.gz |
Review feedback follow-up on Node System Scoped RBAC
Changed permission defaults for changing the node owner of a node
and disabling cleaning to be system administrator based privileges.
This was review feedback in the very final review jam of the change,
which was agreed upon.
Change-Id: I5b0e609be1bfe90bbe76782e0544f7943b0c12a9
-rw-r--r-- | ironic/common/policy.py | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/ironic/common/policy.py b/ironic/common/policy.py
index 55e6bd2da..7ba2096bf 100644
--- a/ironic/common/policy.py
+++ b/ironic/common/policy.py
@@ -347,7 +347,7 @@ node_policies = [
 # TODO(TheJulia): Explicit RBAC testing needed for this.
 policy.DocumentedRuleDefault(
 name='baremetal:node:update_owner_provisioned',
- check_str=SYSTEM_MEMBER,
+ check_str=SYSTEM_ADMIN,
 scope_types=['system'],
 description='Update Node owner even when Node is provisioned',
 operations=[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}],
@@ -641,7 +641,7 @@ node_policies = [
 ),
 policy.DocumentedRuleDefault(
 name='baremetal:node:disable_cleaning',
- check_str=SYSTEM_MEMBER,
+ check_str=SYSTEM_ADMIN,
 scope_types=['system'],
 description='Disable Node disk cleaning',
 operations=[ |
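Review bot: The tightened default on `baremetal:node:update_owner_provisioned` lands without a test that pins it: the diffstat lists only ironic/common/policy.py, and the `# TODO(TheJulia): Explicit RBAC testing needed for this.` line directly above the rule is left in place. A test asserting that a system-scoped member is refused and a system-scoped admin is allowed for this rule would keep a later edit from silently loosening the default again. The same gap applies to the `baremetal:node:disable_cleaning` hunk at line 641. The `node_policies` list starts and ends outside both hunks, so whether either rule carries a `deprecated_rule` for operators with existing policy overrides cannot be seen from here.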
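Review bot: The `baremetal:node:disable_cleaning` rule in the second hunk does not say why it is now stricter than a plain system member check, and the reason is worth recording next to the rule. Presumably the concern is that a node whose cleaning is turned off can be handed to its next user with the previous user's disk contents intact. I would add a comment above the `policy.DocumentedRuleDefault(` line such as `# Skipping cleaning may leave a previous user's data on disk, so only system admins may disable it by default.` The rule's `operations=[` list continues past the end of the hunk.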