author | Tzu-Mainn Chen <tzumainn@redhat.com> | 2020-02-12 16:00:11 +0000 |
committer | Tzu-Mainn Chen <tzumainn@redhat.com> | 2020-03-09 16:27:04 +0000 |
commit | 16a2473b82565c5c2258f3a3b2674fca28bb8070 (patch) | |
tree | 1c18bc23544d0196beb02af4702c19a9cef201b6 /ironic/api/controllers/v1/utils.py | |
parent | 55a29c31fa5e5ec227b2e06564d6ab37afc2bb05 (diff) | |
Add separate policies for updating node instance_info and extra
In order to provision a node using standalone Ironic, a user must
be able to update a few additional node attributes. However, we
would not want a lessee user to be able to update every node
attribute. This change allows an Ironic administrator to provide
policy-based access to updating instance_info and extra.
Change-Id: I43c22027116da1e057972dbe853403c16e965fc9
Story: #2006506
Task: #38748
Diffstat (limited to 'ironic/api/controllers/v1/utils.py')
-rw-r--r-- | ironic/api/controllers/v1/utils.py | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/ironic/api/controllers/v1/utils.py b/ironic/api/controllers/v1/utils.py
index 3c012ff42..5c3349b0f 100644
--- a/ironic/api/controllers/v1/utils.py
+++ b/ironic/api/controllers/v1/utils.py
@@ -1235,6 +1235,30 @@ def check_allocation_policy_and_retrieve(policy_name, allocation_ident):
 return rpc_allocation
+def check_multiple_node_policies_and_retrieve(policy_names,
+ node_ident,
+ with_suffix=False):
+ """Check if the specified policies authorize this request on a node.
+
+ :param: policy_names: List of policy names to check.
+ :param: node_ident: the UUID or logical name of a node.
+ :param: with_suffix: whether the RPC node should include the suffix
+
+ :raises: HTTPForbidden if the policy forbids access.
+ :raises: NodeNotFound if the node is not found.
+ :return: RPC node identified by node_ident
+ """
+ rpc_node = None
+ for policy_name in policy_names:
+ if rpc_node is None:
+ rpc_node = check_node_policy_and_retrieve(policy_names[0],
+ node_ident,
+ with_suffix)
+ else:
+ check_owner_policy('node', policy_name, rpc_node['owner'])
+ return rpc_node
+
+
 def check_list_policy(object_type, owner=None):
 """Check if the list policy authorizes this request on an object.
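Review bot: When `policy_names` is empty, check_multiple_node_policies_and_retrieve returns None without checking any policy or looking the node up, so an empty list yields an unchecked path rather than the HTTPForbidden the docstring promises, and the `policy_names[0]` in the first branch reads as a bug even though it equals `policy_name` on the only iteration where it is used. Retrieving the node with the first policy outside the loop and iterating only the remaining names removes both issues and fails closed on an empty list, since the unpacking raises ValueError before any node is returned. The docstring should also say how the list is used, e.g. `The first policy is checked while retrieving the node; each remaining policy is checked against the retrieved node's owner.` Whether any caller can actually pass an empty list is not visible from this hunk.
```python
def check_multiple_node_policies_and_retrieve(policy_names,
                                              node_ident,
                                              with_suffix=False):
    # … unchanged: docstring …
    # Fail closed: an empty policy list must not return an unchecked node.
    first, *rest = policy_names
    rpc_node = check_node_policy_and_retrieve(first, node_ident, with_suffix)
    for policy_name in rest:
        check_owner_policy('node', policy_name, rpc_node['owner'])
    return rpc_node
```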