author | Tzu-Mainn Chen <tzumainn@redhat.com> | 2020-01-07 22:25:08 +0000 |
---|---|---|
committer | Tzu-Mainn Chen <tzumainn@redhat.com> | 2020-04-07 15:33:42 +0000 |
commit | 602a467a04a0cae3a2d65ba45bfd70eabd4c105a (patch) | |
tree | 0ea7dc920b01415d1c2588ccdfcff6b1f8c8e89e /ironic/api/controllers/v1/utils.py | |
parent | b148cabdb2cc6810b09e8bfbc500d15969c0f164 (diff) | |
Add node lessee field
This change adds a `lessee` field to nodes, and exposes it
to policy. It also updates the non-admin node list API
to match for both owner and lessee; and updates the
allocation conductor to match owner allocations with nodes
with the appropriate lessee.
Change-Id: Ib31b49c7143ec8fd6cb486fc24038215b197c418
Story: 2006506
Task: 37930
Diffstat (limited to 'ironic/api/controllers/v1/utils.py')
-rw-r--r-- | ironic/api/controllers/v1/utils.py | 27 |
1 files changed, 24 insertions, 3 deletions
diff --git a/ironic/api/controllers/v1/utils.py b/ironic/api/controllers/v1/utils.py index b840845c4..ebadb7107 100644 --- a/ironic/api/controllers/v1/utils.py +++ b/ironic/api/controllers/v1/utils.py @@ -490,6 +490,7 @@ VERSIONED_FIELDS = { 'events': versions.MINOR_54_EVENTS, 'retired': versions.MINOR_61_NODE_RETIRED, 'retired_reason': versions.MINOR_61_NODE_RETIRED, + 'lessee': versions.MINOR_65_NODE_LESSEE, } for field in V31_FIELDS: @@ -717,6 +718,20 @@ def check_allow_filter_by_owner(owner): 'opr': versions.MINOR_50_NODE_OWNER}) +def check_allow_filter_by_lessee(lessee): + """Check if filtering nodes by lessee is allowed. + + Version 1.62 of the API allows filtering nodes by lessee. + """ + if (lessee is not None and api.request.version.minor + < versions.MINOR_65_NODE_LESSEE): + raise exception.NotAcceptable(_( + "Request not acceptable. The minimal required API version " + "should be %(base)s.%(opr)s") % + {'base': versions.BASE_VERSION, + 'opr': versions.MINOR_65_NODE_LESSEE}) + + def initial_node_provision_state(): """Return node state to use by default when creating new nodes. @@ -1165,12 +1180,13 @@ def check_policy(policy_name): policy.authorize(policy_name, cdict, cdict) -def check_owner_policy(object_type, policy_name, owner): +def check_owner_policy(object_type, policy_name, owner, lessee=None): """Check if the policy authorizes this request on an object. :param: object_type: type of object being checked :param: policy_name: Name of the policy to check. :param: owner: the owner + :param: lessee: the lessee :raises: HTTPForbidden if the policy forbids access. """ @@ -1178,6 +1194,8 @@ def check_owner_policy(object_type, policy_name, owner): target_dict = dict(cdict) target_dict[object_type + '.owner'] = owner + if lessee: + target_dict[object_type + '.lessee'] = lessee policy.authorize(policy_name, target_dict, cdict) 
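Review bot: The docstring of `check_allow_filter_by_lessee` says "Version 1.62 of the API allows filtering nodes by lessee", but the guard directly below it compares `api.request.version.minor` against `versions.MINOR_65_NODE_LESSEE`, and the `VERSIONED_FIELDS` entry added in the first hunk uses the same constant. Someone reading the docstring would expect the filter to be accepted at an earlier microversion than the one the code enforces. Assuming the constant's name reflects its value (its definition is not part of this diff), the line should read `Version 1.65 of the API allows filtering nodes by lessee.`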
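Review bot: `check_owner_policy` adds `<object_type>.lessee` to the policy target only when `lessee` is truthy (`if lessee:`), whereas `.owner` is always set and the port path in the last hunk (`check_port_policy_and_retrieve`, `target_dict['node.lessee'] = rpc_node['lessee']`) sets the key unconditionally. A node with no lessee therefore presents two different targets to `policy.authorize`: the key is absent on the node paths and present with an empty value on the port path. How a rule that references `node.lessee` evaluates in each case depends on the policy engine, which this diff does not show, so the authorization result should not be left to hinge on that difference. Setting the key unconditionally with `target_dict[object_type + '.lessee'] = lessee` would match the owner handling, or the port path could call `check_owner_policy`; either way the `:param: lessee:` line, which currently says only "the lessee", should state what happens when it is `None`. The function's signature and docstring are in the previous hunk, and its first statements fall between the two hunks.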
@@ -1205,7 +1223,8 @@ def check_node_policy_and_retrieve(policy_name, node_ident, policy.authorize(policy_name, cdict, cdict) raise - check_owner_policy('node', policy_name, rpc_node['owner']) + check_owner_policy('node', policy_name, + rpc_node['owner'], rpc_node['lessee']) return rpc_node @@ -1253,7 +1272,8 @@ def check_multiple_node_policies_and_retrieve(policy_names, node_ident, with_suffix) else: - check_owner_policy('node', policy_name, rpc_node['owner']) + check_owner_policy('node', policy_name, + rpc_node['owner'], rpc_node['lessee']) return rpc_node @@ -1303,6 +1323,7 @@ def check_port_policy_and_retrieve(policy_name, port_uuid): rpc_node = objects.Node.get_by_id(context, rpc_port.node_id) target_dict = dict(cdict) target_dict['node.owner'] = rpc_node['owner'] + target_dict['node.lessee'] = rpc_node['lessee'] policy.authorize(policy_name, target_dict, cdict) return rpc_port, rpc_node |