authorTzu-Mainn Chen <tzumainn@redhat.com>2019-12-05 17:21:45 +0000
committerTzu-Mainn Chen <tzumainn@redhat.com>2019-12-13 21:06:13 +0000
commitf22ab44888e4b9fd549a5da8e907f4b8fa01faed (patch)
tree12105ddbd6af98ada20b494c2ac51d3304a24212 /ironic/common/policy.py
parent4b28072d4b9994dfbc9896f6c32b966dd3c4c91a (diff)
downloadironic-f22ab44888e4b9fd549a5da8e907f4b8fa01faed.tar.gz
Restrict ability to change owner on provisioned or allocated node
Prevents a user from changing the owner of a provisioned node unless they pass the new policy rule 'baremetal:node:update_owner_provisioned'. In addition, always prevents a user from changing the owner of an allocated node, if the allocation specifies an owner. Story: 2006997 Task: 37766 Change-Id: I4e8559bd215f70fb895ed0d41b2154c648e03597
Diffstat (limited to 'ironic/common/policy.py')
-rw-r--r--ironic/common/policy.py5
1 files changed, 5 insertions, 0 deletions
diff --git a/ironic/common/policy.py b/ironic/common/policy.py
index 2290cb917..9e019ccc0 100644
--- a/ironic/common/policy.py
+++ b/ironic/common/policy.py
@@ -102,6 +102,11 @@ node_policies = [
'Update Node records',
[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}]),
policy.DocumentedRuleDefault(
+ 'baremetal:node:update_owner_provisioned',
+ 'rule:is_admin',
+ 'Update Node owner even when Node is provisioned',
+ [{'path': '/nodes/{node_ident}', 'method': 'PATCH'}]),
+ policy.DocumentedRuleDefault(
'baremetal:node:delete',
'rule:is_admin',
'Delete Node records',
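Review bot: The description on `baremetal:node:update_owner_provisioned` does not tell an operator how this rule relates to `baremetal:node:update`, which is documented against the same `PATCH /nodes/{node_ident}` operation. Going by the commit message, it appears to be an extra gate on top of the general update rule. Operators override these defaults in their policy files, so it helps to say so in the string, e.g. `'Update Node owner even when Node is provisioned (checked in addition to baremetal:node:update)'`, and to state which provision states count as "provisioned". The enforcement itself is outside this file's diff, so confirm that the API handler is covered by a test in which a caller passes `baremetal:node:update` but fails this rule. The block on changing the owner of an allocated node is described as unconditional, so no policy override should be able to relax it. The `node_policies` list starts and ends outside the hunk.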