author | Tzu-Mainn Chen <tzumainn@redhat.com> | 2019-12-05 17:21:45 +0000 |
---|---|---|
committer | Tzu-Mainn Chen <tzumainn@redhat.com> | 2019-12-13 21:06:13 +0000 |
commit | f22ab44888e4b9fd549a5da8e907f4b8fa01faed (patch) | |
tree | 12105ddbd6af98ada20b494c2ac51d3304a24212 /ironic/common/policy.py | |
parent | 4b28072d4b9994dfbc9896f6c32b966dd3c4c91a (diff) | |
download | ironic-f22ab44888e4b9fd549a5da8e907f4b8fa01faed.tar.gz |
Restrict ability to change owner on provisioned or allocated node
Prevents a user from changing the owner of a provisioned node unless
they pass the new policy rule 'baremetal:node:update_owner_provisioned'.
In addition, always prevents a user from changing the owner of an
allocated node, if the allocation specifies an owner.
Story: 2006997
Task: 37766
Change-Id: I4e8559bd215f70fb895ed0d41b2154c648e03597
Diffstat (limited to 'ironic/common/policy.py')
-rw-r--r-- | ironic/common/policy.py | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/ironic/common/policy.py b/ironic/common/policy.py index 2290cb917..9e019ccc0 100644 --- a/ironic/common/policy.py +++ b/ironic/common/policy.py @@ -102,6 +102,11 @@ node_policies = [ 'Update Node records', [{'path': '/nodes/{node_ident}', 'method': 'PATCH'}]), policy.DocumentedRuleDefault( + 'baremetal:node:update_owner_provisioned', + 'rule:is_admin', + 'Update Node owner even when Node is provisioned', + [{'path': '/nodes/{node_ident}', 'method': 'PATCH'}]), + policy.DocumentedRuleDefault( 'baremetal:node:delete', 'rule:is_admin', 'Delete Node records', |
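
Review bot: the description on the added 'baremetal:node:update_owner_provisioned' rule ('Update Node owner even when Node is provisioned') does not say how it relates to 'baremetal:node:update', which is documented against the same operation (PATCH /nodes/{node_ident}). An operator reading the generated policy documentation cannot tell whether the new rule is required in addition to the update rule or instead of it, so I would suggest wording the description to state that relationship. The commit message also says an owner change on an allocated node is always refused when the allocation specifies an owner; that restriction is not expressed by this rule, so it should be mentioned in the description or in a release note, otherwise an operator may expect that granting the rule unlocks that case too. This view is limited to ironic/common/policy.py, so the code that checks the rule in the PATCH handler and the tests for the provisioned and allocated cases are not visible here and need to be reviewed in the rest of the change.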