From 9da6dfd73d3b4abe6acba01d9c8176c1581dc51f Mon Sep 17 00:00:00 2001
From: Julia Kreger
Date: Mon, 8 May 2023 09:11:09 -0700
Subject: [PATCH] Fix self_owned_node policy check

When enabling scope enforcement, the self_owned_node check could generate a failure because the check internally can be touched by both a project scoped and system scoped endpoint. This change changes the tag in the policy so it doesn't prematurely return an error to the API consumer.

Change-Id: I49e2f7f29eb98e5bb4e18614cea0aca726703f55
---
 ironic/common/policy.py | 4 ++--
 .../notes/fix-self-owned-node-policy-fc2dae357879dc33.yaml | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/fix-self-owned-node-policy-fc2dae357879dc33.yaml

diff --git a/ironic/common/policy.py b/ironic/common/policy.py
index b877611af6..d0b8c4a5ef 100644
--- a/ironic/common/policy.py
+++ b/ironic/common/policy.py
@@ -464,7 +464,7 @@ node_policies = [
 policy.DocumentedRuleDefault(
 name='baremetal:node:create:self_owned_node',
 check_str=('(role:admin) or (role:service)'),
- scope_types=['project'],
+ scope_types=['system', 'project'],
 description='Create node records which will be tracked '
 'as owned by the associated user project.',
 operations=[{'path': '/nodes', 'method': 'POST'}],
@@ -693,7 +693,7 @@ node_policies = [
 policy.DocumentedRuleDefault(
 name='baremetal:node:delete:self_owned_node',
 check_str=PROJECT_ADMIN,
- scope_types=['project'],
+ scope_types=['system', 'project'],
 description='Delete node records which are associated with '
 'the requesting project.',
 operations=[{'path': '/nodes/{node_ident}', 'method': 'DELETE'}],
diff --git a/releasenotes/notes/fix-self-owned-node-policy-fc2dae357879dc33.yaml b/releasenotes/notes/fix-self-owned-node-policy-fc2dae357879dc33.yaml
new file mode 100644
index 0000000000..c89796380a
--- /dev/null
+++ b/releasenotes/notes/fix-self-owned-node-policy-fc2dae357879dc33.yaml
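Review bot: Widening scope_types on the create:self_owned_node rule (the `+ scope_types=['system', 'project'],` line of the -464 hunk) makes the rule pass for a system-scoped token with role:admin or role:service, yet the rule's description still says the node is "tracked as owned by the associated user project", and a system-scoped request carries no project to record as owner; how the owner is set in that case is not visible in this hunk, so it should be confirmed that a system-scoped create cannot yield a node with an empty or unexpected owner. The line deserves a comment recording the reason the commit message gives, e.g. `# 'system' is listed so the scope check does not reject a system-scoped caller before the actual rule is evaluated (see change I49e2f7f29eb98e5bb4e18614cea0aca726703f55)`. The same applies to the delete:self_owned_node hunk at -693, where check_str=PROJECT_ADMIN is defined outside the hunk and presumably carries the project match that keeps a system-scoped delete from being over-permissive; that is worth verifying and noting in the same way. The enclosing node_policies list starts and ends outside both hunks.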
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ Fixes scope classification check with the "self_owned_node" policy
+ check where it was limited to check execution with only project
+ scoped, so system scoped users who ticked the policy endpoint would
+ basically get an incorrect error.