From 7e45d050f2efb0c45bcd9647a8529aa93098ca56 Mon Sep 17 00:00:00 2001
From: Claudia Watson
Date: Fri, 26 Sep 2025 17:16:33 +0100
Subject: [PATCH 1/7] Updating policy to allow role: baremetaluser
---
 etc/kayobe/kolla/config/neutron/policy.yml | 2 ++
 etc/kayobe/kolla/config/nova/policy.yml | 2 ++
 2 files changed, 4 insertions(+)
 create mode 100644 etc/kayobe/kolla/config/neutron/policy.yml
 create mode 100644 etc/kayobe/kolla/config/nova/policy.yml
diff --git a/etc/kayobe/kolla/config/neutron/policy.yml b/etc/kayobe/kolla/config/neutron/policy.yml
new file mode 100644
index 0000000000..6cee340edc
--- /dev/null
+++ b/etc/kayobe/kolla/config/neutron/policy.yml
@@ -0,0 +1,2 @@
+"create_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or role:baremetaluser"
+"create_port:mac_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or role:baremetaluser"
diff --git a/etc/kayobe/kolla/config/nova/policy.yml b/etc/kayobe/kolla/config/nova/policy.yml
new file mode 100644
index 0000000000..1b19845334
--- /dev/null
+++ b/etc/kayobe/kolla/config/nova/policy.yml
@@ -0,0 +1,2 @@
+"os_compute_api:servers:create:forced_host": "rule:context_is_admin or role:baremetaluser"
+"compute:servers:create:requested_destination": "rule:context_is_admin or role:baremetaluser"
From 3c85544723bd6f800f598c6f882816749e0c85e2 Mon Sep 17 00:00:00 2001
From: Claudia Watson
Date: Wed, 8 Oct 2025 10:22:48 +0100
Subject: [PATCH 2/7] release note added
---
 ...emetaluser-neutron-and-nova-policy-321b73327546ceec.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 releasenotes/notes/baremetaluser-neutron-and-nova-policy-321b73327546ceec.yaml
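Review bot: The `or role:baremetaluser` clause appended to `create_port:fixed_ips:ip_address` and `create_port:mac_address` is the only alternative in either rule that carries no project or network constraint — its neighbours are `role:manager and project_id:%(project_id)s` and `role:member and rule:network_owner` — so any token holding the role, in any project, may set an arbitrary fixed IP or MAC on a port on any network, not only the shared provisioning network the README in patch 5 describes. Consider binding the clause to a network condition and parenthesising it so the `and`/`or` precedence is explicit, e.g. `... or (role:baremetaluser and rule:shared)`, provided the deployed neutron defaults still define the `shared` rule; verify that against the running release before relying on it. The same unscoped clause is restated by the neutron hunks in patches 3 and 7 and the nova hunks in patches 4 and 7, so one fix should be carried through all of them. Separately, the README and release note only justify fixed IPs, so the `create_port:mac_address` override should either be documented with its reason or dropped if it is not needed.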
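Review bot: `rule:context_is_admin or role:baremetaluser` on both `os_compute_api:servers:create:forced_host` and `compute:servers:create:requested_destination` hands host/node pinning to every holder of the role, and nothing in the rule limits which hosts may be named, so in a cloud that also runs virtual compute nodes a role holder can presumably pin servers onto those hosts as well as onto ironic nodes. The README added in patch 5 only describes the baremetal Slurm case, so that wider reach is worth stating there, together with a reminder to assign the role narrowly and to audit who holds it. A project constraint would not narrow this, since the base server-create rule already ties the request to the caller's project; any host restriction has to come from outside this policy file.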
diff --git a/releasenotes/notes/baremetaluser-neutron-and-nova-policy-321b73327546ceec.yaml b/releasenotes/notes/baremetaluser-neutron-and-nova-policy-321b73327546ceec.yaml
new file mode 100644
index 0000000000..758d77ea91
--- /dev/null
+++ b/releasenotes/notes/baremetaluser-neutron-and-nova-policy-321b73327546ceec.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Updated neutron and nova policy to allow role:
+ ``baremetaluser`` to map baremetal instances
+ to specific ironic nodes.
From 53cb3d4fb4bd67248aaf39281861cc9cee51b26d Mon Sep 17 00:00:00 2001
From: John Garbutt
Date: Thu, 13 Nov 2025 10:18:17 +0000
Subject: [PATCH 3/7] Update neutron policy to include baremetaluser role
---
 etc/kayobe/kolla/config/neutron/policy.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/etc/kayobe/kolla/config/neutron/policy.yml b/etc/kayobe/kolla/config/neutron/policy.yml
index 6cee340edc..2e694dffde 100644
--- a/etc/kayobe/kolla/config/neutron/policy.yml
+++ b/etc/kayobe/kolla/config/neutron/policy.yml
@@ -1,2 +1,4 @@
+#"create_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner"
 "create_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or role:baremetaluser"
+#"create_port:mac_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner"
 "create_port:mac_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or role:baremetaluser"
From a01878429074bf1a1415a5bdc58e310db830315f Mon Sep 17 00:00:00 2001
From: John Garbutt
Date: Thu, 13 Nov 2025 10:20:11 +0000
Subject: [PATCH 4/7] Add original nova policy as comments
---
 etc/kayobe/kolla/config/nova/policy.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/etc/kayobe/kolla/config/nova/policy.yml b/etc/kayobe/kolla/config/nova/policy.yml
index 1b19845334..0355393eb1 100644
--- a/etc/kayobe/kolla/config/nova/policy.yml
+++ b/etc/kayobe/kolla/config/nova/policy.yml
@@ -1,2 +1,4 @@
+#"os_compute_api:servers:create:forced_host": "rule:context_is_admin"
 "os_compute_api:servers:create:forced_host": "rule:context_is_admin or role:baremetaluser"
+#"compute:servers:create:requested_destination": "rule:context_is_admin"
 "compute:servers:create:requested_destination": "rule:context_is_admin or role:baremetaluser"
From 304c763ea47cbe3607180bf9de1d625c09205bdd Mon Sep 17 00:00:00 2001
From: John Garbutt
Date: Thu, 13 Nov 2025 10:34:26 +0000
Subject: [PATCH 5/7] Move policy into a mixin
---
 .../environments/baremetal-policy/README.rst | 15 +++++++++++++++
 .../kolla/config/neutron/policy.yml | 0
 .../kolla/config/nova/policy.yml | 0
 3 files changed, 15 insertions(+)
 create mode 100644 etc/kayobe/environments/baremetal-policy/README.rst
 rename etc/kayobe/{ => environments/baremetal-policy}/kolla/config/neutron/policy.yml (100%)
 rename etc/kayobe/{ => environments/baremetal-policy}/kolla/config/nova/policy.yml (100%)
diff --git a/etc/kayobe/environments/baremetal-policy/README.rst b/etc/kayobe/environments/baremetal-policy/README.rst
new file mode 100644
index 0000000000..faf38f35b9
--- /dev/null
+++ b/etc/kayobe/environments/baremetal-policy/README.rst
@@ -0,0 +1,15 @@
+Policy for a baremetaluser role
+===============================
+
+When deploying Slurm on baremetal nodes,
+it is typical to select a specific baremetal node,
+and give it the expected hostname. We allow this
+via a tweak to Nova policy.
+
+Similarly, it is common that the IP address has
+to match the expected one for the given node.
+We tweak neutron policy to allow fixed IPs,
+even when we do not own the network.
+
+We should never use the admin role to do these
+operations, as it has far too much privilege.
diff --git a/etc/kayobe/kolla/config/neutron/policy.yml b/etc/kayobe/environments/baremetal-policy/kolla/config/neutron/policy.yml
similarity index 100%
rename from etc/kayobe/kolla/config/neutron/policy.yml
rename to etc/kayobe/environments/baremetal-policy/kolla/config/neutron/policy.yml
diff --git a/etc/kayobe/kolla/config/nova/policy.yml b/etc/kayobe/environments/baremetal-policy/kolla/config/nova/policy.yml
similarity index 100%
rename from etc/kayobe/kolla/config/nova/policy.yml
rename to etc/kayobe/environments/baremetal-policy/kolla/config/nova/policy.yml
From 3b1be38f3938f14b881ad0ab4bfc0edbd3980e96 Mon Sep 17 00:00:00 2001
From: John Garbutt
Date: Thu, 13 Nov 2025 10:36:19 +0000
Subject: [PATCH 6/7] Update the release note.
---
 ...metaluser-neutron-and-nova-policy-321b73327546ceec.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/releasenotes/notes/baremetaluser-neutron-and-nova-policy-321b73327546ceec.yaml b/releasenotes/notes/baremetaluser-neutron-and-nova-policy-321b73327546ceec.yaml
index 758d77ea91..6d24133418 100644
--- a/releasenotes/notes/baremetaluser-neutron-and-nova-policy-321b73327546ceec.yaml
+++ b/releasenotes/notes/baremetaluser-neutron-and-nova-policy-321b73327546ceec.yaml
@@ -1,6 +1,7 @@
 ---
 features:
 - |
- Updated neutron and nova policy to allow role:
- ``baremetaluser`` to map baremetal instances
- to specific ironic nodes.
+ Added a mixin environment that includes policy overrides
+ to enable a ``baremetaluser`` role, that is able to create
+ servers on specific baremetal nodes, with specific IP addresses
+ on a shared network.
From 0897b0b8539456afae536ace1863487d310d17e8 Mon Sep 17 00:00:00 2001
From: Claudia Watson
Date: Tue, 18 Nov 2025 14:14:22 +0000
Subject: [PATCH 7/7] adding comment to policy files to note commented out policy is default.
---
 .../baremetal-policy/kolla/config/neutron/policy.yml | 1 +
 .../environments/baremetal-policy/kolla/config/nova/policy.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/etc/kayobe/environments/baremetal-policy/kolla/config/neutron/policy.yml b/etc/kayobe/environments/baremetal-policy/kolla/config/neutron/policy.yml
index 2e694dffde..f297eef740 100644
--- a/etc/kayobe/environments/baremetal-policy/kolla/config/neutron/policy.yml
+++ b/etc/kayobe/environments/baremetal-policy/kolla/config/neutron/policy.yml
@@ -1,3 +1,4 @@
+# Comments show default policy for neutron.
 #"create_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner"
 "create_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or role:baremetaluser"
 #"create_port:mac_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner"
diff --git a/etc/kayobe/environments/baremetal-policy/kolla/config/nova/policy.yml b/etc/kayobe/environments/baremetal-policy/kolla/config/nova/policy.yml
index 0355393eb1..3328f40ab8 100644
--- a/etc/kayobe/environments/baremetal-policy/kolla/config/nova/policy.yml
+++ b/etc/kayobe/environments/baremetal-policy/kolla/config/nova/policy.yml
@@ -1,3 +1,4 @@
+# Comments show default policy for nova.
 #"os_compute_api:servers:create:forced_host": "rule:context_is_admin"
 "os_compute_api:servers:create:forced_host": "rule:context_is_admin or role:baremetaluser"
 #"compute:servers:create:requested_destination": "rule:context_is_admin"
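Review bot: `# Comments show default policy for neutron.` labels a hand-copied snapshot without saying which release it was taken from, so the commented lines will silently go stale when the upstream defaults change on upgrade while the uncommented override below keeps replacing whatever the new default is. Suggest naming the source and the maintenance expectation, e.g. `# Comments show the neutron default policy as of <RELEASE>; re-check these after each upgrade.` where RELEASE is a placeholder for the release the defaults were copied from. The nova hunk in this same patch has the identical wording and should get the same treatment.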