Fix self_owned_node policy check

When enabling scope enforcement, the self_owned_node check could generate a failure because the check internally can be touched by both a project scoped and system scoped endpoint. This change changes the tag in the policy so it doesn't prematurely return an error to the API consumer. Change-Id: I49e2f7f29eb98e5bb4e18614cea0aca726703f55 (cherry picked from commit 9da6dfd) (cherry picked from commit c973f20)
openstack · May 25, 2023 · 4fdf65c · 4fdf65c
1 parent 1d9c223
commit 4fdf65c
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/ironic/common/policy.py b/ironic/common/policy.py
@@ -445,7 +445,7 @@
     policy.DocumentedRuleDefault(
         name='baremetal:node:create:self_owned_node',
         check_str=('role:admin'),
-        scope_types=['project'],
+        scope_types=['system', 'project'],
         description='Create node records which will be tracked '
                     'as owned by the associated user project.',
         operations=[{'path': '/nodes', 'method': 'POST'}],
@@ -674,7 +674,7 @@
     policy.DocumentedRuleDefault(
         name='baremetal:node:delete:self_owned_node',
         check_str=PROJECT_ADMIN,
-        scope_types=['project'],
+        scope_types=['system', 'project'],
         description='Delete node records which are associated with '
                     'the requesting project.',
         operations=[{'path': '/nodes/{node_ident}', 'method': 'DELETE'}],

diff --git a/releasenotes/notes/fix-self-owned-node-policy-fc2dae357879dc33.yaml b/releasenotes/notes/fix-self-owned-node-policy-fc2dae357879dc33.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixes scope classification check with the "self_owned_node" policy
+    check where it was limited to check execution with only project
+    scoped, so system scoped users who ticked the policy endpoint would
+    basically get an incorrect error.