Merge "Allow project scoped admins to create/delete nodes"

doc/source/admin/secure-rbac.rst

@@ -267,3 +267,16 @@ restrictive and an ``owner`` may revoke access to ``lessee``.
 Access to the underlying baremetal node is not exclusive between the
 ``owner`` and ``lessee``, and this use model expects that some level of
 communication takes place between the appropriate parties.
+
+Can I, a project admin, create a node?
+--------------------------------------
+
+Starting in API version ``1.80``, the capability was added
+to allow users with an ``admin`` role to be able to create and
+delete their own nodes in Ironic.
+
+This functionality is enabled by default, and automatically
+imparts ``owner`` privileges to the created Bare Metal node.
+
+This functionality can be disabled by setting
+``[api]project_admin_can_manage_own_nodes`` to ``False``.

doc/source/contributor/webapi-version-history.rst

@@ -2,6 +2,12 @@
 REST API Version History
 ========================
 
+1.80 (Zed)
+----------
+
+This verison is a signifier of additional RBAC functionality allowing
+a project scoped ``admin`` to create or delete nodes in Ironic.
+
 1.79 (Zed, 21.0)
 ----------------------
 A node with the same name as the allocation ``name`` is moved to the
@@ -9,6 +15,7 @@ start of the derived candidate list.
 
 1.78 (Xena, 18.2)
 ----------------------
+
 Add endpoints to allow history events for nodes to be retrieved via
 the REST API.
 

ironic/api/controllers/v1/node.py

@@ -2462,6 +2462,14 @@ class NodesController(rest.RestController):
             raise exception.OperationNotPermitted()
 
         context = api.request.context
+        owned_node = False
+        if CONF.api.project_admin_can_manage_own_nodes:
+            owned_node = api_utils.check_policy_true(
+                'baremetal:node:create:self_owned_node')
+        else:
+            owned_node = False
+
+        if not owned_node:
             api_utils.check_policy('baremetal:node:create')
 
         reject_fields_in_newer_versions(node)
@@ -2486,6 +2494,28 @@ class NodesController(rest.RestController):
         if not node.get('resource_class'):
             node['resource_class'] = CONF.default_resource_class
 
+        cdict = context.to_policy_values()
+        if cdict.get('system_scope') != 'all' and owned_node:
+            # This only applies when the request is not system
+            # scoped.
+
+            # First identify what was requested, and if there is
+            # a project ID to use.
+            project_id = None
+            requested_owner = node.get('owner', None)
+            if cdict.get('project_id', False):
+                project_id = cdict.get('project_id')
+
+            if requested_owner and requested_owner != project_id:
+                # Translation: If project scoped, and an owner has been
+                # requested, and that owner does not match the requestor's
+                # project ID value.
+                msg = _("Cannot create a node as a project scoped admin "
+                        "with an owner other than your own project.")
+                raise exception.Invalid(msg)
+            # Finally, note the project ID
+            node['owner'] = project_id
+
         chassis = _replace_chassis_uuid_with_id(node)
         chassis_uuid = chassis and chassis.uuid or None
 
@@ -2739,8 +2769,16 @@ class NodesController(rest.RestController):
             raise exception.OperationNotPermitted()
 
         context = api.request.context
+        try:
             rpc_node = api_utils.check_node_policy_and_retrieve(
                 'baremetal:node:delete', node_ident, with_suffix=True)
+        except exception.HTTPForbidden:
+            if not CONF.api.project_admin_can_manage_own_nodes:
+                raise
+            else:
+                rpc_node = api_utils.check_node_policy_and_retrieve(
+                    'baremetal:node:delete:self_owned_node', node_ident,
+                    with_suffix=True)
 
         chassis_uuid = _get_chassis_uuid(rpc_node)
         notify.emit_start_notification(context, rpc_node, 'delete',

ironic/api/controllers/v1/versions.py

@@ -117,7 +117,7 @@ BASE_VERSION = 1
 # v1.77: Add fields selector to drivers list and driver detail.
 # v1.78: Add node history endpoint
 # v1.79: Change allocation behaviour to prefer node name match
-
+# v1.80: Marker to represent self service node creation/deletion
 MINOR_0_JUNO = 0
 MINOR_1_INITIAL_VERSION = 1
 MINOR_2_AVAILABLE_STATE = 2
@@ -198,6 +198,7 @@ MINOR_76_NODE_CHANGE_BOOT_MODE = 76
 MINOR_77_DRIVER_FIELDS_SELECTOR = 77
 MINOR_78_NODE_HISTORY = 78
 MINOR_79_ALLOCATION_NODE_NAME = 79
+MINOR_80_PROJECT_CREATE_DELETE_NODE = 80
 
 # When adding another version, update:
 # - MINOR_MAX_VERSION
@@ -205,7 +206,7 @@ MINOR_79_ALLOCATION_NODE_NAME = 79
 #   explanation of what changed in the new version
 # - common/release_mappings.py, RELEASE_MAPPING['master']['api']
 
-MINOR_MAX_VERSION = MINOR_79_ALLOCATION_NODE_NAME
+MINOR_MAX_VERSION = MINOR_80_PROJECT_CREATE_DELETE_NODE
 
 # String representations of the minor and maximum versions
 _MIN_VERSION_STRING = '{}.{}'.format(BASE_VERSION, MINOR_1_INITIAL_VERSION)

ironic/common/policy.py

@@ -437,11 +437,19 @@ node_policies = [
     policy.DocumentedRuleDefault(
         name='baremetal:node:create',
         check_str=SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=['system', 'project'],
         description='Create Node records',
         operations=[{'path': '/nodes', 'method': 'POST'}],
         deprecated_rule=deprecated_node_create
     ),
+    policy.DocumentedRuleDefault(
+        name='baremetal:node:create:self_owned_node',
+        check_str=('role:admin'),
+        scope_types=['project'],
+        description='Create node records which will be tracked '
+                    'as owned by the associated user project.',
+        operations=[{'path': '/nodes', 'method': 'POST'}],
+    ),
     policy.DocumentedRuleDefault(
         name='baremetal:node:list',
         check_str=API_READER,
@@ -663,7 +671,14 @@ node_policies = [
         operations=[{'path': '/nodes/{node_ident}', 'method': 'DELETE'}],
         deprecated_rule=deprecated_node_delete
     ),
-
+    policy.DocumentedRuleDefault(
+        name='baremetal:node:delete:self_owned_node',
+        check_str=PROJECT_ADMIN,
+        scope_types=['project'],
+        description='Delete node records which are associated with '
+                    'the requesting project.',
+        operations=[{'path': '/nodes/{node_ident}', 'method': 'DELETE'}],
+    ),
     policy.DocumentedRuleDefault(
         name='baremetal:node:validate',
         check_str=SYSTEM_OR_OWNER_MEMBER_AND_LESSEE_ADMIN,

ironic/common/release_mappings.py

@@ -491,7 +491,7 @@ RELEASE_MAPPING = {
         }
     },
     'master': {
-        'api': '1.79',
+        'api': '1.80',
         'rpc': '1.55',
         'objects': {
             'Allocation': ['1.1'],

ironic/conf/api.py

@@ -86,6 +86,11 @@ opts = [
         'network_data_schema',
         default='$pybasedir/api/controllers/v1/network-data-schema.json',
         help=_("Schema for network data used by this deployment.")),
+    cfg.BoolOpt('project_admin_can_manage_own_nodes',
+                default=True,
+                mutable=True,
+                help=_('If a project scoped administrative user is permitted '
+                       'to create/delte baremetal nodes in their project.')),
 ]
 
 opt_group = cfg.OptGroup(name='api',

ironic/tests/unit/api/controllers/v1/test_node.py

@@ -4898,13 +4898,39 @@ class TestPost(test_api_base.BaseApiTest):
         ndict = test_api_utils.post_get_test_node(owner='cowsay')
         response = self.post_json('/nodes', ndict,
                                   headers={api_base.Version.string:
-                                           str(api_v1.max_version())})
+                                           str(api_v1.max_version()),
+                                           'X-Project-Id': 'cowsay'})
         self.assertEqual(http_client.CREATED, response.status_int)
         result = self.get_json('/nodes/%s' % ndict['uuid'],
                                headers={api_base.Version.string:
                                         str(api_v1.max_version())})
         self.assertEqual('cowsay', result['owner'])
 
+    def test_create_node_owner_system_scope(self):
+        ndict = test_api_utils.post_get_test_node(owner='catsay')
+        response = self.post_json('/nodes', ndict,
+                                  headers={api_base.Version.string:
+                                           str(api_v1.max_version()),
+                                           'OpenStack-System-Scope': 'all',
+                                           'X-Roles': 'admin'})
+        self.assertEqual(http_client.CREATED, response.status_int)
+        result = self.get_json('/nodes/%s' % ndict['uuid'],
+                               headers={api_base.Version.string:
+                                        str(api_v1.max_version())})
+        self.assertEqual('catsay', result['owner'])
+
+    def test_create_node_owner_recorded_project_scope(self):
+        ndict = test_api_utils.post_get_test_node()
+        response = self.post_json('/nodes', ndict,
+                                  headers={api_base.Version.string:
+                                           str(api_v1.max_version()),
+                                           'X-Project-Id': 'ravensay'})
+        self.assertEqual(http_client.CREATED, response.status_int)
+        result = self.get_json('/nodes/%s' % ndict['uuid'],
+                               headers={api_base.Version.string:
+                                        str(api_v1.max_version())})
+        self.assertEqual('ravensay', result['owner'])
+
     def test_create_node_owner_old_api_version(self):
         headers = {api_base.Version.string: '1.32'}
         ndict = test_api_utils.post_get_test_node(owner='bob')

ironic/tests/unit/api/test_acl.py

@@ -81,10 +81,18 @@ class TestACLBase(base.BaseApiTest):
                       body=None, assert_status=None,
                       assert_dict_contains=None,
                       assert_list_length=None,
-                      deprecated=None):
+                      deprecated=None,
+                      self_manage_nodes=True):
         path = path.format(**self.format_data)
         self.mock_auth.side_effect = self._fake_process_request
 
+        # Set self management override
+        if not self_manage_nodes:
+            cfg.CONF.set_override(
+                'project_admin_can_manage_own_nodes',
+                False,
+                'api')
+
         # always request the latest api version
         version = api_versions.max_version_string()
         rheaders = {

ironic/tests/unit/api/test_rbac_project_scoped.yaml

@@ -89,35 +89,71 @@ owner_admin_cannot_post_nodes:
   body: &node_post_body
     name: node
     driver: fake-driverz
-  assert_status: 500
+  assert_status: 403
+  self_manage_nodes: False
+
+owner_admin_can_post_nodes:
+  path: '/v1/nodes'
+  method: post
+  headers: *owner_admin_headers
+  body: *node_post_body
+  assert_status: 503
+  self_manage_nodes: True
 
 owner_manager_cannot_post_nodes:
   path: '/v1/nodes'
   method: post
   headers: *owner_manager_headers
   body: *node_post_body
-  assert_status: 500
+  assert_status: 403
 
 lessee_admin_cannot_post_nodes:
   path: '/v1/nodes'
   method: post
   headers: *lessee_admin_headers
   body: *node_post_body
-  assert_status: 500
+  assert_status: 403
+  self_manage_nodes: False
+
+lessee_admin_can_post_nodes:
+  path: '/v1/nodes'
+  method: post
+  headers: *lessee_admin_headers
+  body: *node_post_body
+  assert_status: 403
+  self_manage_nodes: False
 
 lessee_manager_cannot_post_nodes:
   path: '/v1/nodes'
   method: post
   headers: *lessee_manager_headers
   body: *node_post_body
-  assert_status: 500
+  assert_status: 403
+  self_manage_nodes: False
+
+lessee_manager_can_post_nodes:
+  path: '/v1/nodes'
+  method: post
+  headers: *lessee_manager_headers
+  body: *node_post_body
+  assert_status: 403
+  self_manage_nodes: True
 
 third_party_admin_cannot_post_nodes:
   path: '/v1/nodes'
   method: post
   headers: *third_party_admin_headers
   body: *node_post_body
-  assert_status: 500
+  assert_status: 403
+  self_manage_nodes: False
+
+third_party_admin_can_post_nodes:
+  path: '/v1/nodes'
+  method: post
+  headers: *third_party_admin_headers
+  body: *node_post_body
+  assert_status: 503
+  self_manage_nodes: True
 
 # Based on nodes_post_member
 owner_member_cannot_post_nodes:
@@ -125,7 +161,7 @@ owner_member_cannot_post_nodes:
   method: post
   headers: *owner_member_headers
   body: *node_post_body
-  assert_status: 500
+  assert_status: 403
 
 # Based on nodes_post_reader
 owner_reader_cannot_post_reader:
@@ -133,7 +169,7 @@ owner_reader_cannot_post_reader:
   method: post
   headers: *owner_reader_headers
   body: *node_post_body
-  assert_status: 500
+  assert_status: 403
 
 # Based on nodes_get_admin
 # TODO: Create 3 nodes, 2 owned, 1 leased where it is also owned.
@@ -671,6 +707,14 @@ owner_admin_cannot_delete_nodes:
   method: delete
   headers: *owner_admin_headers
   assert_status: 403
+  self_manage_nodes: False
+
+owner_admin_can_delete_nodes:
+  path: '/v1/nodes/{owner_node_ident}'
+  method: delete
+  headers: *owner_admin_headers
+  assert_status: 503
+  self_manage_nodes: True
 
 owner_manager_cannot_delete_nodes:
   path: '/v1/nodes/{owner_node_ident}'

releasenotes/notes/node-creation-no-longer-scope-restricted-b455f66a751f10ec.yaml

@@ -0,0 +1,27 @@
+---
+features:
+  - |
+    Adds the capability for a project scoped ``admin`` user to be able to
+    create nodes in Ironic, which are then manageable by the project scoped
+    ``admin`` user. Effectively, this is self service Bare Metal as a Service,
+    however more advanced fields such as drivers, chassies, are not available
+    to these users. This is controlled through an auto-population of the
+    Node ``owner`` field, and can be controlled through the
+    ``[api]project_admin_can_manage_own_nodes`` setting, which defaults to
+    ``True``, and the new policy ``baremetal:node:create:self_owned_node``.
+  - |
+    Adds the capability for a project scoped ``admin`` user to be able to
+    delete nodes from Ironic which their `project` owns. This can be
+    contolled through the ``[api]project_admin_can_manage_own_nodes``
+    setting, which defaults to ``True``, as well as the
+    ``baremetal:node:delete:self_owned_node`` policy.
+security:
+  - |
+    This release contains an improvement which, by default, allows users to
+    create and delete baremetal nodes inside their own project. This can be
+    disabled using the ``[api]project_admin_can_manage_own_nodes`` setting.
+upgrades:
+  - |
+    The API version has been increased to ``1.80`` in order to signify
+    the addition of additoinal Role Based Access Controls capabilities
+    around node creation and deletion.