From 20a4f4aadc94d4651312799d4914249586415181 Mon Sep 17 00:00:00 2001
From: Julia Kreger <juliaashleykreger@gmail.com>
Date: Mon, 22 Feb 2021 14:31:35 -0800
Subject: [PATCH] Review feedback follow-up on Node System Scoped RBAC

Changed the permission defaults for changing the owner of a node
and for disabling cleaning to require system administrator privileges.

This was review feedback in the very final review jam of the change,
which was agreed upon.

Change-Id: I5b0e609be1bfe90bbe76782e0544f7943b0c12a9
---
 ironic/common/policy.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ironic/common/policy.py b/ironic/common/policy.py
index 55e6bd2da4..7ba2096bf7 100644
--- a/ironic/common/policy.py
+++ b/ironic/common/policy.py
@@ -347,7 +347,7 @@ node_policies = [
     # TODO(TheJulia): Explicit RBAC testing needed for this.
     policy.DocumentedRuleDefault(
         name='baremetal:node:update_owner_provisioned',
-        check_str=SYSTEM_MEMBER,
+        check_str=SYSTEM_ADMIN,
         scope_types=['system'],
         description='Update Node owner even when Node is provisioned',
         operations=[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}],
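Review bot: The TODO above `baremetal:node:update_owner_provisioned` still asks for explicit RBAC testing, and the diffstat shows only `ironic/common/policy.py` changing, so nothing in this commit asserts that a system-scoped member is now refused. The same applies to `baremetal:node:disable_cleaning` in the second hunk, which has no TODO in the visible lines. Both rules gate sensitive operations (re-owning an already provisioned node, turning off disk cleaning), so a regression back to `SYSTEM_MEMBER` should fail a test. Until one exists I would sharpen the comment to `# TODO(TheJulia): Explicit RBAC testing needed: system member must be denied, system admin allowed.` and repeat it above the disable_cleaning rule. If the `SYSTEM_MEMBER` defaults were ever released, a release note on the tightened defaults would help operators who relied on them, though this patch does not show whether that is the case.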
@@ -641,7 +641,7 @@ node_policies = [
     ),
     policy.DocumentedRuleDefault(
         name='baremetal:node:disable_cleaning',
-        check_str=SYSTEM_MEMBER,
+        check_str=SYSTEM_ADMIN,
         scope_types=['system'],
         description='Disable Node disk cleaning',
         operations=[