Merge pull request #1913 from stackhpc/claudia-baremetaluser

priteau · web-flow · commit 0a7d5b26bf27 · 2025-12-11T16:04:12.000+01:00
Updating policy for neutron and nova to include role: baremetaluser
diff --git a/etc/kayobe/environments/baremetal-policy/README.rst b/etc/kayobe/environments/baremetal-policy/README.rst
@@ -0,0 +1,13 @@
+Policy for a baremetaluser role
+===============================
+
+When deploying Slurm on baremetal nodes, it is typical to select a specific
+baremetal node, and give it the expected hostname. We allow this via a tweak to
+Nova policy.
+
+Similarly, it is common that the IP address has to match the expected one for
+the given node. We tweak neutron policy to allow fixed IPs, even when we do
+not own the network.
+
+We should never use the admin role to do these operations, as it has far too
+much privilege.
diff --git a/etc/kayobe/environments/baremetal-policy/kolla/config/neutron/policy.yml b/etc/kayobe/environments/baremetal-policy/kolla/config/neutron/policy.yml
@@ -0,0 +1,5 @@
+# Comments show default policy for neutron.
+#"create_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner"
+"create_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or role:baremetaluser"
+#"create_port:mac_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner"
+"create_port:mac_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or role:baremetaluser"
diff --git a/etc/kayobe/environments/baremetal-policy/kolla/config/nova/policy.yml b/etc/kayobe/environments/baremetal-policy/kolla/config/nova/policy.yml
@@ -0,0 +1,5 @@
+# Comments show default policy for nova.
+#"os_compute_api:servers:create:forced_host": "rule:context_is_admin"
+"os_compute_api:servers:create:forced_host": "rule:context_is_admin or role:baremetaluser"
+#"compute:servers:create:requested_destination": "rule:context_is_admin"
+"compute:servers:create:requested_destination": "rule:context_is_admin or role:baremetaluser"
diff --git a/releasenotes/notes/baremetaluser-neutron-and-nova-policy-321b73327546ceec.yaml b/releasenotes/notes/baremetaluser-neutron-and-nova-policy-321b73327546ceec.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Adds a mixin environment that includes policy overrides to enable a
+    ``baremetaluser`` role, that is able to create servers on specific
+    baremetal nodes, with specific IP addresses on a shared network.
