Merge "Fix self_owned_node policy check"

2023-05-19 22:23:36 +00:00 · 2023-05-19 22:23:36 +00:00 · fe8134ea28
commit fe8134ea28
parent 69b5dd0a73 9da6dfd73d
2 changed files with 9 additions and 2 deletions
--- a/ironic/common/policy.py
+++ b/ironic/common/policy.py
@ -464,7 +464,7 @@ node_policies = [
    policy.DocumentedRuleDefault(
        name='baremetal:node:create:self_owned_node',
        check_str=('(role:admin) or (role:service)'),
-        scope_types=['project'],
+        scope_types=['system', 'project'],
        description='Create node records which will be tracked '
                    'as owned by the associated user project.',
        operations=[{'path': '/nodes', 'method': 'POST'}],
@ -693,7 +693,7 @@ node_policies = [
    policy.DocumentedRuleDefault(
        name='baremetal:node:delete:self_owned_node',
        check_str=PROJECT_ADMIN,
-        scope_types=['project'],
+        scope_types=['system', 'project'],
        description='Delete node records which are associated with '
                    'the requesting project.',
        operations=[{'path': '/nodes/{node_ident}', 'method': 'DELETE'}],
--- a/releasenotes/notes/fix-self-owned-node-policy-fc2dae357879dc33.yaml
+++ b/releasenotes/notes/fix-self-owned-node-policy-fc2dae357879dc33.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixes scope classification check with the "self_owned_node" policy
+    check where it was limited to check execution with only project
+    scoped, so system scoped users who ticked the policy endpoint would
+    basically get an incorrect error.