Conversation

claudia-lola

Updating policy to allow role: baremetaluser to map baremetal instances to specific ironic nodes (this is desirable so that the instance name = ironic node name, making debugging less confusing)

…es to specific ironic nodes

(this is desirable so that the instance name = ironic node name, making debugging less confusing)
@claudia-lola claudia-lola self-assigned this Sep 26, 2025
@claudia-lola claudia-lola requested a review from a team as a code owner September 26, 2025 16:21

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates Neutron and Nova policies to grant the baremetaluser role additional permissions, aligning with the goal of simplifying baremetal instance management. The changes in the Nova policy file are clear and correct. For the Neutron policy file, I've suggested a minor improvement to enhance readability and prevent potential issues by explicitly grouping and conditions with parentheses. Overall, the changes look good and address the intended purpose.

Comment on lines +1 to +2
"create_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or role:baremetaluser"
"create_port:mac_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or role:baremetaluser" No newline at end of file
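Review bot: the new "role:baremetaluser" clause at the end of both rules carries no project or owner qualifier, unlike the sibling clauses "role:manager and project_id:%(project_id)s" and "role:member and rule:network_owner", so any token holding that role can set fixed IPs and MAC addresses on ports in every project, not just its own. If cross-project access is not intended, scope it the same way, for example "(role:baremetaluser and project_id:%(project_id)s)"; if it is intended, say so in the commit message so the widened scope is visible to auditors. The file also ends without a trailing newline.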

medium

For improved readability and to avoid any ambiguity with operator precedence, it's a good practice to wrap and expressions in parentheses. While and has higher precedence than or in OpenStack policy rules, explicit grouping makes the policy easier to understand and maintain.

"create_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or (role:manager and project_id:%(project_id)s) or (role:member and rule:network_owner) or role:baremetaluser"
"create_port:mac_address": "(rule:admin_only) or (rule:service_api) or (role:manager and project_id:%(project_id)s) or (role:member and rule:network_owner) or role:baremetaluser"
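To see how the operator precedence discussed in the review comment plays out on the proposed rules, here is a small evaluator for the oslo.policy rule language. It is an added example, not code from this PR or from OpenStack's oslo.policy: the base rules admin_only, service_api and network_owner are constructed approximations of Neutron's defaults, and SCOPED_RULE, PORT and the credential dicts are constructed sample data used only to exercise the rules.

```python
"""Minimal evaluator for the oslo.policy rule language used by Neutron and Nova
policy files.  Added example, not code from this PR or from OpenStack: it handles
and / or, parentheses, rule:, role: and generic key:%(target_key)s checks, with
oslo.policy's precedence ('and' binds tighter than 'or')."""

# Rule bodies quoted from the PR; the three base rules are constructed
# approximations of Neutron's defaults (assumption, not the real policy.yaml).
PR_RULE = ("(rule:admin_only) or (rule:service_api) or role:manager and "
           "project_id:%(project_id)s or role:member and rule:network_owner "
           "or role:baremetaluser")
GROUPED_RULE = ("(rule:admin_only) or (rule:service_api) or (role:manager and "
                "project_id:%(project_id)s) or (role:member and "
                "rule:network_owner) or role:baremetaluser")
# Constructed variant: because 'and' binds tighter than 'or', the appended
# condition attaches only to the final role:baremetaluser clause.
SCOPED_RULE = PR_RULE + " and project_id:%(project_id)s"
RULES = {"admin_only": "role:admin", "service_api": "role:service",
         "network_owner": "project_id:%(network:project_id)s",
         "create_port:fixed_ips:ip_address": PR_RULE,
         "create_port:mac_address": PR_RULE}


def tokenize(rule):
    # Split on whitespace, then peel leading '(' and trailing ')' off each word
    # (as oslo.policy does) so that '%(project_id)s' stays a single token.
    tokens = []
    for word in rule.split():
        stripped = word.lstrip("(")
        core = stripped.rstrip(")")
        tokens.extend(["("] * (len(word) - len(stripped)))
        if core:
            tokens.append(core)
        tokens.extend([")"] * (len(stripped) - len(core)))
    return tokens


class Parser:
    # Recursive descent: or_expr -> and_expr -> unary (parenthesised expr or check).
    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.unary())
        return node

    def unary(self):
        tok = self.take()
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if tok is None or ":" not in tok:
            raise ValueError("expected a check, got %r" % tok)
        kind, match = tok.split(":", 1)
        return ("check", kind, match)


def evaluate(node, target, creds):
    # Walk the tree against the request target and the caller's credentials.
    ev = lambda sub: evaluate(sub, target, creds)
    if node[0] == "or":
        return ev(node[1]) or ev(node[2])
    if node[0] == "and":
        return ev(node[1]) and ev(node[2])
    _, kind, match = node
    if kind == "rule":
        return decide(RULES[match], target, creds)
    if kind == "role":
        return match in creds.get("roles", [])
    try:  # GenericCheck: interpolate from the target, compare to creds[kind]
        return str(creds.get(kind)) == match % target
    except KeyError:
        return False


def decide(rule_text, target, creds):
    return evaluate(Parser(tokenize(rule_text)).or_expr(), target, creds)


# Constructed sample: a port created in tenant-a on tenant-a's own network.
PORT = {"project_id": "tenant-a", "network:project_id": "tenant-a"}
MEMBER_A = {"roles": ["member"], "project_id": "tenant-a"}
MEMBER_B = {"roles": ["member"], "project_id": "tenant-b"}
BAREMETAL_B = {"roles": ["baremetaluser"], "project_id": "tenant-b"}
```

Running decide() over the sample credentials shows that PR_RULE and GROUPED_RULE give the same decision for every caller, confirming the bot's point that the parentheses change readability rather than behaviour. It also shows the effect of the unqualified final clause: MEMBER_B is denied because the port's network belongs to tenant-a, while BAREMETAL_B is allowed from a different project. SCOPED_RULE illustrates the same precedence in the other direction: the appended "and project_id:%(project_id)s" binds only to role:baremetaluser, so admins are still allowed and the baremetaluser is confined to its own project.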
