Review feedback follow-up on Node System Scoped RBAC

Changed permission defaults for changing the node owner of a node and disabling cleaning to be system administrator based privilges. This was review feedback in the very final review jam of the change, which was agreed upon. Change-Id: I5b0e609be1bfe90bbe76782e0544f7943b0c12a9
2021-02-22 14:31:35 -08:00 · 2021-02-22 14:31:35 -08:00 · 20a4f4aadc
parent b0d8d14065
commit 20a4f4aadc
1 changed files with 2 additions and 2 deletions
--- a/ironic/common/policy.py
+++ b/ironic/common/policy.py
@ -347,7 +347,7 @@ node_policies = [
    # TODO(TheJulia): Explicit RBAC testing needed for this.
    policy.DocumentedRuleDefault(
        name='baremetal:node:update_owner_provisioned',
-        check_str=SYSTEM_MEMBER,
+        check_str=SYSTEM_ADMIN,
        scope_types=['system'],
        description='Update Node owner even when Node is provisioned',
        operations=[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}],
@ -641,7 +641,7 @@ node_policies = [
    ),
    policy.DocumentedRuleDefault(
        name='baremetal:node:disable_cleaning',
-        check_str=SYSTEM_MEMBER,
+        check_str=SYSTEM_ADMIN,
        scope_types=['system'],
        description='Disable Node disk cleaning',
        operations=[