stackhpc · claudia-lola · Sep 26, 2025 · Oct 8, 2025 · Nov 13, 2025 · Nov 13, 2025
@@ -0,0 +1,15 @@
+Policy for a baremetaluser role 
+===============================
+
+When deploying Slurm on baremetal nodes,
+it is typical to select a specific baremetal node,
+and give it the expected hostname. We allow this
+via a tweak to Nova policy.
+
+Similarly, it is common that the IP address has
+to match the expected one for the given node.
+We tweak neutron policy to allow fixed IPs,
+even when we do not own the network.
+
+We should never use the admin role to do these
+operations, as it has far too much privilege.
@@ -0,0 +1,4 @@
+#"create_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner"
+"create_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or role:baremetaluser"
+#"create_port:mac_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner"
+"create_port:mac_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or role:baremetaluser"
@@ -0,0 +1,4 @@
+#"os_compute_api:servers:create:forced_host": "rule:context_is_admin"
+"os_compute_api:servers:create:forced_host": "rule:context_is_admin or role:baremetaluser"
+#"compute:servers:create:requested_destination": "rule:context_is_admin"
+"compute:servers:create:requested_destination": "rule:context_is_admin or role:baremetaluser"
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Added a mixin environment that includes policy overrides
+    to enable a ``baremetaluser`` role, that is able to create
+    servers on specific baremetal nodes, with specific IP addresses
+    on a shared network.