Node Multi-Tenancy¶
This guide explains the steps needed to enable node multi-tenancy. This feature enables non-admins to perform API actions on nodes, limited by policy configuration. The Bare Metal service supports two kinds of non-admin users:
Owner: owns specific nodes and performs administrative actions on them
Lessee: receives temporary and limited access to a node
Setting the Owner and Lessee¶
Non-administrative access to a node is controlled through a node’s owner
or lessee attribute:
baremetal node set --owner 080925ee2f464a2c9dce91ee6ea354e2 node-7
baremetal node set --lessee 2a210e5ff114c8f2b6e994218f51a904 node-10
Ironic’s API automatically grants visibility and access to these nodes when a user request comes in with a “project” scope, i.e. credentials which indicate the user is in a user within a project.
In older versions of Ironic, this functionality had to be manually configured and then set via custom policies, but now it is automatically available in modern versions of Ironic.
Trust Model¶
The owner and lessee fields imply very different levels of trust:
An
ownerproject is a delegated administrator of the hardware. With the default policies, its users holding thememberrole can, among other things, update the node’s BMC address and credentials, access the serial console, run arbitrary cleaning and service steps, and lease the node to other projects. In many environments, the owning project may also have physical access to the nodes, and Ironic does not fully isolate the nodes of one owner from the nodes of another owner.A
lesseeproject is a user of the hardware, and may be a completely untrusted customer. Thelesseefield may also be populated automatically and non-interactively when a node is deployed, as controlled byconductor.automatic_lessee_source. The default policies largely limit lessees to using the node, rather than administering it (lesseeadminusers can still reprovision it and run cleaning and service steps), and prevent them from viewing sensitive node fields.
Warning
Setting a project as a node’s owner grants elevated access to
all members of that project. It is highly advisable to use a
dedicated project with strictly limited membership to own nodes.
See the trust model description in Secure RBAC for details of exactly what access each field grants with the default policies.