From f1387b37dfdddca5fde2d28a445af0bf3c34cbf4 Mon Sep 17 00:00:00 2001
From: Claudia Watson
Date: Fri, 26 Sep 2025 17:16:33 +0100
Subject: [PATCH] Update neutron and nova policies to include role baremetaluser

---
 etc/kayobe/environments/baremetal-policy/README.rst | 13 +++++++++++++
 .../kolla/config/neutron/policy.yml | 5 +++++
 .../baremetal-policy/kolla/config/nova/policy.yml | 5 +++++
 ...er-neutron-and-nova-policy-321b73327546ceec.yaml | 6 ++++++
 4 files changed, 29 insertions(+)
 create mode 100644 etc/kayobe/environments/baremetal-policy/README.rst
 create mode 100644 etc/kayobe/environments/baremetal-policy/kolla/config/neutron/policy.yml
 create mode 100644 etc/kayobe/environments/baremetal-policy/kolla/config/nova/policy.yml
 create mode 100644 releasenotes/notes/baremetaluser-neutron-and-nova-policy-321b73327546ceec.yaml

diff --git a/etc/kayobe/environments/baremetal-policy/README.rst b/etc/kayobe/environments/baremetal-policy/README.rst
new file mode 100644
index 000000000..88dafb4ac
--- /dev/null
+++ b/etc/kayobe/environments/baremetal-policy/README.rst
@@ -0,0 +1,13 @@
+Policy for a baremetaluser role
+===============================
+
+When deploying Slurm on baremetal nodes, it is typical to select a specific
+baremetal node, and give it the expected hostname. We allow this via a tweak to
+Nova policy.
+
+Similarly, it is common that the IP address has to match the expected one for
+the given node. We tweak neutron policy to allow fixed IPs, even when we do
+not own the network.
+
+We should never use the admin role to do these operations, as it has far too
+much privilege.
diff --git a/etc/kayobe/environments/baremetal-policy/kolla/config/neutron/policy.yml b/etc/kayobe/environments/baremetal-policy/kolla/config/neutron/policy.yml
new file mode 100644
index 000000000..f297eef74
--- /dev/null
+++ b/etc/kayobe/environments/baremetal-policy/kolla/config/neutron/policy.yml
@@ -0,0 +1,5 @@
+# Comments show default policy for neutron.
+#"create_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner"
+"create_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or role:baremetaluser"
+#"create_port:mac_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner"
+"create_port:mac_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or role:baremetaluser"
diff --git a/etc/kayobe/environments/baremetal-policy/kolla/config/nova/policy.yml b/etc/kayobe/environments/baremetal-policy/kolla/config/nova/policy.yml
new file mode 100644
index 000000000..3328f40ab
--- /dev/null
+++ b/etc/kayobe/environments/baremetal-policy/kolla/config/nova/policy.yml
@@ -0,0 +1,5 @@
+# Comments show default policy for nova.
+#"os_compute_api:servers:create:forced_host": "rule:context_is_admin"
+"os_compute_api:servers:create:forced_host": "rule:context_is_admin or role:baremetaluser"
+#"compute:servers:create:requested_destination": "rule:context_is_admin"
+"compute:servers:create:requested_destination": "rule:context_is_admin or role:baremetaluser"
diff --git a/releasenotes/notes/baremetaluser-neutron-and-nova-policy-321b73327546ceec.yaml b/releasenotes/notes/baremetaluser-neutron-and-nova-policy-321b73327546ceec.yaml
new file mode 100644
index 000000000..bc773871e
--- /dev/null
+++ b/releasenotes/notes/baremetaluser-neutron-and-nova-policy-321b73327546ceec.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Adds a mixin environment that includes policy overrides to enable a
+ ``baremetaluser`` role, that is able to create servers on specific
+ baremetal nodes, with specific IP addresses on a shared network.
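Review bot: The new `or role:baremetaluser` branch on `create_port:fixed_ips:ip_address` and `create_port:mac_address` is the only alternative in either rule with no project or owner qualifier; every sibling branch is written as `role:manager and project_id:%(project_id)s` or `role:member and rule:network_owner`. An oslo.policy `role:` check only tests for the role in the caller's token, so unless you are relying on the outer `create_port` rule to pin the target project, `role:baremetaluser and project_id:%(project_id)s` would match the convention of the surrounding rules and limit the override to ports in the caller's own project. The README justifies the fixed-IP relaxation but not the MAC one, and on a shared network the two together let a tenant create a port whose address and MAC collide with another tenant's; either drop the `mac_address` override or state its purpose in the header comment, e.g. `# mac_address is relaxed as well because <reason, e.g. the port must carry the node NIC's MAC>`, if that is indeed the reason.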
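Review bot: Giving `role:baremetaluser` the `os_compute_api:servers:create:forced_host` rule grants it the legacy `az:host:node` availability-zone syntax, which as far as I recall skips the scheduler filters entirely (aggregate and tenant-isolation filters included), while the `compute:servers:create:requested_destination` rule beneath it (host/hypervisor_hostname in the create body, microversion 2.74) still runs them. If the README's goal is only to pick a specific baremetal node, consider leaving `forced_host` at the `rule:context_is_admin` default and relying on `requested_destination` alone. Whichever is kept, a header comment stating the role's intended blast radius would help the next operator, e.g. `# baremetaluser may pin a server to a named node; grant it only to users trusted to choose hypervisors`.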