From d49856bf3e3abdf2e7196feb121e23e30dd4dfe6 Mon Sep 17 00:00:00 2001
From: Matt Crees <mattc@stackhpc.com>
Date: Fri, 8 Nov 2024 10:28:38 +0000
Subject: [PATCH] Allow admins to list all baremetal nodes

---
 etc/kayobe/kolla/config/ironic/policy.yaml                 | 6 ++++++
 .../notes/allow-admins-to-list-bms-ff0bc40d605d4ca2.yaml   | 7 +++++++
 2 files changed, 13 insertions(+)
 create mode 100644 etc/kayobe/kolla/config/ironic/policy.yaml
 create mode 100644 releasenotes/notes/allow-admins-to-list-bms-ff0bc40d605d4ca2.yaml

diff --git a/etc/kayobe/kolla/config/ironic/policy.yaml b/etc/kayobe/kolla/config/ironic/policy.yaml
new file mode 100644
index 000000000..3461786cc
--- /dev/null
+++ b/etc/kayobe/kolla/config/ironic/policy.yaml
@@ -0,0 +1,6 @@
+# Retrieve multiple Node records
+# GET  /nodes
+# GET  /nodes/detail
+# Intended scope(s): system, project
+# Overridden: added role:admin
+"baremetal:node:list_all": "role:admin or (role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role"
diff --git a/releasenotes/notes/allow-admins-to-list-bms-ff0bc40d605d4ca2.yaml b/releasenotes/notes/allow-admins-to-list-bms-ff0bc40d605d4ca2.yaml
new file mode 100644
index 000000000..b830aac0d
--- /dev/null
+++ b/releasenotes/notes/allow-admins-to-list-bms-ff0bc40d605d4ca2.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Added a custom policy to Ironic that allows users with the `admin` role to
+    list all baremetal nodes. This is required at sites where baremetal
+    provisioning targets a specific node, as we need to look up the node's uuid
+    to pass as the hypervisor hostname.