)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"fc4d1b9643a1015301951093f812d0bfd6f91ec8","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"In recent discussions of disallowing steps, it occured"},{"line_number":10,"context_line":"to me that operators might want to instead effectively"},{"line_number":11,"context_line":"say \"admin, your allowed to do this, but not manager\"."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Where this is different and difficult is becasue the"},{"line_number":14,"context_line":"same basic endpoint may be acceptable for a member to"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"f291034d_f846ce20","line":11,"updated":"2026-07-07 17:21:34.000000000","message":"your -\u003e you\u0027re","commit_id":"7a28d4fdfeeeb475ad78600fba85f4c243f10e4a"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"fc4d1b9643a1015301951093f812d0bfd6f91ec8","unresolved":true,"context_lines":[{"line_number":10,"context_line":"to me that operators might want to instead effectively"},{"line_number":11,"context_line":"say \"admin, your allowed to do this, but not manager\"."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Where this is different and difficult is becasue the"},{"line_number":14,"context_line":"same basic endpoint may be acceptable for a member to"},{"line_number":15,"context_line":"post to, which meant we really needed to permit operators"},{"line_number":16,"context_line":"to be able to define custom RBAC rules which is then applied"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"a524882e_0b68c3fd","line":13,"updated":"2026-07-07 17:21:34.000000000","message":"sp: because","commit_id":"7a28d4fdfeeeb475ad78600fba85f4c243f10e4a"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"3eed2f3cbd3299bbdb318235bb1784d802ca8fcf","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"ae79bbe6_55753bb2","updated":"2026-07-07 19:44:07.000000000","message":"\"As a project scoped user creating a project scoped runbook, The step RBAC policy should apply *then* before being stored in ironic.\"\n\nFurthermore, step validation *WAY* later down int eh flow needs to be trusted if it comes from a runbook or deploy template, because a runbook can/is admin-approved or is specifically project scoped.","commit_id":"7a28d4fdfeeeb475ad78600fba85f4c243f10e4a"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"fc4d1b9643a1015301951093f812d0bfd6f91ec8","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"07374433_69c4addd","updated":"2026-07-07 17:21:34.000000000","message":"GR-OSS team review\n\nI forsee a security issue with this change: we do not apply any of these restrictions (including allow_*_step in config, AFAICT) when creating or modifying runbooks or deploy_templates. This may act as a way to circumvent our policy checks.\n\nGiven part of the goal of runbooks is to allow operators to bundle \"dangerous steps\", it seems like we may want to add a check to disallow a project-owned runbook from having any steps that require admin-only to run? I\u0027m not 100% sure as to the solution though, because the RBAC intersection of runbooks-that-can-be-changed-to-admin and step-only-allowed-for-admin is pretty difficult to navigate.","commit_id":"7a28d4fdfeeeb475ad78600fba85f4c243f10e4a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"71ff90daedc0c9f504ef775521b46bf22676ecac","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"377d809c_13962b7d","updated":"2026-07-07 19:40:59.000000000","message":"Okay, discussed with Jay.\n\nWe likely need to do filtering on the API side on *submission*/post.","commit_id":"7a28d4fdfeeeb475ad78600fba85f4c243f10e4a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"6cc5167831acd548626c4cc92c5cf322e1733d9e","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"43ec2e27_6ad7c834","in_reply_to":"07374433_69c4addd","updated":"2026-07-07 18:06:50.000000000","message":"So that happens in _validate_user_steps which is after the deploy_template hydration, and similary for runbooks as they are hydrated super early before the conductor and passed in.\n\nI think the intersection could also be that if you want to, you can do a custom policy to go beyond the default.","commit_id":"7a28d4fdfeeeb475ad78600fba85f4c243f10e4a"}],"ironic/conductor/manager.py":[{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"fc4d1b9643a1015301951093f812d0bfd6f91ec8","unresolved":true,"context_lines":[{"line_number":953,"context_line":"                # steps by RBAC model, then this is the point"},{"line_number":954,"context_line":"                # where the check occurs."},{"line_number":955,"context_line":"                conductor_steps.validate_user_steps_policy("},{"line_number":956,"context_line":"                     task, deploy_steps)"},{"line_number":957,"context_line":""},{"line_number":958,"context_line":"            deployments.start_deploy(task, self, configdrive, event\u003devent,"},{"line_number":959,"context_line":"                                     deploy_steps\u003ddeploy_steps)"}],"source_content_type":"text/x-python","patch_set":1,"id":"b4298f67_235140ed","line":956,"updated":"2026-07-07 17:21:34.000000000","message":"Just making a note: I checked, deploy_steps here are ONLY ones passed explicitly from API; deploy template steps are added afterwards. We should make sure the documentation calls out that the steps are only limited when called directly (but not via deploy_templates or runbooks).\n\nThis may lead to an ability to workaround this if someone can create+execute runbooks.","commit_id":"7a28d4fdfeeeb475ad78600fba85f4c243f10e4a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"6cc5167831acd548626c4cc92c5cf322e1733d9e","unresolved":true,"context_lines":[{"line_number":953,"context_line":"                # steps by RBAC model, then this is the point"},{"line_number":954,"context_line":"                # where the check occurs."},{"line_number":955,"context_line":"                conductor_steps.validate_user_steps_policy("},{"line_number":956,"context_line":"                     task, deploy_steps)"},{"line_number":957,"context_line":""},{"line_number":958,"context_line":"            deployments.start_deploy(task, self, configdrive, event\u003devent,"},{"line_number":959,"context_line":"                                     deploy_steps\u003ddeploy_steps)"}],"source_content_type":"text/x-python","patch_set":1,"id":"00f7880c_733452ca","line":956,"in_reply_to":"b4298f67_235140ed","updated":"2026-07-07 18:06:50.000000000","message":"As I read the code, a validation helper which ultimately invokes _validate_user_steps still gets invoked *after* hydrating steps from the deploy templates.","commit_id":"7a28d4fdfeeeb475ad78600fba85f4c243f10e4a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9ac760e943b2988cfa9ea3c199b49fd0f0289705","unresolved":true,"context_lines":[{"line_number":1386,"context_line":"            # rights, but if an operator wanted to lockout specific"},{"line_number":1387,"context_line":"            # steps by RBAC model, then this is the point"},{"line_number":1388,"context_line":"            # where the check occurs."},{"line_number":1389,"context_line":"            conductor_steps.validate_user_steps_policy("},{"line_number":1390,"context_line":"                task, clean_steps)"},{"line_number":1391,"context_line":""},{"line_number":1392,"context_line":"            try:"}],"source_content_type":"text/x-python","patch_set":1,"id":"8ecfe175_3d599a2d","line":1389,"updated":"2026-07-07 19:50:14.000000000","message":"This and the other case likely needs to be moved into the API. The risk is an initial RBAC check is done on the servicing/cleaning runbook step invocation as a set of authorized steps which an admin has explicitly said is OKAY.","commit_id":"7a28d4fdfeeeb475ad78600fba85f4c243f10e4a"}],"ironic/conductor/steps.py":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9ac760e943b2988cfa9ea3c199b49fd0f0289705","unresolved":true,"context_lines":[{"line_number":894,"context_line":"                errors.append(error)"},{"line_number":895,"context_line":"            continue"},{"line_number":896,"context_line":""},{"line_number":897,"context_line":"        rbac_error \u003d _check_step_policy(task, user_step)"},{"line_number":898,"context_line":"        if rbac_error:"},{"line_number":899,"context_line":"            errors.append(rbac_error)"},{"line_number":900,"context_line":"            result.append(user_step)"},{"line_number":901,"context_line":"            continue"},{"line_number":902,"context_line":""},{"line_number":903,"context_line":"        step_errors \u003d _validate_user_step(task, user_step, driver_step,"},{"line_number":904,"context_line":"                                          step_type, disable_ramdisk)"},{"line_number":905,"context_line":"        errors.extend(step_errors)"}],"source_content_type":"text/x-python","patch_set":1,"id":"f7d5ab11_7026e4f1","line":902,"range":{"start_line":897,"start_character":0,"end_line":902,"end_character":0},"updated":"2026-07-07 19:50:14.000000000","message":"Per discussion with Jay, this is simply too late in the process.","commit_id":"7a28d4fdfeeeb475ad78600fba85f4c243f10e4a"}]}
