From 96a2e8664ae49782f245a0522eeb009dc9cc420a Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Tue, 29 Jul 2025 16:45:19 +0100 Subject: [PATCH 1/4] Improve Ironic Horizon out of the box experience Policy override was causing lots of error messages in the Ironic view of Horizon. I've asked upstream if we can get this enabled by default: https://bugs.launchpad.net/horizon/+bug/2102214 But are yet to see any traction. --- .../kolla/config/horizon/_9999-custom-settings.py | 1 + etc/kayobe/kolla/config/ironic/policy.yaml | 2 +- ...x-ironic-horizon-integration-c844d19bd36ed014.yaml | 11 +++++++++++ 3 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 etc/kayobe/kolla/config/horizon/_9999-custom-settings.py create mode 100644 releasenotes/notes/fix-ironic-horizon-integration-c844d19bd36ed014.yaml diff --git a/etc/kayobe/kolla/config/horizon/_9999-custom-settings.py b/etc/kayobe/kolla/config/horizon/_9999-custom-settings.py new file mode 100644 index 0000000000..f27c222a95 --- /dev/null +++ b/etc/kayobe/kolla/config/horizon/_9999-custom-settings.py @@ -0,0 +1 @@ +SYSTEM_SCOPE_SERVICES = ['ironic'] diff --git a/etc/kayobe/kolla/config/ironic/policy.yaml b/etc/kayobe/kolla/config/ironic/policy.yaml index e37f33113a..b0ea552667 100644 --- a/etc/kayobe/kolla/config/ironic/policy.yaml +++ b/etc/kayobe/kolla/config/ironic/policy.yaml @@ -4,4 +4,4 @@ # GET /nodes/detail # Intended scope(s): system, project # Overridden: added role:admin -"baremetal:node:list_all": "role:admin or (role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role" +"baremetal:node:list_all": "role:baremetal_node_list_all or (role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role" diff --git a/releasenotes/notes/fix-ironic-horizon-integration-c844d19bd36ed014.yaml b/releasenotes/notes/fix-ironic-horizon-integration-c844d19bd36ed014.yaml new file mode 100644 index 0000000000..b789a2f005 --- /dev/null +++ b/releasenotes/notes/fix-ironic-horizon-integration-c844d19bd36ed014.yaml @@ -0,0 +1,11 @@ +--- +upgrade: + - | + Users with the admin role can can no longer list all baremetal nodes by + default. This broke horizon as it tries to collect data for any nodes + that it can see. Please add the baremetal_node_list_all role + to any users to want this capability; it is not recommened since + Horizon will remain broken for them. +fixes: + - | + Fixes Horizon Ironic integration which was broken by custom policy. From 78586e4e3654f36aaaeb71719a4821e982c0287f Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Thu, 21 May 2026 10:43:53 +0100 Subject: [PATCH 2/4] Clarify admin role restrictions and fix Horizon integration Updated release notes to clarify role permissions and fix details. --- .../fix-ironic-horizon-integration-c844d19bd36ed014.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/releasenotes/notes/fix-ironic-horizon-integration-c844d19bd36ed014.yaml b/releasenotes/notes/fix-ironic-horizon-integration-c844d19bd36ed014.yaml index b789a2f005..1eb534af7b 100644 --- a/releasenotes/notes/fix-ironic-horizon-integration-c844d19bd36ed014.yaml +++ b/releasenotes/notes/fix-ironic-horizon-integration-c844d19bd36ed014.yaml @@ -3,9 +3,7 @@ upgrade: - | Users with the admin role can can no longer list all baremetal nodes by default. This broke horizon as it tries to collect data for any nodes - that it can see. Please add the baremetal_node_list_all role - to any users to want this capability; it is not recommened since - Horizon will remain broken for them. + that it can see. fixes: - | Fixes Horizon Ironic integration which was broken by custom policy. From d1fee2537ad33baf7d8bdd4793dfdc50775ecb6e Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Thu, 21 May 2026 10:46:59 +0100 Subject: [PATCH 3/4] Update release notes for Ironic Horizon integration fix Clarified the restriction on admin role access to baremetal nodes and added role assignment instructions. --- .../fix-ironic-horizon-integration-c844d19bd36ed014.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/releasenotes/notes/fix-ironic-horizon-integration-c844d19bd36ed014.yaml b/releasenotes/notes/fix-ironic-horizon-integration-c844d19bd36ed014.yaml index 1eb534af7b..120637df20 100644 --- a/releasenotes/notes/fix-ironic-horizon-integration-c844d19bd36ed014.yaml +++ b/releasenotes/notes/fix-ironic-horizon-integration-c844d19bd36ed014.yaml @@ -1,9 +1,8 @@ --- upgrade: - | - Users with the admin role can can no longer list all baremetal nodes by - default. This broke horizon as it tries to collect data for any nodes - that it can see. -fixes: + Users with the admin role can no longer list all baremetal nodes by + default. Please assign any users that want this functionality the + `baremetal_node_list` role. - | Fixes Horizon Ironic integration which was broken by custom policy. From 25241b034a64be28643ab2a9231c4db842a5a62b Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Thu, 21 May 2026 10:52:15 +0100 Subject: [PATCH 4/4] Update baremetal node listing role and fix integration Updated role requirement for listing baremetal nodes and fixed Horizon Ironic integration. --- .../notes/fix-ironic-horizon-integration-c844d19bd36ed014.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/releasenotes/notes/fix-ironic-horizon-integration-c844d19bd36ed014.yaml b/releasenotes/notes/fix-ironic-horizon-integration-c844d19bd36ed014.yaml index 120637df20..f743cf9322 100644 --- a/releasenotes/notes/fix-ironic-horizon-integration-c844d19bd36ed014.yaml +++ b/releasenotes/notes/fix-ironic-horizon-integration-c844d19bd36ed014.yaml @@ -3,6 +3,6 @@ upgrade: - | Users with the admin role can no longer list all baremetal nodes by default. Please assign any users that want this functionality the - `baremetal_node_list` role. + ``baremetal_node_list_all`` role. - | Fixes Horizon Ironic integration which was broken by custom policy.