Prevent modifying peers on managed node

Add validation to prevent any managed node from modifying "peers" through the API Peering from these nodes should be handled by setting peers_from_control_nodes only. Managed nodes are control nodes and ingress hop nodes. Signed-off-by: Seth Foster <fosterbseth@gmail.com>
2026-01-10 15:32:07 -03:30 · 2024-01-23 15:50:16 -05:00 · 2024-01-23 15:50:16 -05:00 · c333d0e82f
commit c333d0e82f
parent b093c89a84
2 changed files with 6 additions and 8 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@ -5680,13 +5680,11 @@ class InstanceSerializer(BaseSerializer):
        if not self.instance and not settings.IS_K8S:
            raise serializers.ValidationError(_("Can only create instances on Kubernetes or OpenShift."))

-        node_type = get_field_from_model_or_attrs("node_type")
+        managed = get_field_from_model_or_attrs("managed")

-        if node_type in [Instance.Types.CONTROL, Instance.Types.HYBRID]:
+        if managed:
            if check_peers_changed():
-                raise serializers.ValidationError(
-                    _("Setting peers manually for control nodes is not allowed. Enable peers_from_control_nodes on the hop and execution nodes instead.")
-                )
+                raise serializers.ValidationError(_("Setting peers manually for managed nodes is not allowed."))

        if not settings.IS_K8S:
            if check_peers_changed():
--- a/awx/main/tests/functional/api/test_instance_peers.py
+++ b/awx/main/tests/functional/api/test_instance_peers.py
@ -188,7 +188,7 @@ class TestPeers:
        for control nodes, peers field should not be
        modified directly via patch.
        """
-        control = Instance.objects.create(hostname='abc', node_type=node_type)
+        control = Instance.objects.create(hostname='abc', node_type=node_type, managed=True)
        hop1 = Instance.objects.create(hostname='hop1', node_type='hop')
        hop1addr = ReceptorAddress.objects.create(instance=hop1, address='hop1', peers_from_control_nodes=True, canonical=True)
        hop2 = Instance.objects.create(hostname='hop2', node_type='hop')
@ -200,7 +200,7 @@ class TestPeers:
            user=admin_user,
            expect=400,  # cannot add peers manually
        )
-        assert 'Setting peers manually for control nodes is not allowed.' in str(resp.data)
+        assert 'Setting peers manually for managed nodes is not allowed.' in str(resp.data)

        patch(
            url=reverse('api:instance_detail', kwargs={'pk': control.pk}),
@ -214,7 +214,7 @@ class TestPeers:
            user=admin_user,
            expect=400,  # cannot remove peers directly
        )
-        assert 'Setting peers manually for control nodes is not allowed.' in str(resp.data)
+        assert 'Setting peers manually for managed nodes is not allowed.' in str(resp.data)

        patch(
            url=reverse('api:instance_detail', kwargs={'pk': control.pk}),