)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":4264,"name":"Matthias Runge","email":"mrunge@redhat.com","username":"mrunge"},"change_message_id":"cf68aa815e4654c2ce4a1335e7666c9b6b60949a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"ce890c8b_94a84f34","updated":"2025-02-05 10:41:16.000000000","message":"recheck","commit_id":"713ba83df2fcdab234317e6e06f4d4a5ac58ac4f"},{"author":{"_account_id":34975,"name":"Jaromír Wysoglad","email":"jwysogla@redhat.com","username":"jwysogla"},"change_message_id":"4724553fc9e14fb1ad4722f126af534850467bd8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"68d7ff5b_306f101c","updated":"2025-04-11 07:35:44.000000000","message":"I had to rebase on top of master after the previous change merged. I had to react to some of the function changing names. I retested the code with the unit tests as well as manually checking the functionality, everything seems to still work as intended.","commit_id":"e5c561a4c47ed20460b166b62f769d5bb1e59484"}],"aodh/api/policies.py":[{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"bdbe836e7c0a63cef14d873e9f168e72608d050d","unresolved":true,"context_lines":[{"line_number":319,"context_line":"            }"},{"line_number":320,"context_line":"        ]"},{"line_number":321,"context_line":"    ),"},{"line_number":322,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":323,"context_line":"        name\u003d\"telemetry:get_metrics:all_projects\","},{"line_number":324,"context_line":"        check_str\u003dPROJECT_ADMIN,"},{"line_number":325,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":326,"context_line":"        description\u003d\u0027Get all metrics from all projects.\u0027,"},{"line_number":327,"context_line":"        operations\u003d["},{"line_number":328,"context_line":"            {"},{"line_number":329,"context_line":"                \u0027path\u0027: \u0027/v2/metrics\u0027,"},{"line_number":330,"context_line":"                \u0027method\u0027: \u0027GET\u0027"},{"line_number":331,"context_line":"            }"},{"line_number":332,"context_line":"        ]"},{"line_number":333,"context_line":"    ),"},{"line_number":334,"context_line":"]"},{"line_number":335,"context_line":""},{"line_number":336,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"58954a1c_88dc4ba1","line":333,"range":{"start_line":322,"start_character":1,"end_line":333,"end_character":6},"updated":"2025-01-23 10:32:58.000000000","message":"This will grant all project admins access to any other project\u0027s metrics too. This has been my problem with the current srbac model where the model indicates that the project admin has the project scope but in various services behaves like an global admin.\n\nSome specific ceilometer service role would be less worrysome.","commit_id":"8949301958b0e12794bbb9d47ea156696239047f"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"308621f752eb62ba2945e9f3c00801cce56b382e","unresolved":true,"context_lines":[{"line_number":319,"context_line":"            }"},{"line_number":320,"context_line":"        ]"},{"line_number":321,"context_line":"    ),"},{"line_number":322,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":323,"context_line":"        name\u003d\"telemetry:get_metrics:all_projects\","},{"line_number":324,"context_line":"        check_str\u003dPROJECT_ADMIN,"},{"line_number":325,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":326,"context_line":"        description\u003d\u0027Get all metrics from all projects.\u0027,"},{"line_number":327,"context_line":"        operations\u003d["},{"line_number":328,"context_line":"            {"},{"line_number":329,"context_line":"                \u0027path\u0027: \u0027/v2/metrics\u0027,"},{"line_number":330,"context_line":"                \u0027method\u0027: \u0027GET\u0027"},{"line_number":331,"context_line":"            }"},{"line_number":332,"context_line":"        ]"},{"line_number":333,"context_line":"    ),"},{"line_number":334,"context_line":"]"},{"line_number":335,"context_line":""},{"line_number":336,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"aa7fd106_e2ba0f8c","line":333,"range":{"start_line":322,"start_character":1,"end_line":333,"end_character":6},"in_reply_to":"01959533_2df6a4a8","updated":"2025-03-03 10:23:33.000000000","message":"I agree that has been the problem but in fact we gave up introducing proper scope separation due to multiple techinical limitations. According to the latest direction, we require project scope for resources which belong to project so I think the current implementation is correct.","commit_id":"8949301958b0e12794bbb9d47ea156696239047f"},{"author":{"_account_id":34975,"name":"Jaromír Wysoglad","email":"jwysogla@redhat.com","username":"jwysogla"},"change_message_id":"417576faade0eba2cffb046744b9ec561415f962","unresolved":true,"context_lines":[{"line_number":319,"context_line":"            }"},{"line_number":320,"context_line":"        ]"},{"line_number":321,"context_line":"    ),"},{"line_number":322,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":323,"context_line":"        name\u003d\"telemetry:get_metrics:all_projects\","},{"line_number":324,"context_line":"        check_str\u003dPROJECT_ADMIN,"},{"line_number":325,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":326,"context_line":"        description\u003d\u0027Get all metrics from all projects.\u0027,"},{"line_number":327,"context_line":"        operations\u003d["},{"line_number":328,"context_line":"            {"},{"line_number":329,"context_line":"                \u0027path\u0027: \u0027/v2/metrics\u0027,"},{"line_number":330,"context_line":"                \u0027method\u0027: \u0027GET\u0027"},{"line_number":331,"context_line":"            }"},{"line_number":332,"context_line":"        ]"},{"line_number":333,"context_line":"    ),"},{"line_number":334,"context_line":"]"},{"line_number":335,"context_line":""},{"line_number":336,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"a849bb66_0b6c24a2","line":333,"range":{"start_line":322,"start_character":1,"end_line":333,"end_character":6},"in_reply_to":"58954a1c_88dc4ba1","updated":"2025-01-29 09:04:39.000000000","message":"I see your concern. This is something I was thinking about too. In the end I decided to try to follow what seemed to be an established pattern. I wonder if there is some wider effort to strengthen the srbac model across services? (to not have a project admin behave like a global admin).\n\nThis is basically exposing the same data as getting all alarms, which is also accessible to project admins. The data are just aggregated over time.\n\nIt\u0027s not completely clear to me how the ceilometer role would be used. Who should create the role and when? The user? The installer? Or can Aodh or Ceilometer create it on startup? If the user should be the one to create it, it would need to be well documented (especially assuming we\u0027d use this role for other metrics in the future). Where would we document it, so that it\u0027s visible enough? I\u0027m a little worried that it could end up with confusion from users about why this feature doesn\u0027t work.","commit_id":"8949301958b0e12794bbb9d47ea156696239047f"},{"author":{"_account_id":34975,"name":"Jaromír Wysoglad","email":"jwysogla@redhat.com","username":"jwysogla"},"change_message_id":"cfc6b7d7a7460039452912b0460e1eca8458dae9","unresolved":true,"context_lines":[{"line_number":319,"context_line":"            }"},{"line_number":320,"context_line":"        ]"},{"line_number":321,"context_line":"    ),"},{"line_number":322,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":323,"context_line":"        name\u003d\"telemetry:get_metrics:all_projects\","},{"line_number":324,"context_line":"        check_str\u003dPROJECT_ADMIN,"},{"line_number":325,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":326,"context_line":"        description\u003d\u0027Get all metrics from all projects.\u0027,"},{"line_number":327,"context_line":"        operations\u003d["},{"line_number":328,"context_line":"            {"},{"line_number":329,"context_line":"                \u0027path\u0027: \u0027/v2/metrics\u0027,"},{"line_number":330,"context_line":"                \u0027method\u0027: \u0027GET\u0027"},{"line_number":331,"context_line":"            }"},{"line_number":332,"context_line":"        ]"},{"line_number":333,"context_line":"    ),"},{"line_number":334,"context_line":"]"},{"line_number":335,"context_line":""},{"line_number":336,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"01959533_2df6a4a8","line":333,"range":{"start_line":322,"start_character":1,"end_line":333,"end_character":6},"in_reply_to":"a849bb66_0b6c24a2","updated":"2025-02-24 13:28:19.000000000","message":"@jokke@usr.fi","commit_id":"8949301958b0e12794bbb9d47ea156696239047f"}]}