)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"a5663fd4eb2647ad7b2b428f5e5e9db93630d365","unresolved":true,"context_lines":[{"line_number":14,"context_line":"This change deprecates this config option and hardcodes it to"},{"line_number":15,"context_line":"\"True\" for disabling the feature."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"Fixes: https://bugs.launchpad.net/aodh/+bug/2106029"},{"line_number":18,"context_line":"Change-Id: I2146e8e753fd7b1214ff583d9d85bbd71bd36fed"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"29b43ba6_35ead935","line":17,"updated":"2025-04-03 00:53:47.000000000","message":"Closes-Bug: #2106029","commit_id":"673207b4eceaea8c4bfadf4fc774c51cde0b3b72"},{"author":{"_account_id":34975,"name":"Jaromír Wysoglad","email":"jwysogla@redhat.com","username":"jwysogla"},"change_message_id":"bd147a24a87547d5c7b38ba56a2aa13c612e56d7","unresolved":false,"context_lines":[{"line_number":14,"context_line":"This change deprecates this config option and hardcodes it to"},{"line_number":15,"context_line":"\"True\" for disabling the feature."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"Fixes: https://bugs.launchpad.net/aodh/+bug/2106029"},{"line_number":18,"context_line":"Change-Id: I2146e8e753fd7b1214ff583d9d85bbd71bd36fed"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"f10aa23e_f1acfdbd","line":17,"in_reply_to":"29b43ba6_35ead935","updated":"2025-04-03 06:34:44.000000000","message":"Done","commit_id":"673207b4eceaea8c4bfadf4fc774c51cde0b3b72"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"a5663fd4eb2647ad7b2b428f5e5e9db93630d365","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"4a220200_f676b603","updated":"2025-04-03 00:53:47.000000000","message":"I might misunderstand something, but wasn\u0027t this option required in a use case where metrics of tenant resources need to be read by tenant users, which was allowed when gnocchi is used ?","commit_id":"673207b4eceaea8c4bfadf4fc774c51cde0b3b72"},{"author":{"_account_id":34975,"name":"Jaromír Wysoglad","email":"jwysogla@redhat.com","username":"jwysogla"},"change_message_id":"3299c0d8a6aff3c75305424c6e9b606124058dec","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"a00c7bf8_af712719","updated":"2025-04-02 16:22:14.000000000","message":"This is how it looks before and after https://paste.opendev.org/show/b9x3pxqoSW9g5RtMvzBp/","commit_id":"673207b4eceaea8c4bfadf4fc774c51cde0b3b72"},{"author":{"_account_id":34975,"name":"Jaromír Wysoglad","email":"jwysogla@redhat.com","username":"jwysogla"},"change_message_id":"bd147a24a87547d5c7b38ba56a2aa13c612e56d7","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"f399b840_a2c65715","in_reply_to":"4a220200_f676b603","updated":"2025-04-03 06:34:44.000000000","message":"I\u0027m not sure I understand the question, so I\u0027ll try to reiterate what this option does in connection with the Prometheus type alarms. This rbac feature, when enabled, will add a label to every query sent through the observabilityclient, which will restrict the query only to the current project. This works pretty OK when you\u0027re using the observabilityclient\u0027s `openstack metric` command, but since Aodh is a service, the current project is always the \"service\" project, no matter in which project the alarm was created, thus each query is being restricted to the service project (or at least trying to be restricted), which wasn\u0027t what was intended for this config option and it causes alarms to not work.\n\nBecause of limitations of this feature in the observabilityclient, it actually doesn\u0027t do anything unless a same named metric exists in the \"service\" project. That\u0027s why the alarms work pretty nicely until you get metrics in the service project.\n\nAlso the current implementation of the rbac feature in the observabilityclient doesn\u0027t allow to specify a different project to use for the restriction, it\u0027ll always use the current one, so there is currently no way for Aodh to use it.","commit_id":"673207b4eceaea8c4bfadf4fc774c51cde0b3b72"},{"author":{"_account_id":34975,"name":"Jaromír Wysoglad","email":"jwysogla@redhat.com","username":"jwysogla"},"change_message_id":"1138243dc021d3f85eefd04c6796022754a40fd4","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"da3b619d_d621577a","in_reply_to":"f399b840_a2c65715","updated":"2025-04-03 06:43:01.000000000","message":"The observabilityclient\u0027s rbac part isn\u0027t very good or useful at the moment, as it was an attempt to increase security by seemingly implementing multi-tenancy to Prometheus on the client-side, when using the observabilityclient for the queries, which doesn\u0027t do much for security when you can always just curl Prometheus directly without any restriction. We have a plan to implement a reverse-proxy for Prometheus to do this instead, which we plan to discuss during the PTG on Tuesday 2 PM UTC https://etherpad.opendev.org/p/telemetry-flamingo-ptg . Maybe if you have time, we could discuss it there? That way we\u0027ll actually be able to enforce authentication and multi-tenancy and we should also enable to use this feature by all services.","commit_id":"673207b4eceaea8c4bfadf4fc774c51cde0b3b72"},{"author":{"_account_id":4264,"name":"Matthias Runge","email":"mrunge@redhat.com","username":"mrunge"},"change_message_id":"c67edce48a9b1b9560bb3c10287981023e877fa5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"94f659d9_f9a108f6","updated":"2025-04-07 08:33:17.000000000","message":"Thank you Jaromir. I am all for replacing this client-side rbac implementation with a server side one.","commit_id":"79ae37256d883e539ddcc6bb4ea2bf65d91b6ec5"},{"author":{"_account_id":34975,"name":"Jaromír Wysoglad","email":"jwysogla@redhat.com","username":"jwysogla"},"change_message_id":"8d44ee4b8677c69fc4a50d9099438336fd202d16","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"db319a31_14fb6210","updated":"2025-04-08 11:33:05.000000000","message":"recheck","commit_id":"79ae37256d883e539ddcc6bb4ea2bf65d91b6ec5"}]}