)]}'
{"specs/train/secret-consumers.rst":[{"author":{"_account_id":27954,"name":"Moisés Guimarães de Medeiros","email":"guimaraes@pm.me","username":"moguimar"},"change_message_id":"3d0b2b6e9fe87134171e378dd0266033c32b6a3d","unresolved":false,"context_lines":[{"line_number":18,"context_line":""},{"line_number":19,"context_line":"This spec also proposes a change to the deletion of secrets to prevent"},{"line_number":20,"context_line":"secrets from being delted when they are still being used by another"},{"line_number":21,"context_line":"project unless a `force` parameter is provided."},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"This spec is part of a larger effort to provide Encrypted Images"},{"line_number":24,"context_line":"to OpenStack clouds."}],"source_content_type":"text/x-rst","patch_set":1,"id":"bfb3d3c7_d2077f17","line":21,"range":{"start_line":21,"start_character":8,"end_line":21,"end_character":46},"updated":"2019-05-30 13:14:22.000000000","message":"According to the StackOverflow discussion, I think we should just error in case of secret deletion with consumers. 
Error should say \"Delete secret consumers first.\"","commit_id":"19c828b134a5fcee6c87bb4e5fe44a5cbee6d182"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"b5ef58819ea0d810d63dff5b135cf7b6fe9dade7","unresolved":false,"context_lines":[{"line_number":18,"context_line":""},{"line_number":19,"context_line":"This spec also proposes a change to the deletion of secrets to prevent"},{"line_number":20,"context_line":"secrets from being delted when they are still being used by another"},{"line_number":21,"context_line":"project unless a `force` parameter is provided."},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"This spec is part of a larger effort to provide Encrypted Images"},{"line_number":24,"context_line":"to OpenStack clouds."}],"source_content_type":"text/x-rst","patch_set":1,"id":"bfb3d3c7_11be6afe","line":21,"range":{"start_line":21,"start_character":8,"end_line":21,"end_character":46},"in_reply_to":"bfb3d3c7_d2077f17","updated":"2019-05-31 20:27:49.000000000","message":"That\u0027s one option, but I don\u0027t like it because you basically lose the ability to force a delete.  In other words, returning an error on DELETE would make the client have to delete every single entity that consumes the secret first.\n\nI would prefer it if a DELETE request always deleted the secret.  
The logic to check for consumers and require a `force` option to be only client-side.","commit_id":"19c828b134a5fcee6c87bb4e5fe44a5cbee6d182"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"9005c59b9015839d7587d4ebb0e718f1f85a6b61","unresolved":false,"context_lines":[{"line_number":203,"context_line":"Request"},{"line_number":204,"context_line":"+++++++"},{"line_number":205,"context_line":""},{"line_number":206,"context_line":"    DELETE /v1/secrets/{secret_id}?force\u003dtrue"},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"Responses"},{"line_number":209,"context_line":"+++++++++"}],"source_content_type":"text/x-rst","patch_set":1,"id":"bfb3d3c7_1a6f85fc","line":206,"range":{"start_line":206,"start_character":34,"end_line":206,"end_character":45},"updated":"2019-05-29 15:04:13.000000000","message":"I\u0027m not sure this is the right thing to do here.  It seems that adding URL parameters and/or a body to a DELETE request is not a good practice.  See this discussion in Stack Overflow: \n\nhttps://stackoverflow.com/questions/14323716/restful-alternatives-to-delete-request-body","commit_id":"19c828b134a5fcee6c87bb4e5fe44a5cbee6d182"},{"author":{"_account_id":27954,"name":"Moisés Guimarães de Medeiros","email":"guimaraes@pm.me","username":"moguimar"},"change_message_id":"3d0b2b6e9fe87134171e378dd0266033c32b6a3d","unresolved":false,"context_lines":[{"line_number":272,"context_line":"    openstack secret delete {secret_uuid_with_consumers}"},{"line_number":273,"context_line":"    ERROR: Secret has one or more consumers.  
Use --force to delete anyway."},{"line_number":274,"context_line":""},{"line_number":275,"context_line":"These changes will require a new Major version for python-barbicanclient."},{"line_number":276,"context_line":""},{"line_number":277,"context_line":"Other end user impact"},{"line_number":278,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"bfb3d3c7_d220df9d","line":275,"range":{"start_line":275,"start_character":0,"end_line":275,"end_character":72},"updated":"2019-05-30 13:14:22.000000000","message":"Is this because we are changing the default behavior of secret deletion as now it might fail in a certain circumstance?","commit_id":"19c828b134a5fcee6c87bb4e5fe44a5cbee6d182"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"257d809aee6372e86669f0820d3164440c71d5c7","unresolved":false,"context_lines":[{"line_number":272,"context_line":"    openstack secret delete {secret_uuid_with_consumers}"},{"line_number":273,"context_line":"    ERROR: Secret has one or more consumers.  
Use --force to delete anyway."},{"line_number":274,"context_line":""},{"line_number":275,"context_line":"These changes will require a new Major version for python-barbicanclient."},{"line_number":276,"context_line":""},{"line_number":277,"context_line":"Other end user impact"},{"line_number":278,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9fb8cfa7_a15372e2","line":275,"range":{"start_line":275,"start_character":0,"end_line":275,"end_character":72},"in_reply_to":"bfb3d3c7_d220df9d","updated":"2019-06-03 16:00:52.000000000","message":"Yes, I\u0027ll clarify this.","commit_id":"19c828b134a5fcee6c87bb4e5fe44a5cbee6d182"},{"author":{"_account_id":27954,"name":"Moisés Guimarães de Medeiros","email":"guimaraes@pm.me","username":"moguimar"},"change_message_id":"3d0b2b6e9fe87134171e378dd0266033c32b6a3d","unresolved":false,"context_lines":[{"line_number":285,"context_line":"Performance Impact"},{"line_number":286,"context_line":"------------------"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":"CLI performance may be affected as we will likely need to perform additional"},{"line_number":289,"context_line":"requests to the API to get the list of consumers for a secret."},{"line_number":290,"context_line":""},{"line_number":291,"context_line":"Other deployer impact"}],"source_content_type":"text/x-rst","patch_set":1,"id":"bfb3d3c7_5234efdd","line":288,"range":{"start_line":288,"start_character":0,"end_line":288,"end_character":15},"updated":"2019-05-30 13:14:22.000000000","message":"Shouldn\u0027t we specify that only secret deletion is affected?","commit_id":"19c828b134a5fcee6c87bb4e5fe44a5cbee6d182"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"257d809aee6372e86669f0820d3164440c71d5c7","unresolved":false,"context_lines":[{"line_number":285,"context_line":"Performance 
Impact"},{"line_number":286,"context_line":"------------------"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":"CLI performance may be affected as we will likely need to perform additional"},{"line_number":289,"context_line":"requests to the API to get the list of consumers for a secret."},{"line_number":290,"context_line":""},{"line_number":291,"context_line":"Other deployer impact"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9fb8cfa7_0147de1f","line":288,"range":{"start_line":288,"start_character":0,"end_line":288,"end_character":15},"in_reply_to":"bfb3d3c7_5234efdd","updated":"2019-06-03 16:00:52.000000000","message":"Yes, I\u0027ll clarify this.","commit_id":"19c828b134a5fcee6c87bb4e5fe44a5cbee6d182"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"4fa5b56d8addc210d84a39cf90861fbccbd3daf2","unresolved":false,"context_lines":[{"line_number":17,"context_line":"those secrets are being used by them."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"This spec also proposes a change to the deletion of secrets to prevent"},{"line_number":20,"context_line":"secrets from being delted when they are still being used by another"},{"line_number":21,"context_line":"project unless a `force` parameter is provided."},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"This spec is part of a larger effort to provide Encrypted Images"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bfb3d3c7_4b4d153c","line":20,"range":{"start_line":20,"start_character":19,"end_line":20,"end_character":25},"updated":"2019-05-30 21:00:25.000000000","message":"s/delted/deleted","commit_id":"1f65954d4ee2d0e54b5d1b6093e545fe98fd275f"},{"author":{"_account_id":9914,"name":"Ade 
Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"4fa5b56d8addc210d84a39cf90861fbccbd3daf2","unresolved":false,"context_lines":[{"line_number":38,"context_line":"Proposed Change"},{"line_number":39,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"Add a new API to Secrets to register Secret Consumers (smiliar, but not"},{"line_number":42,"context_line":"identical to the Containers Consumer API [1])."},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"With this new API, other OpenStack projects would register as a consumer"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bfb3d3c7_4b767572","line":41,"range":{"start_line":41,"start_character":55,"end_line":41,"end_character":62},"updated":"2019-05-30 21:00:25.000000000","message":"typo","commit_id":"1f65954d4ee2d0e54b5d1b6093e545fe98fd275f"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"4fa5b56d8addc210d84a39cf90861fbccbd3daf2","unresolved":false,"context_lines":[{"line_number":48,"context_line":""},{"line_number":49,"context_line":"Barbican would change the way that Secret deletion works, by first checking"},{"line_number":50,"context_line":"to see if any projects have registered as a Secret Consumer.  
If there is"},{"line_number":51,"context_line":"one or more Secret Consumers registerd on a Secret, then Barbican will"},{"line_number":52,"context_line":"return an error when a user requests to delete a Secret."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Because we ultimately want users to be able to delete their secrets if they"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bfb3d3c7_6bf6d9d9","line":51,"range":{"start_line":51,"start_character":29,"end_line":51,"end_character":38},"updated":"2019-05-30 21:00:25.000000000","message":"typo","commit_id":"1f65954d4ee2d0e54b5d1b6093e545fe98fd275f"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"4fa5b56d8addc210d84a39cf90861fbccbd3daf2","unresolved":false,"context_lines":[{"line_number":116,"context_line":"                \"service\": \"image\","},{"line_number":117,"context_line":"                \"resource_type\": \"image\","},{"line_number":118,"context_line":"                \"resource_id\" : \"{image_id}\""},{"line_number":119,"context_line":"            }"},{"line_number":120,"context_line":"        ]"},{"line_number":121,"context_line":"    }"},{"line_number":122,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"bfb3d3c7_16ef40e9","line":119,"updated":"2019-05-30 21:00:25.000000000","message":"Some details on the \"service\", \"resource_type\" and \"resource_id\" would be good here.  
I think I understand what values you would put in here, but its good to make it explicit as to how these parameters would be used to construct a reference URL.","commit_id":"1f65954d4ee2d0e54b5d1b6093e545fe98fd275f"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"b5ef58819ea0d810d63dff5b135cf7b6fe9dade7","unresolved":false,"context_lines":[{"line_number":116,"context_line":"                \"service\": \"image\","},{"line_number":117,"context_line":"                \"resource_type\": \"image\","},{"line_number":118,"context_line":"                \"resource_id\" : \"{image_id}\""},{"line_number":119,"context_line":"            }"},{"line_number":120,"context_line":"        ]"},{"line_number":121,"context_line":"    }"},{"line_number":122,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"bfb3d3c7_91581afa","line":119,"in_reply_to":"bfb3d3c7_16ef40e9","updated":"2019-05-31 20:27:49.000000000","message":"Yes, that\u0027s a good point.  I\u0027ll add details on what we would expect and how that can be used to construct a URL.","commit_id":"1f65954d4ee2d0e54b5d1b6093e545fe98fd275f"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"4fa5b56d8addc210d84a39cf90861fbccbd3daf2","unresolved":false,"context_lines":[{"line_number":164,"context_line":"|  403 | Forbidden - X-Auth-Token is valid, but the associated project does |"},{"line_number":165,"context_line":"|      |             not have the appropriate role/scope                    |"},{"line_number":166,"context_line":"+------+--------------------------------------------------------------------+"},{"line_number":167,"context_line":"|  409 | Conflict - Another consumer with the same resource_id already      |"},{"line_number":168,"context_line":"|      |            exists.                                                 
|"},{"line_number":169,"context_line":"+------+--------------------------------------------------------------------+"},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"DELETE /v1/secrets/{secret_id}/consumers/{resource_id}"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bfb3d3c7_76cd5c83","line":168,"range":{"start_line":167,"start_character":9,"end_line":168,"end_character":32},"updated":"2019-05-30 21:00:25.000000000","message":"Just to be clear -- this is same service, type and resource_id , right?","commit_id":"1f65954d4ee2d0e54b5d1b6093e545fe98fd275f"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"b5ef58819ea0d810d63dff5b135cf7b6fe9dade7","unresolved":false,"context_lines":[{"line_number":164,"context_line":"|  403 | Forbidden - X-Auth-Token is valid, but the associated project does |"},{"line_number":165,"context_line":"|      |             not have the appropriate role/scope                    |"},{"line_number":166,"context_line":"+------+--------------------------------------------------------------------+"},{"line_number":167,"context_line":"|  409 | Conflict - Another consumer with the same resource_id already      |"},{"line_number":168,"context_line":"|      |            exists.                                                 
|"},{"line_number":169,"context_line":"+------+--------------------------------------------------------------------+"},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"DELETE /v1/secrets/{secret_id}/consumers/{resource_id}"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bfb3d3c7_f10ab6cf","line":168,"range":{"start_line":167,"start_character":9,"end_line":168,"end_character":32},"in_reply_to":"bfb3d3c7_76cd5c83","updated":"2019-05-31 20:27:49.000000000","message":"Yes, I will clarify that.\n\nAnother option is to return 200 OK on a duplicate since you could argue that the record \"already exists\" and that\u0027s what the client wanted with a POST request... but now that I wrote it down I\u0027m not sure I like it.","commit_id":"1f65954d4ee2d0e54b5d1b6093e545fe98fd275f"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"257d809aee6372e86669f0820d3164440c71d5c7","unresolved":false,"context_lines":[{"line_number":164,"context_line":"|  403 | Forbidden - X-Auth-Token is valid, but the associated project does |"},{"line_number":165,"context_line":"|      |             not have the appropriate role/scope                    |"},{"line_number":166,"context_line":"+------+--------------------------------------------------------------------+"},{"line_number":167,"context_line":"|  409 | Conflict - Another consumer with the same resource_id already      |"},{"line_number":168,"context_line":"|      |            exists.                                                 
|"},{"line_number":169,"context_line":"+------+--------------------------------------------------------------------+"},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"DELETE /v1/secrets/{secret_id}/consumers/{resource_id}"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9fb8cfa7_2159c2fd","line":168,"range":{"start_line":167,"start_character":9,"end_line":168,"end_character":32},"in_reply_to":"bfb3d3c7_f10ab6cf","updated":"2019-06-03 16:00:52.000000000","message":"So as I was updating this, I realized that DELETE on just resource_id may not work.  The assumption we were talking about at the PTG was that every resource would have a unique resource_id throughout the cloud.  I\u0027ll add some comments to the new patch when I post the other updates.","commit_id":"1f65954d4ee2d0e54b5d1b6093e545fe98fd275f"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"2da643e9b4661309fd33f7ec4128af2d6a0ea122","unresolved":false,"context_lines":[{"line_number":203,"context_line":"Request"},{"line_number":204,"context_line":"+++++++"},{"line_number":205,"context_line":""},{"line_number":206,"context_line":"    DELETE /v1/secrets/{secret_id}?force\u003dtrue"},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"Responses"},{"line_number":209,"context_line":"+++++++++"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bfb3d3c7_aa8ce8d6","line":206,"range":{"start_line":206,"start_character":34,"end_line":206,"end_character":45},"updated":"2019-05-29 17:07:19.000000000","message":"Commenting again in latest patch for visibility.\n\nI\u0027m not sure this is the right thing to do here.  It seems that adding URL parameters and/or a body to a DELETE request is not a good practice.  
See this discussion in Stack Overflow: \n\nhttps://stackoverflow.com/questions/14323716/restful-alternatives-to-delete-request-body\n\nI\u0027m starting to think it may be best to not mess with the `force` parameter at all in the API, but rather implement `force\u003dTrue / --force` in python-barbicanclient and the CLI.","commit_id":"1f65954d4ee2d0e54b5d1b6093e545fe98fd275f"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"b5ef58819ea0d810d63dff5b135cf7b6fe9dade7","unresolved":false,"context_lines":[{"line_number":203,"context_line":"Request"},{"line_number":204,"context_line":"+++++++"},{"line_number":205,"context_line":""},{"line_number":206,"context_line":"    DELETE /v1/secrets/{secret_id}?force\u003dtrue"},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"Responses"},{"line_number":209,"context_line":"+++++++++"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bfb3d3c7_11766a3f","line":206,"range":{"start_line":206,"start_character":34,"end_line":206,"end_character":45},"in_reply_to":"bfb3d3c7_767b1c27","updated":"2019-05-31 20:27:49.000000000","message":"Yes, that\u0027s my preference right now.  I think I\u0027ll update the spec to do that.  
That would also prevent us from needing a microversion, I think.","commit_id":"1f65954d4ee2d0e54b5d1b6093e545fe98fd275f"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"4fa5b56d8addc210d84a39cf90861fbccbd3daf2","unresolved":false,"context_lines":[{"line_number":203,"context_line":"Request"},{"line_number":204,"context_line":"+++++++"},{"line_number":205,"context_line":""},{"line_number":206,"context_line":"    DELETE /v1/secrets/{secret_id}?force\u003dtrue"},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"Responses"},{"line_number":209,"context_line":"+++++++++"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bfb3d3c7_767b1c27","line":206,"range":{"start_line":206,"start_character":34,"end_line":206,"end_character":45},"in_reply_to":"bfb3d3c7_aa8ce8d6","updated":"2019-05-30 21:00:25.000000000","message":"So, given that the CLI and client communicate with the API - is the idea then that deletes would continue to occur by default (whether or not consumers exist), and that a check for existing consumers would only occur on the client side -- in the CLI and python-barbicanclient?","commit_id":"1f65954d4ee2d0e54b5d1b6093e545fe98fd275f"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"4fa5b56d8addc210d84a39cf90861fbccbd3daf2","unresolved":false,"context_lines":[{"line_number":231,"context_line":"that a bad actor could add many consumers to try to fill the database disk"},{"line_number":232,"context_line":"space.  
Secret Consumers should be limited to some maximum amount to mitigate"},{"line_number":233,"context_line":"this risk."},{"line_number":234,"context_line":""},{"line_number":235,"context_line":"Notifications \u0026 Audit Impact"},{"line_number":236,"context_line":"----------------------------"},{"line_number":237,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"bfb3d3c7_9697b03a","line":234,"updated":"2019-05-30 21:00:25.000000000","message":"Is this a quota thing?  Don\u0027t we have quotas for container consumers? (And how do they work?)","commit_id":"1f65954d4ee2d0e54b5d1b6093e545fe98fd275f"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"b5ef58819ea0d810d63dff5b135cf7b6fe9dade7","unresolved":false,"context_lines":[{"line_number":231,"context_line":"that a bad actor could add many consumers to try to fill the database disk"},{"line_number":232,"context_line":"space.  Secret Consumers should be limited to some maximum amount to mitigate"},{"line_number":233,"context_line":"this risk."},{"line_number":234,"context_line":""},{"line_number":235,"context_line":"Notifications \u0026 Audit Impact"},{"line_number":236,"context_line":"----------------------------"},{"line_number":237,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"9fb8cfa7_16aac284","line":234,"in_reply_to":"bfb3d3c7_9697b03a","updated":"2019-05-31 20:27:49.000000000","message":"Yes, I\u0027ll rewrite this to say that quotas are needed.  Currently, container consumers use a quota called \"consumers\", so maybe we can just reuse that limit?  
Looks like it can be set at a project level too, if needed.","commit_id":"1f65954d4ee2d0e54b5d1b6093e545fe98fd275f"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"93468ce81955d1766912cf8d1d3d74401c2a8523","unresolved":false,"context_lines":[{"line_number":99,"context_line":"| resource_id         | string | Unique identifier for the resource using this secret.  |"},{"line_number":100,"context_line":"+---------------------+--------+--------------------------------------------------------+"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Barbican will consider the combination of all three (service, resource_type,"},{"line_number":103,"context_line":"and resource_id) to be a unique consumer.  These values should be used to"},{"line_number":104,"context_line":"recreate a URL using the Keystone catalog:"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"    {catalog_url_for_service}/{resource_type}/{resource_id}"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_38555e51","line":103,"range":{"start_line":102,"start_character":0,"end_line":103,"end_character":41},"updated":"2019-06-03 16:34:53.000000000","message":"Adding this per @Ade Lee\u0027s comments on Patch 3, however I\u0027m not sure if Barbican should consider the tuple (service, resource_type, resource_id) to identify a unique consumer or just the resource_id.\n\nAt the PTG we talked about assuming that resource_id would be unique in a cloud since all projects use UUIDs, so the chances of two services having the same resource_id for different resources would be unlikely.","commit_id":"4b5c70a0c630e410700bbf509b68176911ec86d6"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"4daf963c3cea5292d8d99c9da07ae10f5692e091","unresolved":false,"context_lines":[{"line_number":99,"context_line":"| 
resource_id         | string | Unique identifier for the resource using this secret.  |"},{"line_number":100,"context_line":"+---------------------+--------+--------------------------------------------------------+"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Barbican will consider the combination of all three (service, resource_type,"},{"line_number":103,"context_line":"and resource_id) to be a unique consumer.  These values should be used to"},{"line_number":104,"context_line":"recreate a URL using the Keystone catalog:"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"    {catalog_url_for_service}/{resource_type}/{resource_id}"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_8198641b","line":103,"range":{"start_line":102,"start_character":0,"end_line":103,"end_character":41},"in_reply_to":"9fb8cfa7_38555e51","updated":"2019-06-05 21:52:36.000000000","message":"I guess the whole idea is the resource_id is unique.  I\u0027m OK with making that assumption.","commit_id":"4b5c70a0c630e410700bbf509b68176911ec86d6"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"69310766316a16c3956d38a76d62c23e799388df","unresolved":false,"context_lines":[{"line_number":99,"context_line":"| resource_id         | string | Unique identifier for the resource using this secret.  |"},{"line_number":100,"context_line":"+---------------------+--------+--------------------------------------------------------+"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Barbican will consider the combination of all three (service, resource_type,"},{"line_number":103,"context_line":"and resource_id) to be a unique consumer.  
These values should be used to"},{"line_number":104,"context_line":"recreate a URL using the Keystone catalog:"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"    {catalog_url_for_service}/{resource_type}/{resource_id}"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_aa20f94a","line":103,"range":{"start_line":102,"start_character":0,"end_line":103,"end_character":41},"in_reply_to":"9fb8cfa7_8198641b","updated":"2019-06-19 13:26:37.000000000","message":"Updated to assume resource_id is unique.","commit_id":"4b5c70a0c630e410700bbf509b68176911ec86d6"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"93468ce81955d1766912cf8d1d3d74401c2a8523","unresolved":false,"context_lines":[{"line_number":100,"context_line":"+---------------------+--------+--------------------------------------------------------+"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Barbican will consider the combination of all three (service, resource_type,"},{"line_number":103,"context_line":"and resource_id) to be a unique consumer.  
These values should be used to"},{"line_number":104,"context_line":"recreate a URL using the Keystone catalog:"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"    {catalog_url_for_service}/{resource_type}/{resource_id}"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"Ideally, we would be able to recreate the URLs using the catalog and the"},{"line_number":109,"context_line":"service\u0027s version discovery api."},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"Request"},{"line_number":112,"context_line":"+++++++"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_db9f5cb2","line":109,"range":{"start_line":103,"start_character":43,"end_line":109,"end_character":32},"updated":"2019-06-03 16:34:53.000000000","message":"This will be tricky.  The advantage of using these values instead of just a URL is that we should, in theory, be able to recreate a URL using Version Discovery, so it would be future-proof.  I\u0027m not sure if all OpenStack APIs are written to be navigated with HATEOAS links though?\n\nOn the other hand, instead of using a `resource_type` we may be able to use a `resource_path` instead.  For example:\n\nIn glance, the Keystone Catalog would point to `/` which returns the current Version as ending in `v2`.  The path to get an image is `v2/images/{image_id}` so resource_type\u003dimages would work to get the path from version discovery -\u003e entity URL.\n\nIn octavia, however, the Keystone Catalog would point to `/` which returns the current version as ending in `v2`, but the path to get a load balancer is `v2/lbaas/loadbalancers/{loadbalancer_id}`.  The response for `v2` is not documented so it\u0027s not clear if there is a way to map the type `loadbalancers` to the path `lbaas/loadbalancers`.  In this case the resource_type\u003dloadbalancers would not work so they would use resource_path\u003d\"lbaas/loadbalancers\" instead. 
Thoughts?","commit_id":"4b5c70a0c630e410700bbf509b68176911ec86d6"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"69310766316a16c3956d38a76d62c23e799388df","unresolved":false,"context_lines":[{"line_number":100,"context_line":"+---------------------+--------+--------------------------------------------------------+"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Barbican will consider the combination of all three (service, resource_type,"},{"line_number":103,"context_line":"and resource_id) to be a unique consumer.  These values should be used to"},{"line_number":104,"context_line":"recreate a URL using the Keystone catalog:"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"    {catalog_url_for_service}/{resource_type}/{resource_id}"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"Ideally, we would be able to recreate the URLs using the catalog and the"},{"line_number":109,"context_line":"service\u0027s version discovery api."},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"Request"},{"line_number":112,"context_line":"+++++++"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_ca1d2d10","line":109,"range":{"start_line":103,"start_character":43,"end_line":109,"end_character":32},"in_reply_to":"9fb8cfa7_1faaced1","updated":"2019-06-19 13:26:37.000000000","message":"Updated.","commit_id":"4b5c70a0c630e410700bbf509b68176911ec86d6"},{"author":{"_account_id":10273,"name":"Adam Harwell","email":"flux.adam@gmail.com","username":"rm_you"},"change_message_id":"343f59b20673af5df210bb33cf67788e54973cb1","unresolved":false,"context_lines":[{"line_number":100,"context_line":"+---------------------+--------+--------------------------------------------------------+"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Barbican will consider the 
combination of all three (service, resource_type,"},{"line_number":103,"context_line":"and resource_id) to be a unique consumer.  These values should be used to"},{"line_number":104,"context_line":"recreate a URL using the Keystone catalog:"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"    {catalog_url_for_service}/{resource_type}/{resource_id}"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"Ideally, we would be able to recreate the URLs using the catalog and the"},{"line_number":109,"context_line":"service\u0027s version discovery api."},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"Request"},{"line_number":112,"context_line":"+++++++"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_9da8938c","line":109,"range":{"start_line":103,"start_character":43,"end_line":109,"end_character":32},"in_reply_to":"9fb8cfa7_6179b0fa","updated":"2019-06-08 08:54:08.000000000","message":"i think my idea originally was that if you specified the service and the resource type and the id, you could find it via the clients/api for the service. i.e. if i know it\u0027s Octavia/loadbalancer/12345abcde then i can just query that via the octavia client.","commit_id":"4b5c70a0c630e410700bbf509b68176911ec86d6"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"aa847be80861b18e7e3113d620e2bc8729ff31b6","unresolved":false,"context_lines":[{"line_number":100,"context_line":"+---------------------+--------+--------------------------------------------------------+"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Barbican will consider the combination of all three (service, resource_type,"},{"line_number":103,"context_line":"and resource_id) to be a unique consumer.  
These values should be used to"},{"line_number":104,"context_line":"recreate a URL using the Keystone catalog:"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"    {catalog_url_for_service}/{resource_type}/{resource_id}"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"Ideally, we would be able to recreate the URLs using the catalog and the"},{"line_number":109,"context_line":"service\u0027s version discovery api."},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"Request"},{"line_number":112,"context_line":"+++++++"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_1faaced1","line":109,"range":{"start_line":103,"start_character":43,"end_line":109,"end_character":32},"in_reply_to":"9fb8cfa7_9da8938c","updated":"2019-06-17 15:27:36.000000000","message":"That actually sounds pretty reasonable.  The resource type should be whatever the service\u0027s client would need to be able to retrieve the relevant object.\n\nPresumably the services who store this data would be the best to determine that.","commit_id":"4b5c70a0c630e410700bbf509b68176911ec86d6"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"4daf963c3cea5292d8d99c9da07ae10f5692e091","unresolved":false,"context_lines":[{"line_number":100,"context_line":"+---------------------+--------+--------------------------------------------------------+"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Barbican will consider the combination of all three (service, resource_type,"},{"line_number":103,"context_line":"and resource_id) to be a unique consumer.  
These values should be used to"},{"line_number":104,"context_line":"recreate a URL using the Keystone catalog:"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"    {catalog_url_for_service}/{resource_type}/{resource_id}"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"Ideally, we would be able to recreate the URLs using the catalog and the"},{"line_number":109,"context_line":"service\u0027s version discovery api."},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"Request"},{"line_number":112,"context_line":"+++++++"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_6179b0fa","line":109,"range":{"start_line":103,"start_character":43,"end_line":109,"end_character":32},"in_reply_to":"9fb8cfa7_db9f5cb2","updated":"2019-06-05 21:52:36.000000000","message":"Can we assume that the resource_path will be future proof?  Or is that something that is API dependent as well?  My guess is that it pretty much is .. 
\n\nWe might want to check some of the horizon plugins to see how they do link resolution -- for an encrypted volume, say.","commit_id":"4b5c70a0c630e410700bbf509b68176911ec86d6"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"93468ce81955d1766912cf8d1d3d74401c2a8523","unresolved":false,"context_lines":[{"line_number":206,"context_line":""},{"line_number":207,"context_line":"     or"},{"line_number":208,"context_line":""},{"line_number":209,"context_line":"     DELETE v1/secrets/{secret_id}/consumers/{service}/{resource_type}/{resource_id}"},{"line_number":210,"context_line":""},{"line_number":211,"context_line":"Responses"},{"line_number":212,"context_line":"+++++++++"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_d82f62f4","line":209,"range":{"start_line":209,"start_character":45,"end_line":209,"end_character":84},"updated":"2019-06-03 16:34:53.000000000","message":"If we do want to consider all 3 values together as an identifier (see comment above), then maybe it makes sense to use all 3 parts in the DELETE path?","commit_id":"4b5c70a0c630e410700bbf509b68176911ec86d6"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"4daf963c3cea5292d8d99c9da07ae10f5692e091","unresolved":false,"context_lines":[{"line_number":206,"context_line":""},{"line_number":207,"context_line":"     or"},{"line_number":208,"context_line":""},{"line_number":209,"context_line":"     DELETE v1/secrets/{secret_id}/consumers/{service}/{resource_type}/{resource_id}"},{"line_number":210,"context_line":""},{"line_number":211,"context_line":"Responses"},{"line_number":212,"context_line":"+++++++++"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_e17600d9","line":209,"range":{"start_line":209,"start_character":45,"end_line":209,"end_character":84},"in_reply_to":"9fb8cfa7_d82f62f4","updated":"2019-06-05 
21:52:36.000000000","message":"Yeah - if we assume resource_ids are unique, then we can remove this last one.","commit_id":"4b5c70a0c630e410700bbf509b68176911ec86d6"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"69310766316a16c3956d38a76d62c23e799388df","unresolved":false,"context_lines":[{"line_number":206,"context_line":""},{"line_number":207,"context_line":"     or"},{"line_number":208,"context_line":""},{"line_number":209,"context_line":"     DELETE v1/secrets/{secret_id}/consumers/{service}/{resource_type}/{resource_id}"},{"line_number":210,"context_line":""},{"line_number":211,"context_line":"Responses"},{"line_number":212,"context_line":"+++++++++"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_2ad2c935","line":209,"range":{"start_line":209,"start_character":45,"end_line":209,"end_character":84},"in_reply_to":"9fb8cfa7_e17600d9","updated":"2019-06-19 13:26:37.000000000","message":"Updated.","commit_id":"4b5c70a0c630e410700bbf509b68176911ec86d6"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"4daf963c3cea5292d8d99c9da07ae10f5692e091","unresolved":false,"context_lines":[{"line_number":291,"context_line":"because the default --force\u003dFalse option could cause some scripts to break in"},{"line_number":292,"context_line":"certain scenarios where secrets are currently being deleted that do have"},{"line_number":293,"context_line":"consumers associated with them."},{"line_number":294,"context_line":""},{"line_number":295,"context_line":"Other end user impact"},{"line_number":296,"context_line":"---------------------"},{"line_number":297,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_a1f008cb","line":294,"updated":"2019-06-05 21:52:36.000000000","message":"You should explicitly mention here that there is no change in behavior on the Barbican API.  
That is, if a user chooses to delete a secret by going directly to the REST API, then the secret will be deleted irrespective of the presence or absence of consumers.","commit_id":"4b5c70a0c630e410700bbf509b68176911ec86d6"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"69310766316a16c3956d38a76d62c23e799388df","unresolved":false,"context_lines":[{"line_number":291,"context_line":"because the default --force\u003dFalse option could cause some scripts to break in"},{"line_number":292,"context_line":"certain scenarios where secrets are currently being deleted that do have"},{"line_number":293,"context_line":"consumers associated with them."},{"line_number":294,"context_line":""},{"line_number":295,"context_line":"Other end user impact"},{"line_number":296,"context_line":"---------------------"},{"line_number":297,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_8aec15f4","line":294,"in_reply_to":"9fb8cfa7_a1f008cb","updated":"2019-06-19 13:26:37.000000000","message":"Good point, I added a note to the \"Other end user impact\" section below.","commit_id":"4b5c70a0c630e410700bbf509b68176911ec86d6"}]}
