)]}'
{"specs/xena/s-rbac-ready.rst":[{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f84a262c9f3fc99698c42b855c2dec6b0de0f6f4","unresolved":true,"context_lines":[{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Cinder policies currently rely only on roles and don\u0027t recognize scope, which"},{"line_number":20,"context_line":"was introduced into Keystone in Queens.  As a result, implementing something"},{"line_number":21,"context_line":"like a read-only administrator in Cinder is very complicated and error-prone."},{"line_number":22,"context_line":"(See, for example, `Policy configuration HowTo"},{"line_number":23,"context_line":"\u003chttps://docs.openstack.org/cinder/latest/configuration/block-storage/policy-config-HOWTO.html\u003e`_"},{"line_number":24,"context_line":"in the Cinder documentation.)"}],"source_content_type":"text/x-rst","patch_set":1,"id":"005ae0ad_d15035e4","line":21,"range":{"start_line":21,"start_character":7,"end_line":21,"end_character":30},"updated":"2021-06-23 14:49:45.000000000","message":"I think we have had a long discussion on this but I\u0027m still not clear on the wording.\nreader is a role, admin is also a role.\nwe can have a system reader (which is not admin) so not sure what this means exactly.","commit_id":"02c22a61661e137f131584d5b34967999f61223a"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"1bcc7fa84339a8db47da4db54268158be248f4c9","unresolved":true,"context_lines":[{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Cinder policies currently rely only on roles and don\u0027t recognize scope, which"},{"line_number":20,"context_line":"was introduced into Keystone in Queens.  
As a result, implementing something"},{"line_number":21,"context_line":"like a read-only administrator in Cinder is very complicated and error-prone."},{"line_number":22,"context_line":"(See, for example, `Policy configuration HowTo"},{"line_number":23,"context_line":"\u003chttps://docs.openstack.org/cinder/latest/configuration/block-storage/policy-config-HOWTO.html\u003e`_"},{"line_number":24,"context_line":"in the Cinder documentation.)"}],"source_content_type":"text/x-rst","patch_set":1,"id":"d9b2c6ca_3d9b6212","line":21,"range":{"start_line":21,"start_character":7,"end_line":21,"end_character":30},"in_reply_to":"005ae0ad_d15035e4","updated":"2021-06-23 15:20:26.000000000","message":"This is just normal person talk not tied to the keystone default roles.  The idea is simply someone who can do what a regular cinder administrator can do, but non-destructively.","commit_id":"02c22a61661e137f131584d5b34967999f61223a"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f84a262c9f3fc99698c42b855c2dec6b0de0f6f4","unresolved":true,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Some examples:"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"* An operator wants to have a read-only administrator."},{"line_number":39,"context_line":"* An operator wants to have different levels of end user in each project"},{"line_number":40,"context_line":"  (for example, a \"project administrator\" who can do more in the project"},{"line_number":41,"context_line":"  than just a \"project member\")."}],"source_content_type":"text/x-rst","patch_set":1,"id":"b3028524_ed55ad41","line":38,"range":{"start_line":38,"start_character":30,"end_line":38,"end_character":53},"updated":"2021-06-23 14:49:45.000000000","message":"same as above","commit_id":"02c22a61661e137f131584d5b34967999f61223a"},{"author":{"_account_id":27615,"name":"Rajat 
Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f84a262c9f3fc99698c42b855c2dec6b0de0f6f4","unresolved":true,"context_lines":[{"line_number":43,"context_line":"Proposed change"},{"line_number":44,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"Here is where you cover the change you propose to make in detail. How do you"},{"line_number":47,"context_line":"propose to solve this problem?"},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"If this is one part of a larger effort make it clear where this piece ends. In"},{"line_number":50,"context_line":"other words, what\u0027s the scope of this effort?"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"Alternatives"},{"line_number":53,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1006d02e_07ee2d99","line":50,"range":{"start_line":46,"start_character":0,"end_line":50,"end_character":45},"updated":"2021-06-23 14:49:45.000000000","message":"are we leaving this part for later?","commit_id":"02c22a61661e137f131584d5b34967999f61223a"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"1bcc7fa84339a8db47da4db54268158be248f4c9","unresolved":true,"context_lines":[{"line_number":43,"context_line":"Proposed change"},{"line_number":44,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"Here is where you cover the change you propose to make in detail. 
How do you"},{"line_number":47,"context_line":"propose to solve this problem?"},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"If this is one part of a larger effort make it clear where this piece ends. In"},{"line_number":50,"context_line":"other words, what\u0027s the scope of this effort?"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"Alternatives"},{"line_number":53,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7f44086c_32d6695a","line":50,"range":{"start_line":46,"start_character":0,"end_line":50,"end_character":45},"in_reply_to":"1006d02e_07ee2d99","updated":"2021-06-23 15:20:26.000000000","message":"No, I somehow completely skipped it.  Will fill in and put up a new patch right away.","commit_id":"02c22a61661e137f131584d5b34967999f61223a"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f84a262c9f3fc99698c42b855c2dec6b0de0f6f4","unresolved":true,"context_lines":[{"line_number":144,"context_line":"  Initial test patches:"},{"line_number":145,"context_line":"  https://review.opendev.org/q/project:openstack/cinder-tempest-plugin+topic:secure-rbac"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"* Client changes to support system scope:"},{"line_number":148,"context_line":"  https://review.opendev.org/c/openstack/python-cinderclient/+/776469"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"* Relax the cinder REST API to handle system scope:"},{"line_number":151,"context_line":"  
https://review.opendev.org/c/openstack/cinder/+/776468"},{"line_number":152,"context_line":""},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":1,"id":"a59860ed_6aa6282d","line":151,"range":{"start_line":147,"start_character":0,"end_line":151,"end_character":56},"updated":"2021-06-23 14:49:45.000000000","message":"maybe we could document somewhere why we have to go this way to support system scope?","commit_id":"02c22a61661e137f131584d5b34967999f61223a"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"1bcc7fa84339a8db47da4db54268158be248f4c9","unresolved":true,"context_lines":[{"line_number":144,"context_line":"  Initial test patches:"},{"line_number":145,"context_line":"  https://review.opendev.org/q/project:openstack/cinder-tempest-plugin+topic:secure-rbac"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"* Client changes to support system scope:"},{"line_number":148,"context_line":"  https://review.opendev.org/c/openstack/python-cinderclient/+/776469"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"* Relax the cinder REST API to handle system scope:"},{"line_number":151,"context_line":"  https://review.opendev.org/c/openstack/cinder/+/776468"},{"line_number":152,"context_line":""},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":1,"id":"0e22838c_71287e1b","line":151,"range":{"start_line":147,"start_character":0,"end_line":151,"end_character":56},"in_reply_to":"a59860ed_6aa6282d","updated":"2021-06-23 15:20:26.000000000","message":"Good catch.  
I\u0027ll add a ref below to the PTG discussion that addresses it.","commit_id":"02c22a61661e137f131584d5b34967999f61223a"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"05e32b36a533a90cdc428f5e77e3eaeca3f96df8","unresolved":true,"context_lines":[{"line_number":24,"context_line":"\u003chttps://docs.openstack.org/cinder/latest/configuration/block-storage/policy-config-HOWTO.html\u003e`_"},{"line_number":25,"context_line":"in the Cinder documentation.)"},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Using token scope and other Keystone Queens-era improvements such as role"},{"line_number":28,"context_line":"inheritance, it is possible to define policy rules that recognize a set of"},{"line_number":29,"context_line":"useful \"personas\".  If all OpenStack services define policy rules to support"},{"line_number":30,"context_line":"this (which is the \"consistent\" part), operators will not have to rewrite"},{"line_number":31,"context_line":"policies in an attempt to create such personas themselves, but can instead"}],"source_content_type":"text/x-rst","patch_set":2,"id":"488c91d5_d3d97517","line":28,"range":{"start_line":27,"start_character":69,"end_line":28,"end_character":11},"updated":"2021-06-24 12:38:20.000000000","message":"just for my understanding, this is referring to how an admin is also a member and a reader, right?","commit_id":"38efff1e24af424091afa531d2ad359254c2dac4"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"4de224885f6753185105403870aac8d2a8274c8d","unresolved":true,"context_lines":[{"line_number":24,"context_line":"\u003chttps://docs.openstack.org/cinder/latest/configuration/block-storage/policy-config-HOWTO.html\u003e`_"},{"line_number":25,"context_line":"in the Cinder 
documentation.)"},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Using token scope and other Keystone Queens-era improvements such as role"},{"line_number":28,"context_line":"inheritance, it is possible to define policy rules that recognize a set of"},{"line_number":29,"context_line":"useful \"personas\".  If all OpenStack services define policy rules to support"},{"line_number":30,"context_line":"this (which is the \"consistent\" part), operators will not have to rewrite"},{"line_number":31,"context_line":"policies in an attempt to create such personas themselves, but can instead"}],"source_content_type":"text/x-rst","patch_set":2,"id":"07da3fb9_e7562301","line":28,"range":{"start_line":27,"start_character":69,"end_line":28,"end_character":11},"in_reply_to":"488c91d5_d3d97517","updated":"2021-06-24 13:55:54.000000000","message":"Yes, you are understanding correctly.  What\u0027s even cooler is that keystone gives an operator the ability to apply inheritance to arbitrary roles, which makes it easier to configure very complex setups.","commit_id":"38efff1e24af424091afa531d2ad359254c2dac4"}]}
