)]}'
{"doc/source/configuration/block-storage/policy-personas.rst":[{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"6dda76fce34d204c2070fcd820765ccbc185b51c","unresolved":true,"context_lines":[{"line_number":29,"context_line":"     - Has read only access to the API (cannot create, update, or delete)"},{"line_number":30,"context_line":"     - ``reader`` role with ``project`` scope"},{"line_number":31,"context_line":"   * - project-member"},{"line_number":32,"context_line":"     - A normal user in a project (tenant)."},{"line_number":33,"context_line":"     - ``member`` role with ``project`` scope"},{"line_number":34,"context_line":"   * - project-admin"},{"line_number":35,"context_line":"     - All the normal stuff plus some minor administrative abilities"}],"source_content_type":"text/x-rst","patch_set":3,"id":"7277a68a_bae18830","line":32,"range":{"start_line":32,"start_character":34,"end_line":32,"end_character":42},"updated":"2020-11-27 07:41:24.000000000","message":"Not sure but i think we should avoid using \u0027tenant\u0027 as keystone has already removed/replaced it with project","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"8cae5adcbc2fb090c4d5cdb74d27f89e40e3cf7b","unresolved":false,"context_lines":[{"line_number":29,"context_line":"     - Has read only access to the API (cannot create, update, or delete)"},{"line_number":30,"context_line":"     - ``reader`` role with ``project`` scope"},{"line_number":31,"context_line":"   * - project-member"},{"line_number":32,"context_line":"     - A normal user in a project (tenant)."},{"line_number":33,"context_line":"     - ``member`` role with ``project`` scope"},{"line_number":34,"context_line":"   * - project-admin"},{"line_number":35,"context_line":"     - All the normal stuff plus 
some minor administrative abilities"}],"source_content_type":"text/x-rst","patch_set":3,"id":"f508f208_8892ddfe","line":32,"range":{"start_line":32,"start_character":34,"end_line":32,"end_character":42},"in_reply_to":"6b6d7db0_f2f22d02","updated":"2020-12-04 15:26:06.000000000","message":"Done","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"952de4dd1271a8a3bc2c2e7de6245121d12ebaa3","unresolved":true,"context_lines":[{"line_number":29,"context_line":"     - Has read only access to the API (cannot create, update, or delete)"},{"line_number":30,"context_line":"     - ``reader`` role with ``project`` scope"},{"line_number":31,"context_line":"   * - project-member"},{"line_number":32,"context_line":"     - A normal user in a project (tenant)."},{"line_number":33,"context_line":"     - ``member`` role with ``project`` scope"},{"line_number":34,"context_line":"   * - project-admin"},{"line_number":35,"context_line":"     - All the normal stuff plus some minor administrative abilities"}],"source_content_type":"text/x-rst","patch_set":3,"id":"6b6d7db0_f2f22d02","line":32,"range":{"start_line":32,"start_character":34,"end_line":32,"end_character":42},"in_reply_to":"7277a68a_bae18830","updated":"2020-12-03 23:49:05.000000000","message":"Good point.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"94c5452b9aa45c401b5977b18524eb62f8af3465","unresolved":false,"context_lines":[{"line_number":52,"context_line":"     successfully request a \"domain-scoped\" token from the Identity service,"},{"line_number":53,"context_line":"     you won\u0027t be able to use it with Cinder.  
Request a \"project-scoped\""},{"line_number":54,"context_line":"     or \"system-scoped\" token instead."},{"line_number":55,"context_line":"   * Cinder does not recognize a \"system-member\" persona, that is,"},{"line_number":56,"context_line":"     someone with the ``member`` role and ``system`` scope.  The"},{"line_number":57,"context_line":"     default Cinder policy configuration treats such a person as identical"},{"line_number":58,"context_line":"     to the *system-reader* persona described above."},{"line_number":59,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"fffc6b78_c3c76945","line":56,"range":{"start_line":55,"start_character":5,"end_line":56,"end_character":59},"updated":"2020-11-19 16:00:49.000000000","message":"We do have it in the code[1] but probably won\u0027t be used anywhere so this is correct.\n\n[1] https://github.com/openstack/cinder/blob/master/cinder/policies/base.py#L22","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"fb91311e4ae8a1aa5b5fce7040f130d7dc985207","unresolved":false,"context_lines":[{"line_number":52,"context_line":"     successfully request a \"domain-scoped\" token from the Identity service,"},{"line_number":53,"context_line":"     you won\u0027t be able to use it with Cinder.  Request a \"project-scoped\""},{"line_number":54,"context_line":"     or \"system-scoped\" token instead."},{"line_number":55,"context_line":"   * Cinder does not recognize a \"system-member\" persona, that is,"},{"line_number":56,"context_line":"     someone with the ``member`` role and ``system`` scope.  
The"},{"line_number":57,"context_line":"     default Cinder policy configuration treats such a person as identical"},{"line_number":58,"context_line":"     to the *system-reader* persona described above."},{"line_number":59,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"fffc6b78_9e401a0a","line":56,"range":{"start_line":55,"start_character":5,"end_line":56,"end_character":59},"in_reply_to":"fffc6b78_c3c76945","updated":"2020-11-19 16:54:58.000000000","message":"That\u0027s a good point, I think we should remove it so it doesn\u0027t confuse people.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"94c5452b9aa45c401b5977b18524eb62f8af3465","unresolved":false,"context_lines":[{"line_number":54,"context_line":"     or \"system-scoped\" token instead."},{"line_number":55,"context_line":"   * Cinder does not recognize a \"system-member\" persona, that is,"},{"line_number":56,"context_line":"     someone with the ``member`` role and ``system`` scope.  The"},{"line_number":57,"context_line":"     default Cinder policy configuration treats such a person as identical"},{"line_number":58,"context_line":"     to the *system-reader* persona described above."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":".. 
_cinder-permissions-matrix:"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fffc6b78_23c5953d","line":57,"range":{"start_line":57,"start_character":55,"end_line":57,"end_character":61},"updated":"2020-11-19 16:00:49.000000000","message":"persona","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"fb91311e4ae8a1aa5b5fce7040f130d7dc985207","unresolved":false,"context_lines":[{"line_number":54,"context_line":"     or \"system-scoped\" token instead."},{"line_number":55,"context_line":"   * Cinder does not recognize a \"system-member\" persona, that is,"},{"line_number":56,"context_line":"     someone with the ``member`` role and ``system`` scope.  The"},{"line_number":57,"context_line":"     default Cinder policy configuration treats such a person as identical"},{"line_number":58,"context_line":"     to the *system-reader* persona described above."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":".. _cinder-permissions-matrix:"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fffc6b78_be6fde90","line":57,"range":{"start_line":57,"start_character":55,"end_line":57,"end_character":61},"in_reply_to":"fffc6b78_23c5953d","updated":"2020-11-19 16:54:58.000000000","message":"I actually meant \"person\" here, but I can see how that\u0027s confusing.  
I should probably change it to \"user\".","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"94c5452b9aa45c401b5977b18524eb62f8af3465","unresolved":false,"context_lines":[{"line_number":54,"context_line":"     or \"system-scoped\" token instead."},{"line_number":55,"context_line":"   * Cinder does not recognize a \"system-member\" persona, that is,"},{"line_number":56,"context_line":"     someone with the ``member`` role and ``system`` scope.  The"},{"line_number":57,"context_line":"     default Cinder policy configuration treats such a person as identical"},{"line_number":58,"context_line":"     to the *system-reader* persona described above."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":".. _cinder-permissions-matrix:"},{"line_number":61,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"fffc6b78_43e1b9d0","line":58,"range":{"start_line":57,"start_character":65,"end_line":58,"end_character":52},"updated":"2020-11-19 16:00:49.000000000","message":"I\u0027m not sure but i think that is similar to the system-admin persona","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"fb91311e4ae8a1aa5b5fce7040f130d7dc985207","unresolved":false,"context_lines":[{"line_number":54,"context_line":"     or \"system-scoped\" token instead."},{"line_number":55,"context_line":"   * Cinder does not recognize a \"system-member\" persona, that is,"},{"line_number":56,"context_line":"     someone with the ``member`` role and ``system`` scope.  
The"},{"line_number":57,"context_line":"     default Cinder policy configuration treats such a person as identical"},{"line_number":58,"context_line":"     to the *system-reader* persona described above."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":".. _cinder-permissions-matrix:"},{"line_number":61,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"fffc6b78_5ed23236","line":58,"range":{"start_line":57,"start_character":65,"end_line":58,"end_character":52},"in_reply_to":"fffc6b78_43e1b9d0","updated":"2020-11-19 16:54:58.000000000","message":"Well, if someone has a \u0027member\u0027 role, the default keystone role-inheritance rules also give them the \u0027reader\u0027 role.  If that user requests and receives a system-scoped token, Cinder will ignore the fact that they have member role (because we won\u0027t be looking for it) and will pick up on the fact that they have \u0027reader\u0027 role in system scope.  So we would treat them as the system-reader persona.  (Or am I completely misunderstanding your point?)","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"6dda76fce34d204c2070fcd820765ccbc185b51c","unresolved":false,"context_lines":[{"line_number":54,"context_line":"     or \"system-scoped\" token instead."},{"line_number":55,"context_line":"   * Cinder does not recognize a \"system-member\" persona, that is,"},{"line_number":56,"context_line":"     someone with the ``member`` role and ``system`` scope.  The"},{"line_number":57,"context_line":"     default Cinder policy configuration treats such a person as identical"},{"line_number":58,"context_line":"     to the *system-reader* persona described above."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":".. 
_cinder-permissions-matrix:"},{"line_number":61,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"64af0e55_8e216976","line":58,"range":{"start_line":57,"start_character":65,"end_line":58,"end_character":52},"in_reply_to":"fffc6b78_5ed23236","updated":"2020-11-27 07:41:24.000000000","message":"I got confused with scope and role and interchanged their meaning. You are right, it should be similar to system-reader.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"6dda76fce34d204c2070fcd820765ccbc185b51c","unresolved":true,"context_lines":[{"line_number":226,"context_line":"     - yes"},{"line_number":227,"context_line":"     - no"},{"line_number":228,"context_line":"     - yes"},{"line_number":229,"context_line":"   * - Update cluster."},{"line_number":230,"context_line":"     - ``PUT  /clusters/{cluster_id}``"},{"line_number":231,"context_line":"     - clusters:update"},{"line_number":232,"context_line":"     - rule:admin_api"}],"source_content_type":"text/x-rst","patch_set":3,"id":"c8abc42b_46268161","line":229,"range":{"start_line":229,"start_character":21,"end_line":229,"end_character":22},"updated":"2020-11-27 07:41:24.000000000","message":"NIT: not needed\nhttps://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_f6a/763306/4/check/openstack-tox-docs/f6aee33/docs/configuration/block-storage/policy-personas.html#id5","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"8cae5adcbc2fb090c4d5cdb74d27f89e40e3cf7b","unresolved":false,"context_lines":[{"line_number":226,"context_line":"     - yes"},{"line_number":227,"context_line":"     - no"},{"line_number":228,"context_line":"     - yes"},{"line_number":229,"context_line":"  
 * - Update cluster."},{"line_number":230,"context_line":"     - ``PUT  /clusters/{cluster_id}``"},{"line_number":231,"context_line":"     - clusters:update"},{"line_number":232,"context_line":"     - rule:admin_api"}],"source_content_type":"text/x-rst","patch_set":3,"id":"2a31c8b8_0c932012","line":229,"range":{"start_line":229,"start_character":21,"end_line":229,"end_character":22},"in_reply_to":"3ed6a26a_44ec006f","updated":"2020-12-04 15:26:06.000000000","message":"Done","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"952de4dd1271a8a3bc2c2e7de6245121d12ebaa3","unresolved":true,"context_lines":[{"line_number":226,"context_line":"     - yes"},{"line_number":227,"context_line":"     - no"},{"line_number":228,"context_line":"     - yes"},{"line_number":229,"context_line":"   * - Update cluster."},{"line_number":230,"context_line":"     - ``PUT  /clusters/{cluster_id}``"},{"line_number":231,"context_line":"     - clusters:update"},{"line_number":232,"context_line":"     - rule:admin_api"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3ed6a26a_44ec006f","line":229,"range":{"start_line":229,"start_character":21,"end_line":229,"end_character":22},"in_reply_to":"c8abc42b_46268161","updated":"2020-12-03 23:49:05.000000000","message":"Thanks for catching this.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"6dda76fce34d204c2070fcd820765ccbc185b51c","unresolved":true,"context_lines":[{"line_number":305,"context_line":"     - yes"},{"line_number":306,"context_line":"     - yes"},{"line_number":307,"context_line":"     - yes"},{"line_number":308,"context_line":"   * - List snapshots."},{"line_number":309,"context_line":"     - | ``GET  
/snapshots``"},{"line_number":310,"context_line":"       | ``GET  /snapshots/detail``"},{"line_number":311,"context_line":"     - volume:get_all_snapshots"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9e8649d6_191bd895","line":308,"range":{"start_line":308,"start_character":21,"end_line":308,"end_character":22},"updated":"2020-11-27 07:41:24.000000000","message":"NIT: not needed","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"952de4dd1271a8a3bc2c2e7de6245121d12ebaa3","unresolved":false,"context_lines":[{"line_number":305,"context_line":"     - yes"},{"line_number":306,"context_line":"     - yes"},{"line_number":307,"context_line":"     - yes"},{"line_number":308,"context_line":"   * - List snapshots."},{"line_number":309,"context_line":"     - | ``GET  /snapshots``"},{"line_number":310,"context_line":"       | ``GET  /snapshots/detail``"},{"line_number":311,"context_line":"     - volume:get_all_snapshots"}],"source_content_type":"text/x-rst","patch_set":3,"id":"72b593a3_1e2b1866","line":308,"range":{"start_line":308,"start_character":21,"end_line":308,"end_character":22},"in_reply_to":"9e8649d6_191bd895","updated":"2020-12-03 23:49:05.000000000","message":"Ack","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"6dda76fce34d204c2070fcd820765ccbc185b51c","unresolved":true,"context_lines":[{"line_number":790,"context_line":"     - **system-admin**"},{"line_number":791,"context_line":"     - **(old \"owner\")**"},{"line_number":792,"context_line":"     - **(old \"admin\")**"},{"line_number":793,"context_line":"   * - Reset status of group snapshot"},{"line_number":794,"context_line":"     - ``POST  /group_snapshots/{g_snapshot_id}/action`` 
(reset_status)"},{"line_number":795,"context_line":"     - group:reset_group_snapshot_status"},{"line_number":796,"context_line":"     - rule:admin_or_owner"},{"line_number":797,"context_line":"     - no"},{"line_number":798,"context_line":"     - yes"},{"line_number":799,"context_line":"     - yes"},{"line_number":800,"context_line":"     - no"},{"line_number":801,"context_line":"     - yes"},{"line_number":802,"context_line":"     - yes"},{"line_number":803,"context_line":"     - yes"},{"line_number":804,"context_line":"   * - Delete group"},{"line_number":805,"context_line":"     - ``POST  /groups/{group_id}/action`` (delete)"},{"line_number":806,"context_line":"     - group:delete"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ce4a55dc_42e3bc29","line":803,"range":{"start_line":793,"start_character":0,"end_line":803,"end_character":10},"updated":"2020-11-27 07:41:24.000000000","message":"I\u0027m not sure if this is treated differently or was just missed during the review but doesn\u0027t seem right to allow project members/admins to reset state as it should be a system admin action only as seen in other APIs.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"483b44144f00c45e5bc2767229d76beedbff438c","unresolved":true,"context_lines":[{"line_number":790,"context_line":"     - **system-admin**"},{"line_number":791,"context_line":"     - **(old \"owner\")**"},{"line_number":792,"context_line":"     - **(old \"admin\")**"},{"line_number":793,"context_line":"   * - Reset status of group snapshot"},{"line_number":794,"context_line":"     - ``POST  /group_snapshots/{g_snapshot_id}/action`` (reset_status)"},{"line_number":795,"context_line":"     - group:reset_group_snapshot_status"},{"line_number":796,"context_line":"     - rule:admin_or_owner"},{"line_number":797,"context_line":"     - 
no"},{"line_number":798,"context_line":"     - yes"},{"line_number":799,"context_line":"     - yes"},{"line_number":800,"context_line":"     - no"},{"line_number":801,"context_line":"     - yes"},{"line_number":802,"context_line":"     - yes"},{"line_number":803,"context_line":"     - yes"},{"line_number":804,"context_line":"   * - Delete group"},{"line_number":805,"context_line":"     - ``POST  /groups/{group_id}/action`` (delete)"},{"line_number":806,"context_line":"     - group:delete"}],"source_content_type":"text/x-rst","patch_set":3,"id":"d344f6ef_1dd9da85","line":803,"range":{"start_line":793,"start_character":0,"end_line":803,"end_character":10},"in_reply_to":"632ab595_1a0a57b0","updated":"2020-12-04 09:12:01.000000000","message":"Right and i feel this was missed during review of the patch that added it[1].\nGood idea to discuss in mid-cycle.\n\n[1] https://review.opendev.org/c/openstack/cinder/+/507812","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"952de4dd1271a8a3bc2c2e7de6245121d12ebaa3","unresolved":true,"context_lines":[{"line_number":790,"context_line":"     - **system-admin**"},{"line_number":791,"context_line":"     - **(old \"owner\")**"},{"line_number":792,"context_line":"     - **(old \"admin\")**"},{"line_number":793,"context_line":"   * - Reset status of group snapshot"},{"line_number":794,"context_line":"     - ``POST  /group_snapshots/{g_snapshot_id}/action`` (reset_status)"},{"line_number":795,"context_line":"     - group:reset_group_snapshot_status"},{"line_number":796,"context_line":"     - rule:admin_or_owner"},{"line_number":797,"context_line":"     - no"},{"line_number":798,"context_line":"     - yes"},{"line_number":799,"context_line":"     - yes"},{"line_number":800,"context_line":"     - no"},{"line_number":801,"context_line":"     - yes"},{"line_number":802,"context_line":"     - 
yes"},{"line_number":803,"context_line":"     - yes"},{"line_number":804,"context_line":"   * - Delete group"},{"line_number":805,"context_line":"     - ``POST  /groups/{group_id}/action`` (delete)"},{"line_number":806,"context_line":"     - group:delete"}],"source_content_type":"text/x-rst","patch_set":3,"id":"632ab595_1a0a57b0","line":803,"range":{"start_line":793,"start_character":0,"end_line":803,"end_character":10},"in_reply_to":"ce4a55dc_42e3bc29","updated":"2020-12-03 23:49:05.000000000","message":"I\u0027m not sure either.  Let\u0027s make a note to ask about this at the mid-cycle next week.  For reference, here\u0027s where it\u0027s defined in the code:\nhttps://review.opendev.org/c/openstack/cinder/+/763306/3/cinder/policies/group_snapshot_actions.py#27","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"8cae5adcbc2fb090c4d5cdb74d27f89e40e3cf7b","unresolved":true,"context_lines":[{"line_number":790,"context_line":"     - **system-admin**"},{"line_number":791,"context_line":"     - **(old \"owner\")**"},{"line_number":792,"context_line":"     - **(old \"admin\")**"},{"line_number":793,"context_line":"   * - Reset status of group snapshot"},{"line_number":794,"context_line":"     - ``POST  /group_snapshots/{g_snapshot_id}/action`` (reset_status)"},{"line_number":795,"context_line":"     - group:reset_group_snapshot_status"},{"line_number":796,"context_line":"     - rule:admin_or_owner"},{"line_number":797,"context_line":"     - no"},{"line_number":798,"context_line":"     - yes"},{"line_number":799,"context_line":"     - yes"},{"line_number":800,"context_line":"     - no"},{"line_number":801,"context_line":"     - yes"},{"line_number":802,"context_line":"     - yes"},{"line_number":803,"context_line":"     - yes"},{"line_number":804,"context_line":"   * - Delete group"},{"line_number":805,"context_line":"     - 
``POST  /groups/{group_id}/action`` (delete)"},{"line_number":806,"context_line":"     - group:delete"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3d149d65_cffebe17","line":803,"range":{"start_line":793,"start_character":0,"end_line":803,"end_character":10},"in_reply_to":"d344f6ef_1dd9da85","updated":"2020-12-04 15:26:06.000000000","message":"Thanks for digging up that patch.  Here\u0027s the original setting (admin only):\nhttps://review.opendev.org/c/openstack/cinder/+/507812/6/etc/cinder/policy.json#b108\n\nand here\u0027s the change made by the policy-in-code patch:\nhttps://review.opendev.org/c/openstack/cinder/+/507812/6/cinder/policies/group_snapshot_actions.py#27\n\nI don\u0027t see any discussion about that change on the review, so I suspect you are correct that it was just a mistake.  We can ask at the midcycle if anyone remembers a reason for changing the checkstring.\n\nI suspect not, so the way to fix this will be to file a bug, put up a patch to change the checkstring to admin only, and point out in the release note on that patch that the current value allows an ordinary user to do an administrative operation and so it\u0027s been changed in this release.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"6dda76fce34d204c2070fcd820765ccbc185b51c","unresolved":true,"context_lines":[{"line_number":982,"context_line":"     - rule:admin_api"},{"line_number":983,"context_line":"     - no"},{"line_number":984,"context_line":"     - no"},{"line_number":985,"context_line":"     - no"},{"line_number":986,"context_line":"     - no"},{"line_number":987,"context_line":"     - yes"},{"line_number":988,"context_line":"     - 
no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"c37e7a88_d5e1b109","line":985,"range":{"start_line":985,"start_character":7,"end_line":985,"end_character":9},"updated":"2020-11-27 07:41:24.000000000","message":"I think we should allow project admins to set quota for projects, any thoughts?","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"483b44144f00c45e5bc2767229d76beedbff438c","unresolved":true,"context_lines":[{"line_number":982,"context_line":"     - rule:admin_api"},{"line_number":983,"context_line":"     - no"},{"line_number":984,"context_line":"     - no"},{"line_number":985,"context_line":"     - no"},{"line_number":986,"context_line":"     - no"},{"line_number":987,"context_line":"     - yes"},{"line_number":988,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"6da66730_82308b60","line":985,"range":{"start_line":985,"start_character":7,"end_line":985,"end_character":9},"in_reply_to":"267b7557_e644f91a","updated":"2020-12-04 09:12:01.000000000","message":"My understanding is that a project admin manages resources for a project in ways that affect all the users of that project.\nTaking default volume types as a reference, the project admin sets the default type for all the users of the project and not for a specific user.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"8cae5adcbc2fb090c4d5cdb74d27f89e40e3cf7b","unresolved":true,"context_lines":[{"line_number":982,"context_line":"     - rule:admin_api"},{"line_number":983,"context_line":"     - no"},{"line_number":984,"context_line":"     - no"},{"line_number":985,"context_line":"     - no"},{"line_number":986,"context_line":"     - no"},{"line_number":987,"context_line":"     - 
yes"},{"line_number":988,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"52954dca_b63d9bd9","line":985,"range":{"start_line":985,"start_character":7,"end_line":985,"end_character":9},"in_reply_to":"6da66730_82308b60","updated":"2020-12-04 15:26:06.000000000","message":"Right, but the difference is that the choices of volume-type that the project-admin can choose from is set by the operator to the public volume types and any private volume types the operator has given that project access to.  So the project-admin can\u0027t do any damage.  By default, we don\u0027t want to allow arbitrary projects to increase their quotas, because that would defeat the whole point of quotas.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"952de4dd1271a8a3bc2c2e7de6245121d12ebaa3","unresolved":true,"context_lines":[{"line_number":982,"context_line":"     - rule:admin_api"},{"line_number":983,"context_line":"     - no"},{"line_number":984,"context_line":"     - no"},{"line_number":985,"context_line":"     - no"},{"line_number":986,"context_line":"     - no"},{"line_number":987,"context_line":"     - yes"},{"line_number":988,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"267b7557_e644f91a","line":985,"range":{"start_line":985,"start_character":7,"end_line":985,"end_character":9},"in_reply_to":"c37e7a88_d5e1b109","updated":"2020-12-03 23:49:05.000000000","message":"If they could assign quotas to users in their project, I\u0027d agree, but we don\u0027t want a project-level admin to increase the quotas for a project independently of what the operator has set for them.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat 
Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"6dda76fce34d204c2070fcd820765ccbc185b51c","unresolved":true,"context_lines":[{"line_number":993,"context_line":"     - rule:admin_api"},{"line_number":994,"context_line":"     - no"},{"line_number":995,"context_line":"     - no"},{"line_number":996,"context_line":"     - no"},{"line_number":997,"context_line":"     - no"},{"line_number":998,"context_line":"     - yes"},{"line_number":999,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bb8922e8_c5cb5371","line":996,"range":{"start_line":996,"start_character":7,"end_line":996,"end_character":9},"updated":"2020-11-27 07:41:24.000000000","message":"same","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"483b44144f00c45e5bc2767229d76beedbff438c","unresolved":true,"context_lines":[{"line_number":993,"context_line":"     - rule:admin_api"},{"line_number":994,"context_line":"     - no"},{"line_number":995,"context_line":"     - no"},{"line_number":996,"context_line":"     - no"},{"line_number":997,"context_line":"     - no"},{"line_number":998,"context_line":"     - yes"},{"line_number":999,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"c8be07da_510f7c66","line":996,"range":{"start_line":996,"start_character":7,"end_line":996,"end_character":9},"in_reply_to":"0bc9ec9f_ec0f4cb6","updated":"2020-12-04 09:12:01.000000000","message":"I feel the project admin should be responsible enough to not do any such action? 
Else i don\u0027t see much difference between a project member and a project admin.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"952de4dd1271a8a3bc2c2e7de6245121d12ebaa3","unresolved":true,"context_lines":[{"line_number":993,"context_line":"     - rule:admin_api"},{"line_number":994,"context_line":"     - no"},{"line_number":995,"context_line":"     - no"},{"line_number":996,"context_line":"     - no"},{"line_number":997,"context_line":"     - no"},{"line_number":998,"context_line":"     - yes"},{"line_number":999,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"0bc9ec9f_ec0f4cb6","line":996,"range":{"start_line":996,"start_character":7,"end_line":996,"end_character":9},"in_reply_to":"bb8922e8_c5cb5371","updated":"2020-12-03 23:49:05.000000000","message":"Think of the case where for some reason, the operator has set a quota lower than the defaults on a project.  If that project-admin could delete the quota, they would be restored to the default, which is exactly what the operator does not want.  
So I think this needs to stay within system scope.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"8cae5adcbc2fb090c4d5cdb74d27f89e40e3cf7b","unresolved":true,"context_lines":[{"line_number":993,"context_line":"     - rule:admin_api"},{"line_number":994,"context_line":"     - no"},{"line_number":995,"context_line":"     - no"},{"line_number":996,"context_line":"     - no"},{"line_number":997,"context_line":"     - no"},{"line_number":998,"context_line":"     - yes"},{"line_number":999,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"f42d2c9f_8ca57f8f","line":996,"range":{"start_line":996,"start_character":7,"end_line":996,"end_character":9},"in_reply_to":"c8be07da_510f7c66","updated":"2020-12-04 15:26:06.000000000","message":"For Cinder, there isn\u0027t much difference between project-member and project-admin.  Remember that the project-admin is simply a user in a project; it\u0027s not like they\u0027re an employee of the operator in a public cloud, or report to the operator at a university.  A project-admin is simply a consumer of cloud resources.  So for Cinder, we only want a project-admin to do safe actions, if any, beyond what a project-member can do.\n\nBut remember that the personas are also implemented by Keystone, so it may be the case that a Keystone project-admin can add users to their project and assign roles to users in their project.  So that could be useful, in that the project-admin can make some users members and others readers.  But then they could also make everyone in the project an admin, too.  So we need to be very conservative about what a project-admin can do in Cinder.\n\nThat\u0027s by default, though.  
If an operator wants to allow project-admins to do stuff like modify quotas, the operator can modify the Cinder policies.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"6dda76fce34d204c2070fcd820765ccbc185b51c","unresolved":true,"context_lines":[{"line_number":998,"context_line":"     - yes"},{"line_number":999,"context_line":"     - no"},{"line_number":1000,"context_line":"     - yes"},{"line_number":1001,"context_line":"   * - Validate setup for nested quota"},{"line_number":1002,"context_line":"     - ``GET  /os-quota-sets/validate_setup_for_nested_quota_use``"},{"line_number":1003,"context_line":"     - volume_extension:quota_classes:validate_setup_for_nested_quota_use"},{"line_number":1004,"context_line":"     - rule:admin_api"},{"line_number":1005,"context_line":"     - no"},{"line_number":1006,"context_line":"     - no"},{"line_number":1007,"context_line":"     - no"},{"line_number":1008,"context_line":"     - yes"},{"line_number":1009,"context_line":"     - yes"},{"line_number":1010,"context_line":"     - no"},{"line_number":1011,"context_line":"     - yes"},{"line_number":1012,"context_line":"   * - **Capabilities**"},{"line_number":1013,"context_line":"     -"},{"line_number":1014,"context_line":"     -"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fc430224_7bf14b45","line":1011,"range":{"start_line":1001,"start_character":0,"end_line":1011,"end_character":10},"updated":"2020-11-27 07:41:24.000000000","message":"Nested quotas will be removed in wallaby[1] so we can remove this as well\n\n[1] https://review.opendev.org/c/openstack/cinder/+/758913","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian 
Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"8cae5adcbc2fb090c4d5cdb74d27f89e40e3cf7b","unresolved":false,"context_lines":[{"line_number":998,"context_line":"     - yes"},{"line_number":999,"context_line":"     - no"},{"line_number":1000,"context_line":"     - yes"},{"line_number":1001,"context_line":"   * - Validate setup for nested quota"},{"line_number":1002,"context_line":"     - ``GET  /os-quota-sets/validate_setup_for_nested_quota_use``"},{"line_number":1003,"context_line":"     - volume_extension:quota_classes:validate_setup_for_nested_quota_use"},{"line_number":1004,"context_line":"     - rule:admin_api"},{"line_number":1005,"context_line":"     - no"},{"line_number":1006,"context_line":"     - no"},{"line_number":1007,"context_line":"     - no"},{"line_number":1008,"context_line":"     - yes"},{"line_number":1009,"context_line":"     - yes"},{"line_number":1010,"context_line":"     - no"},{"line_number":1011,"context_line":"     - yes"},{"line_number":1012,"context_line":"   * - **Capabilities**"},{"line_number":1013,"context_line":"     -"},{"line_number":1014,"context_line":"     -"}],"source_content_type":"text/x-rst","patch_set":3,"id":"d9bc11c5_873bf2b8","line":1011,"range":{"start_line":1001,"start_character":0,"end_line":1011,"end_character":10},"in_reply_to":"29907816_f0f8aff7","updated":"2020-12-04 15:26:06.000000000","message":"Done","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"952de4dd1271a8a3bc2c2e7de6245121d12ebaa3","unresolved":true,"context_lines":[{"line_number":998,"context_line":"     - yes"},{"line_number":999,"context_line":"     - no"},{"line_number":1000,"context_line":"     - yes"},{"line_number":1001,"context_line":"   * - Validate setup for nested quota"},{"line_number":1002,"context_line":"     - ``GET  
/os-quota-sets/validate_setup_for_nested_quota_use``"},{"line_number":1003,"context_line":"     - volume_extension:quota_classes:validate_setup_for_nested_quota_use"},{"line_number":1004,"context_line":"     - rule:admin_api"},{"line_number":1005,"context_line":"     - no"},{"line_number":1006,"context_line":"     - no"},{"line_number":1007,"context_line":"     - no"},{"line_number":1008,"context_line":"     - yes"},{"line_number":1009,"context_line":"     - yes"},{"line_number":1010,"context_line":"     - no"},{"line_number":1011,"context_line":"     - yes"},{"line_number":1012,"context_line":"   * - **Capabilities**"},{"line_number":1013,"context_line":"     -"},{"line_number":1014,"context_line":"     -"}],"source_content_type":"text/x-rst","patch_set":3,"id":"29907816_f0f8aff7","line":1011,"range":{"start_line":1001,"start_character":0,"end_line":1011,"end_character":10},"in_reply_to":"fc430224_7bf14b45","updated":"2020-12-03 23:49:05.000000000","message":"Good point, I\u0027ll change the text here to make it clear that it\u0027s a placeholder until your removal patch has merged.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"6dda76fce34d204c2070fcd820765ccbc185b51c","unresolved":true,"context_lines":[{"line_number":1192,"context_line":"     - yes"},{"line_number":1193,"context_line":"     - no"},{"line_number":1194,"context_line":"     - yes"},{"line_number":1195,"context_line":"   * - Get one specific volume type"},{"line_number":1196,"context_line":"     - ``GET  /types/{type_id}``"},{"line_number":1197,"context_line":"     - volume_extension:type_get"},{"line_number":1198,"context_line":"     - empty"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a60227d_95ee546b","line":1195,"range":{"start_line":1195,"start_character":7,"end_line":1195,"end_character":35},"updated":"2020-11-27 
07:41:24.000000000","message":"probably we can say \"show volume type\"","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"952de4dd1271a8a3bc2c2e7de6245121d12ebaa3","unresolved":true,"context_lines":[{"line_number":1192,"context_line":"     - yes"},{"line_number":1193,"context_line":"     - no"},{"line_number":1194,"context_line":"     - yes"},{"line_number":1195,"context_line":"   * - Get one specific volume type"},{"line_number":1196,"context_line":"     - ``GET  /types/{type_id}``"},{"line_number":1197,"context_line":"     - volume_extension:type_get"},{"line_number":1198,"context_line":"     - empty"}],"source_content_type":"text/x-rst","patch_set":3,"id":"c93dbfd7_4ca6b5d4","line":1195,"range":{"start_line":1195,"start_character":7,"end_line":1195,"end_character":35},"in_reply_to":"3a60227d_95ee546b","updated":"2020-12-03 23:49:05.000000000","message":"Sounds good to me.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"8cae5adcbc2fb090c4d5cdb74d27f89e40e3cf7b","unresolved":false,"context_lines":[{"line_number":1192,"context_line":"     - yes"},{"line_number":1193,"context_line":"     - no"},{"line_number":1194,"context_line":"     - yes"},{"line_number":1195,"context_line":"   * - Get one specific volume type"},{"line_number":1196,"context_line":"     - ``GET  /types/{type_id}``"},{"line_number":1197,"context_line":"     - volume_extension:type_get"},{"line_number":1198,"context_line":"     - empty"}],"source_content_type":"text/x-rst","patch_set":3,"id":"4e4c6f97_45286504","line":1195,"range":{"start_line":1195,"start_character":7,"end_line":1195,"end_character":35},"in_reply_to":"c93dbfd7_4ca6b5d4","updated":"2020-12-04 
15:26:06.000000000","message":"Done","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"6dda76fce34d204c2070fcd820765ccbc185b51c","unresolved":true,"context_lines":[{"line_number":1214,"context_line":"     - yes"},{"line_number":1215,"context_line":"     - yes"},{"line_number":1216,"context_line":"     - yes"},{"line_number":1217,"context_line":"   * - Base policy for all volume type encryption type operations"},{"line_number":1218,"context_line":"     - Convenience default policy for the situation where you don\u0027t want"},{"line_number":1219,"context_line":"       to configure all the ``volume_type_encryption`` policies separately"},{"line_number":1220,"context_line":"     - volume_extension:volume_type_encryption"},{"line_number":1221,"context_line":"     - rule:admin_api"},{"line_number":1222,"context_line":"     - no"},{"line_number":1223,"context_line":"     - no"},{"line_number":1224,"context_line":"     - no"},{"line_number":1225,"context_line":"     - no"},{"line_number":1226,"context_line":"     - yes"},{"line_number":1227,"context_line":"     - no"},{"line_number":1228,"context_line":"     - yes"},{"line_number":1229,"context_line":"   * - Create volume type encryption"},{"line_number":1230,"context_line":"     - ``POST  /types/{type_id}/encryption``"},{"line_number":1231,"context_line":"     - volume_extension:volume_type_encryption:create"}],"source_content_type":"text/x-rst","patch_set":3,"id":"c42a0045_878e2f60","line":1228,"range":{"start_line":1217,"start_character":0,"end_line":1228,"end_character":10},"updated":"2020-11-27 07:41:24.000000000","message":"It makes sense to deprecate/remove this policy from our code now","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian 
Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"952de4dd1271a8a3bc2c2e7de6245121d12ebaa3","unresolved":true,"context_lines":[{"line_number":1214,"context_line":"     - yes"},{"line_number":1215,"context_line":"     - yes"},{"line_number":1216,"context_line":"     - yes"},{"line_number":1217,"context_line":"   * - Base policy for all volume type encryption type operations"},{"line_number":1218,"context_line":"     - Convenience default policy for the situation where you don\u0027t want"},{"line_number":1219,"context_line":"       to configure all the ``volume_type_encryption`` policies separately"},{"line_number":1220,"context_line":"     - volume_extension:volume_type_encryption"},{"line_number":1221,"context_line":"     - rule:admin_api"},{"line_number":1222,"context_line":"     - no"},{"line_number":1223,"context_line":"     - no"},{"line_number":1224,"context_line":"     - no"},{"line_number":1225,"context_line":"     - no"},{"line_number":1226,"context_line":"     - yes"},{"line_number":1227,"context_line":"     - no"},{"line_number":1228,"context_line":"     - yes"},{"line_number":1229,"context_line":"   * - Create volume type encryption"},{"line_number":1230,"context_line":"     - ``POST  /types/{type_id}/encryption``"},{"line_number":1231,"context_line":"     - volume_extension:volume_type_encryption:create"}],"source_content_type":"text/x-rst","patch_set":3,"id":"d5d88955_9d34ad55","line":1228,"range":{"start_line":1217,"start_character":0,"end_line":1228,"end_character":10},"in_reply_to":"c42a0045_878e2f60","updated":"2020-12-03 23:49:05.000000000","message":"Thanks for catching this.  
I thought I\u0027d left a comment here, but apparently not!","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"8cae5adcbc2fb090c4d5cdb74d27f89e40e3cf7b","unresolved":false,"context_lines":[{"line_number":1214,"context_line":"     - yes"},{"line_number":1215,"context_line":"     - yes"},{"line_number":1216,"context_line":"     - yes"},{"line_number":1217,"context_line":"   * - Base policy for all volume type encryption type operations"},{"line_number":1218,"context_line":"     - Convenience default policy for the situation where you don\u0027t want"},{"line_number":1219,"context_line":"       to configure all the ``volume_type_encryption`` policies separately"},{"line_number":1220,"context_line":"     - volume_extension:volume_type_encryption"},{"line_number":1221,"context_line":"     - rule:admin_api"},{"line_number":1222,"context_line":"     - no"},{"line_number":1223,"context_line":"     - no"},{"line_number":1224,"context_line":"     - no"},{"line_number":1225,"context_line":"     - no"},{"line_number":1226,"context_line":"     - yes"},{"line_number":1227,"context_line":"     - no"},{"line_number":1228,"context_line":"     - yes"},{"line_number":1229,"context_line":"   * - Create volume type encryption"},{"line_number":1230,"context_line":"     - ``POST  /types/{type_id}/encryption``"},{"line_number":1231,"context_line":"     - volume_extension:volume_type_encryption:create"}],"source_content_type":"text/x-rst","patch_set":3,"id":"83081c21_4edf8b9a","line":1228,"range":{"start_line":1217,"start_character":0,"end_line":1228,"end_character":10},"in_reply_to":"d5d88955_9d34ad55","updated":"2020-12-04 15:26:06.000000000","message":"Done","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat 
Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"6dda76fce34d204c2070fcd820765ccbc185b51c","unresolved":true,"context_lines":[{"line_number":1316,"context_line":"     - rule:admin_api"},{"line_number":1317,"context_line":"     - no"},{"line_number":1318,"context_line":"     - no"},{"line_number":1319,"context_line":"     - no"},{"line_number":1320,"context_line":"     - no"},{"line_number":1321,"context_line":"     - yes"},{"line_number":1322,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a7fbb2b_5424acd8","line":1319,"range":{"start_line":1319,"start_character":7,"end_line":1319,"end_character":9},"updated":"2020-11-27 07:41:24.000000000","message":"I think a project admin should be able to add access for a specific project. thoughts?","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"d1e9e343707d822d17a4f0f839067e66afd7481c","unresolved":true,"context_lines":[{"line_number":1316,"context_line":"     - rule:admin_api"},{"line_number":1317,"context_line":"     - no"},{"line_number":1318,"context_line":"     - no"},{"line_number":1319,"context_line":"     - no"},{"line_number":1320,"context_line":"     - no"},{"line_number":1321,"context_line":"     - yes"},{"line_number":1322,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"764c5348_5a66cdb7","line":1319,"range":{"start_line":1319,"start_character":7,"end_line":1319,"end_character":9},"in_reply_to":"10fa0619_502bc0ad","updated":"2020-12-09 15:38:07.000000000","message":"As discussed in mid-cycle, good to keep it system admin as project admins can\u0027t be trusted in every deployment, if this makes sense for a project admin in any deployment then they can override the default policy but system admin is safer 
here.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"952de4dd1271a8a3bc2c2e7de6245121d12ebaa3","unresolved":true,"context_lines":[{"line_number":1316,"context_line":"     - rule:admin_api"},{"line_number":1317,"context_line":"     - no"},{"line_number":1318,"context_line":"     - no"},{"line_number":1319,"context_line":"     - no"},{"line_number":1320,"context_line":"     - no"},{"line_number":1321,"context_line":"     - yes"},{"line_number":1322,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9962ba16_3199ad8b","line":1319,"range":{"start_line":1319,"start_character":7,"end_line":1319,"end_character":9},"in_reply_to":"1a7fbb2b_5424acd8","updated":"2020-12-03 23:49:05.000000000","message":"This is a \"private type\" that the operator has created for some specific project(s); by default, I don\u0027t think we want to allow a project-admin in project A adding themselves to a private type that was created for project B.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"8cae5adcbc2fb090c4d5cdb74d27f89e40e3cf7b","unresolved":true,"context_lines":[{"line_number":1316,"context_line":"     - rule:admin_api"},{"line_number":1317,"context_line":"     - no"},{"line_number":1318,"context_line":"     - no"},{"line_number":1319,"context_line":"     - no"},{"line_number":1320,"context_line":"     - no"},{"line_number":1321,"context_line":"     - yes"},{"line_number":1322,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"10fa0619_502bc0ad","line":1319,"range":{"start_line":1319,"start_character":7,"end_line":1319,"end_character":9},"in_reply_to":"8b2f5ab0_2b104677","updated":"2020-12-04 
15:26:06.000000000","message":"Cinder doesn\u0027t get to pick who is a project-admin or what their qualifications are, so we can\u0027t make any assumptions about whether they are a responsible user or just a customer with a credit card.  So we need to be extremely careful about giving a project-admin any powers that can impact the cinder deployment.\n\nIf an operator is carefully picking who gets to be a project-admin, then they can modify the default policies to allow more.  But the default needs to be very conservative.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"483b44144f00c45e5bc2767229d76beedbff438c","unresolved":true,"context_lines":[{"line_number":1316,"context_line":"     - rule:admin_api"},{"line_number":1317,"context_line":"     - no"},{"line_number":1318,"context_line":"     - no"},{"line_number":1319,"context_line":"     - no"},{"line_number":1320,"context_line":"     - no"},{"line_number":1321,"context_line":"     - yes"},{"line_number":1322,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"8b2f5ab0_2b104677","line":1319,"range":{"start_line":1319,"start_character":7,"end_line":1319,"end_character":9},"in_reply_to":"9962ba16_3199ad8b","updated":"2020-12-04 09:12:01.000000000","message":"Similar to my thought above, i feel the responsibility of a project *admin* is more as compared to a project *member* and shouldn\u0027t be doing any such action?","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"6dda76fce34d204c2070fcd820765ccbc185b51c","unresolved":true,"context_lines":[{"line_number":1327,"context_line":"     - rule:admin_api"},{"line_number":1328,"context_line":"     - no"},{"line_number":1329,"context_line":"     - 
no"},{"line_number":1330,"context_line":"     - no"},{"line_number":1331,"context_line":"     - no"},{"line_number":1332,"context_line":"     - yes"},{"line_number":1333,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"81cad007_e239d2f4","line":1330,"range":{"start_line":1330,"start_character":7,"end_line":1330,"end_character":9},"updated":"2020-11-27 07:41:24.000000000","message":"same","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"952de4dd1271a8a3bc2c2e7de6245121d12ebaa3","unresolved":true,"context_lines":[{"line_number":1327,"context_line":"     - rule:admin_api"},{"line_number":1328,"context_line":"     - no"},{"line_number":1329,"context_line":"     - no"},{"line_number":1330,"context_line":"     - no"},{"line_number":1331,"context_line":"     - no"},{"line_number":1332,"context_line":"     - yes"},{"line_number":1333,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"96bba067_573378ff","line":1330,"range":{"start_line":1330,"start_character":7,"end_line":1330,"end_character":9},"in_reply_to":"81cad007_e239d2f4","updated":"2020-12-03 23:49:05.000000000","message":"For this one ... maybe?  \n\nI guess the use case is: the operator created a private volume type for my project to use, but for some reason, I don\u0027t want users in my project creating volumes of that type any more.\n\nThat seems reasonable, but I don\u0027t know if we want to make it the default behavior.  
Let\u0027s see what other people think.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"8cae5adcbc2fb090c4d5cdb74d27f89e40e3cf7b","unresolved":true,"context_lines":[{"line_number":1327,"context_line":"     - rule:admin_api"},{"line_number":1328,"context_line":"     - no"},{"line_number":1329,"context_line":"     - no"},{"line_number":1330,"context_line":"     - no"},{"line_number":1331,"context_line":"     - no"},{"line_number":1332,"context_line":"     - yes"},{"line_number":1333,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"b4f3a13d_ab6f4ade","line":1330,"range":{"start_line":1330,"start_character":7,"end_line":1330,"end_character":9},"in_reply_to":"96bba067_573378ff","updated":"2020-12-04 15:26:06.000000000","message":"Looking at the code, this can be done while the project still contains volumes of that type (which is fine, the type will still exist), but it will cause weird behavior (you have a volume of type e44e6c9e-972f-40af-8166-ab0a67cfe816, but when you try to look at the type detail, you\u0027ll get a 404.  (Which can happen now, but it\u0027s caused by the operator, who would then have some context for the call to support.)  
So I think it may be best to leave this as admin-only.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"d1e9e343707d822d17a4f0f839067e66afd7481c","unresolved":true,"context_lines":[{"line_number":1327,"context_line":"     - rule:admin_api"},{"line_number":1328,"context_line":"     - no"},{"line_number":1329,"context_line":"     - no"},{"line_number":1330,"context_line":"     - no"},{"line_number":1331,"context_line":"     - no"},{"line_number":1332,"context_line":"     - yes"},{"line_number":1333,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"57598b96_8dd44a89","line":1330,"range":{"start_line":1330,"start_character":7,"end_line":1330,"end_character":9},"in_reply_to":"b4f3a13d_ab6f4ade","updated":"2020-12-09 15:38:07.000000000","message":"Same, safer to keep it system admin","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"6dda76fce34d204c2070fcd820765ccbc185b51c","unresolved":true,"context_lines":[{"line_number":1453,"context_line":"     - yes"},{"line_number":1454,"context_line":"     - no"},{"line_number":1455,"context_line":"     - yes"},{"line_number":1456,"context_line":"   * - Migrate a volume to a specified host"},{"line_number":1457,"context_line":"     - ``POST  /volumes/{volume_id}/action`` (os-migrate_volume)"},{"line_number":1458,"context_line":"     - volume_extension:volume_admin_actions:migrate_volume"},{"line_number":1459,"context_line":"     - rule:admin_api"},{"line_number":1460,"context_line":"     - no"},{"line_number":1461,"context_line":"     - no"},{"line_number":1462,"context_line":"     - no"},{"line_number":1463,"context_line":"     - no"},{"line_number":1464,"context_line":"     - 
yes"},{"line_number":1465,"context_line":"     - no"},{"line_number":1466,"context_line":"     - yes"},{"line_number":1467,"context_line":"   * - Complete a volume migration"},{"line_number":1468,"context_line":"     - ``POST  /volumes/{volume_id}/action`` (os-migrate_volume_completion)"},{"line_number":1469,"context_line":"     - volume_extension:volume_admin_actions:migrate_volume_completion"}],"source_content_type":"text/x-rst","patch_set":3,"id":"dcae0c9f_1f695eb6","line":1466,"range":{"start_line":1456,"start_character":0,"end_line":1466,"end_character":10},"updated":"2020-11-27 07:41:24.000000000","message":"This is really strange, a volume migration requires cloud admin privileges but a retype operation doesn\u0027t (see L#1390) since retype also does a migration.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"483b44144f00c45e5bc2767229d76beedbff438c","unresolved":true,"context_lines":[{"line_number":1453,"context_line":"     - yes"},{"line_number":1454,"context_line":"     - no"},{"line_number":1455,"context_line":"     - yes"},{"line_number":1456,"context_line":"   * - Migrate a volume to a specified host"},{"line_number":1457,"context_line":"     - ``POST  /volumes/{volume_id}/action`` (os-migrate_volume)"},{"line_number":1458,"context_line":"     - volume_extension:volume_admin_actions:migrate_volume"},{"line_number":1459,"context_line":"     - rule:admin_api"},{"line_number":1460,"context_line":"     - no"},{"line_number":1461,"context_line":"     - no"},{"line_number":1462,"context_line":"     - no"},{"line_number":1463,"context_line":"     - no"},{"line_number":1464,"context_line":"     - yes"},{"line_number":1465,"context_line":"     - no"},{"line_number":1466,"context_line":"     - yes"},{"line_number":1467,"context_line":"   * - Complete a volume migration"},{"line_number":1468,"context_line":"     - 
``POST  /volumes/{volume_id}/action`` (os-migrate_volume_completion)"},{"line_number":1469,"context_line":"     - volume_extension:volume_admin_actions:migrate_volume_completion"}],"source_content_type":"text/x-rst","patch_set":3,"id":"d2e60114_1e87bb41","line":1466,"range":{"start_line":1456,"start_character":0,"end_line":1466,"end_character":10},"in_reply_to":"0e3c8291_3652d8af","updated":"2020-12-04 09:12:01.000000000","message":"Right, retype doesn\u0027t have to do a migration but I\u0027m referring to the case when the migration is done.\nThe difference between the two is specifying the host directly (in migration) and specifying the volume type (in retype) but my point is, migration of a volume from one storage node to another is done in both cases, so should we allow a project member to do retype with migration? or a project member should be able to do a migration to host?\nCorrect me if I\u0027m wrong anywhere but that\u0027s my understanding of the scenario.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"d1e9e343707d822d17a4f0f839067e66afd7481c","unresolved":true,"context_lines":[{"line_number":1453,"context_line":"     - yes"},{"line_number":1454,"context_line":"     - no"},{"line_number":1455,"context_line":"     - yes"},{"line_number":1456,"context_line":"   * - Migrate a volume to a specified host"},{"line_number":1457,"context_line":"     - ``POST  /volumes/{volume_id}/action`` (os-migrate_volume)"},{"line_number":1458,"context_line":"     - volume_extension:volume_admin_actions:migrate_volume"},{"line_number":1459,"context_line":"     - rule:admin_api"},{"line_number":1460,"context_line":"     - no"},{"line_number":1461,"context_line":"     - no"},{"line_number":1462,"context_line":"     - no"},{"line_number":1463,"context_line":"     - no"},{"line_number":1464,"context_line":"     - 
yes"},{"line_number":1465,"context_line":"     - no"},{"line_number":1466,"context_line":"     - yes"},{"line_number":1467,"context_line":"   * - Complete a volume migration"},{"line_number":1468,"context_line":"     - ``POST  /volumes/{volume_id}/action`` (os-migrate_volume_completion)"},{"line_number":1469,"context_line":"     - volume_extension:volume_admin_actions:migrate_volume_completion"}],"source_content_type":"text/x-rst","patch_set":3,"id":"0b417d45_47c5d15c","line":1466,"range":{"start_line":1456,"start_character":0,"end_line":1466,"end_character":10},"in_reply_to":"7870a747_50737194","updated":"2020-12-09 15:38:07.000000000","message":"As discussed in mid-cycle, a migration requires knowing the host info, which is only accessible to admins. In case of a retype, the non-admins have access to volume types which are configured by system admins, so it is indirectly controlled by the system admin.\nIn conclusion, the current policies make sense and don\u0027t need any change.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"8cae5adcbc2fb090c4d5cdb74d27f89e40e3cf7b","unresolved":true,"context_lines":[{"line_number":1453,"context_line":"     - yes"},{"line_number":1454,"context_line":"     - no"},{"line_number":1455,"context_line":"     - yes"},{"line_number":1456,"context_line":"   * - Migrate a volume to a specified host"},{"line_number":1457,"context_line":"     - ``POST  /volumes/{volume_id}/action`` (os-migrate_volume)"},{"line_number":1458,"context_line":"     - volume_extension:volume_admin_actions:migrate_volume"},{"line_number":1459,"context_line":"     - rule:admin_api"},{"line_number":1460,"context_line":"     - no"},{"line_number":1461,"context_line":"     - no"},{"line_number":1462,"context_line":"     - no"},{"line_number":1463,"context_line":"     - no"},{"line_number":1464,"context_line":"     - 
yes"},{"line_number":1465,"context_line":"     - no"},{"line_number":1466,"context_line":"     - yes"},{"line_number":1467,"context_line":"   * - Complete a volume migration"},{"line_number":1468,"context_line":"     - ``POST  /volumes/{volume_id}/action`` (os-migrate_volume_completion)"},{"line_number":1469,"context_line":"     - volume_extension:volume_admin_actions:migrate_volume_completion"}],"source_content_type":"text/x-rst","patch_set":3,"id":"7870a747_50737194","line":1466,"range":{"start_line":1456,"start_character":0,"end_line":1466,"end_character":10},"in_reply_to":"d2e60114_1e87bb41","updated":"2020-12-04 15:26:06.000000000","message":"Look at it this way.  The user wants to retype from type A to type B, which happen to be on different backends.  The user could have created the volume of type B to begin with.  The \u0027migration_policy\u0027 in the API call lets the user indicate that they realize the retype may take extra time.\n\nThe other thing is that we currently allow project members to do this, so I think that should continue.  The way I\u0027m looking at this is a project-admin can do everything a project member can do now, plus (maybe) some safe actions that are currently restricted to admins only.  
I don\u0027t agree with adding a project-admin persona and at the same time removing permissions from current project members.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"952de4dd1271a8a3bc2c2e7de6245121d12ebaa3","unresolved":true,"context_lines":[{"line_number":1453,"context_line":"     - yes"},{"line_number":1454,"context_line":"     - no"},{"line_number":1455,"context_line":"     - yes"},{"line_number":1456,"context_line":"   * - Migrate a volume to a specified host"},{"line_number":1457,"context_line":"     - ``POST  /volumes/{volume_id}/action`` (os-migrate_volume)"},{"line_number":1458,"context_line":"     - volume_extension:volume_admin_actions:migrate_volume"},{"line_number":1459,"context_line":"     - rule:admin_api"},{"line_number":1460,"context_line":"     - no"},{"line_number":1461,"context_line":"     - no"},{"line_number":1462,"context_line":"     - no"},{"line_number":1463,"context_line":"     - no"},{"line_number":1464,"context_line":"     - yes"},{"line_number":1465,"context_line":"     - no"},{"line_number":1466,"context_line":"     - yes"},{"line_number":1467,"context_line":"   * - Complete a volume migration"},{"line_number":1468,"context_line":"     - ``POST  /volumes/{volume_id}/action`` (os-migrate_volume_completion)"},{"line_number":1469,"context_line":"     - volume_extension:volume_admin_actions:migrate_volume_completion"}],"source_content_type":"text/x-rst","patch_set":3,"id":"0e3c8291_3652d8af","line":1466,"range":{"start_line":1456,"start_character":0,"end_line":1466,"end_character":10},"in_reply_to":"dcae0c9f_1f695eb6","updated":"2020-12-03 23:49:05.000000000","message":"I think the difference is that retype doesn\u0027t *have* to do a migration, and with retype, you don\u0027t get to specify the host (which we don\u0027t expect (or want) users to know 
about).","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"6dda76fce34d204c2070fcd820765ccbc185b51c","unresolved":true,"context_lines":[{"line_number":1894,"context_line":"   * - List or show volume with tenant attribute"},{"line_number":1895,"context_line":"     - | ``GET  /volumes/{volume_id}``"},{"line_number":1896,"context_line":"       | ``GET  /volumes/detail``"},{"line_number":1897,"context_line":"     - volume_extension:volume_tenant_attribute"},{"line_number":1898,"context_line":"     - rule:admin_or_owner"},{"line_number":1899,"context_line":"     - yes"},{"line_number":1900,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":3,"id":"4fa19831_f4d649be","line":1897,"range":{"start_line":1897,"start_character":31,"end_line":1897,"end_character":37},"updated":"2020-11-27 07:41:24.000000000","message":"This might cause confusion as we have started using ``project`` keyword.\nCan we also change the policy name as part of deprecation process?","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"8cae5adcbc2fb090c4d5cdb74d27f89e40e3cf7b","unresolved":false,"context_lines":[{"line_number":1894,"context_line":"   * - List or show volume with tenant attribute"},{"line_number":1895,"context_line":"     - | ``GET  /volumes/{volume_id}``"},{"line_number":1896,"context_line":"       | ``GET  /volumes/detail``"},{"line_number":1897,"context_line":"     - volume_extension:volume_tenant_attribute"},{"line_number":1898,"context_line":"     - rule:admin_or_owner"},{"line_number":1899,"context_line":"     - yes"},{"line_number":1900,"context_line":"     - 
yes"}],"source_content_type":"text/x-rst","patch_set":3,"id":"64b5f7a8_2bd936cc","line":1897,"range":{"start_line":1897,"start_character":31,"end_line":1897,"end_character":37},"in_reply_to":"269043a3_2650c797","updated":"2020-12-04 15:26:06.000000000","message":"Done","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"952de4dd1271a8a3bc2c2e7de6245121d12ebaa3","unresolved":true,"context_lines":[{"line_number":1894,"context_line":"   * - List or show volume with tenant attribute"},{"line_number":1895,"context_line":"     - | ``GET  /volumes/{volume_id}``"},{"line_number":1896,"context_line":"       | ``GET  /volumes/detail``"},{"line_number":1897,"context_line":"     - volume_extension:volume_tenant_attribute"},{"line_number":1898,"context_line":"     - rule:admin_or_owner"},{"line_number":1899,"context_line":"     - yes"},{"line_number":1900,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":3,"id":"269043a3_2650c797","line":1897,"range":{"start_line":1897,"start_character":31,"end_line":1897,"end_character":37},"in_reply_to":"4fa19831_f4d649be","updated":"2020-12-03 23:49:05.000000000","message":"The problem is that this shows up in the response as\n\n  os-vol-tenant-attr:tenant_id\n\nso it might be even more confusing if we change it.  
I\u0027ll say something about the project in the description, maybe that will help.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"94c5452b9aa45c401b5977b18524eb62f8af3465","unresolved":false,"context_lines":[{"line_number":1974,"context_line":"   * - Get all default types"},{"line_number":1975,"context_line":"     - ``GET  /default-types/``"},{"line_number":1976,"context_line":"     - volume_extension:default_get_all"},{"line_number":1977,"context_line":"     - role:admin and system_scope:all"},{"line_number":1978,"context_line":"     - no"},{"line_number":1979,"context_line":"     - no"},{"line_number":1980,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fffc6b78_638e7d28","line":1977,"range":{"start_line":1977,"start_character":7,"end_line":1977,"end_character":38},"updated":"2020-11-19 16:00:49.000000000","message":"this makes me curious as to which all personas we want to introduce a rule for\n\nhttps://github.com/openstack/cinder/blob/master/cinder/policies/base.py#L18-L35","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"fb91311e4ae8a1aa5b5fce7040f130d7dc985207","unresolved":false,"context_lines":[{"line_number":1974,"context_line":"   * - Get all default types"},{"line_number":1975,"context_line":"     - ``GET  /default-types/``"},{"line_number":1976,"context_line":"     - volume_extension:default_get_all"},{"line_number":1977,"context_line":"     - role:admin and system_scope:all"},{"line_number":1978,"context_line":"     - no"},{"line_number":1979,"context_line":"     - no"},{"line_number":1980,"context_line":"     - 
no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fffc6b78_de93c25b","line":1977,"range":{"start_line":1977,"start_character":7,"end_line":1977,"end_character":38},"in_reply_to":"fffc6b78_638e7d28","updated":"2020-11-19 16:54:58.000000000","message":"I think we\u0027ll want to introduce one for each of the 5 cinder personas because it will make the policies easier to read.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"483b44144f00c45e5bc2767229d76beedbff438c","unresolved":false,"context_lines":[{"line_number":1974,"context_line":"   * - Get all default types"},{"line_number":1975,"context_line":"     - ``GET  /default-types/``"},{"line_number":1976,"context_line":"     - volume_extension:default_get_all"},{"line_number":1977,"context_line":"     - role:admin and system_scope:all"},{"line_number":1978,"context_line":"     - no"},{"line_number":1979,"context_line":"     - no"},{"line_number":1980,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"a771f4f3_dd3cf1f3","line":1977,"range":{"start_line":1977,"start_character":7,"end_line":1977,"end_character":38},"in_reply_to":"fffc6b78_de93c25b","updated":"2020-12-04 09:12:01.000000000","message":"Makes sense.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"fb91311e4ae8a1aa5b5fce7040f130d7dc985207","unresolved":false,"context_lines":[{"line_number":1985,"context_line":"   * - Unset default type"},{"line_number":1986,"context_line":"     - ``DELETE  /default-types/{project-id}``"},{"line_number":1987,"context_line":"     - volume_extension:default_unset"},{"line_number":1988,"context_line":"     - rule:system_or_domain_or_project_admin"},{"line_number":1989,"context_line":"     - 
no"},{"line_number":1990,"context_line":"     - no"},{"line_number":1991,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fffc6b78_3e8e4e2e","line":1988,"range":{"start_line":1988,"start_character":7,"end_line":1988,"end_character":45},"updated":"2020-11-19 16:54:58.000000000","message":"I think we\u0027ll want to deprecate the domain scope stuff in the default types API in order to keep everything consistent.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"483b44144f00c45e5bc2767229d76beedbff438c","unresolved":false,"context_lines":[{"line_number":1985,"context_line":"   * - Unset default type"},{"line_number":1986,"context_line":"     - ``DELETE  /default-types/{project-id}``"},{"line_number":1987,"context_line":"     - volume_extension:default_unset"},{"line_number":1988,"context_line":"     - rule:system_or_domain_or_project_admin"},{"line_number":1989,"context_line":"     - no"},{"line_number":1990,"context_line":"     - no"},{"line_number":1991,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3de11173_e6b44944","line":1988,"range":{"start_line":1988,"start_character":7,"end_line":1988,"end_character":45},"in_reply_to":"fffc6b78_3e8e4e2e","updated":"2020-12-04 09:12:01.000000000","message":"Makes sense.","commit_id":"ff827ee9ce19fd04480a0c98ad89f380fefeec63"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3d9c8167769d45d7d42c408eda6fae63a8918475","unresolved":true,"context_lines":[{"line_number":313,"context_line":"   * - List snapshots."},{"line_number":314,"context_line":"     - | ``GET  /snapshots``"},{"line_number":315,"context_line":"       | ``GET  /snapshots/detail``"},{"line_number":316,"context_line":"     - 
volume:get_all_snapshots"},{"line_number":317,"context_line":"     - rule:admin_or_owner"},{"line_number":318,"context_line":"     - yes"},{"line_number":319,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":4,"id":"8944b500_23f44b7e","line":316,"range":{"start_line":316,"start_character":14,"end_line":316,"end_character":31},"updated":"2020-11-25 04:59:42.000000000","message":"Is this policy specific to getting all snapshots in the deployment? Or just all snapshots associated to a specific project?","commit_id":"ddce6b5c764f22cebe29c19fdc812db4356305b5"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c225543bf006f42fa3d34c1ea457de2b74befec0","unresolved":true,"context_lines":[{"line_number":313,"context_line":"   * - List snapshots."},{"line_number":314,"context_line":"     - | ``GET  /snapshots``"},{"line_number":315,"context_line":"       | ``GET  /snapshots/detail``"},{"line_number":316,"context_line":"     - volume:get_all_snapshots"},{"line_number":317,"context_line":"     - rule:admin_or_owner"},{"line_number":318,"context_line":"     - yes"},{"line_number":319,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":4,"id":"af1a9b6e_ac25e9de","line":316,"range":{"start_line":316,"start_character":14,"end_line":316,"end_character":31},"in_reply_to":"8944b500_23f44b7e","updated":"2020-11-25 13:21:34.000000000","message":"Just the snapshots associated with the project whose project_id is in the URL; an admin (what we\u0027re now calling system-admin) has the option to include \u0027all_tenants\u0027 in the query parameters (where that\u0027s governed by is_admin on the context object).\n\nThis call is described as \"List accessible snapshots\" in the api-ref, though I\u0027m not sure I want to change it here because the assumption should be that the calls are limited to a particular project; i think it\u0027s unstated on 
most of the other call descriptions.","commit_id":"ddce6b5c764f22cebe29c19fdc812db4356305b5"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3d9c8167769d45d7d42c408eda6fae63a8918475","unresolved":true,"context_lines":[{"line_number":406,"context_line":"     - rule:admin_api"},{"line_number":407,"context_line":"     - no"},{"line_number":408,"context_line":"     - no"},{"line_number":409,"context_line":"     - no"},{"line_number":410,"context_line":"     - no"},{"line_number":411,"context_line":"     - yes"},{"line_number":412,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":4,"id":"1ba90749_fed84108","line":409,"range":{"start_line":409,"start_character":7,"end_line":409,"end_character":9},"updated":"2020-11-25 04:59:42.000000000","message":"I\u0027ve wondered if this would be a good candidate for project-admin, assuming the API doesn\u0027t require any information that violates tenancy (e.g., the storage host information or something like that).","commit_id":"ddce6b5c764f22cebe29c19fdc812db4356305b5"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c225543bf006f42fa3d34c1ea457de2b74befec0","unresolved":true,"context_lines":[{"line_number":406,"context_line":"     - rule:admin_api"},{"line_number":407,"context_line":"     - no"},{"line_number":408,"context_line":"     - no"},{"line_number":409,"context_line":"     - no"},{"line_number":410,"context_line":"     - no"},{"line_number":411,"context_line":"     - yes"},{"line_number":412,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":4,"id":"c6729f96_266890d8","line":409,"range":{"start_line":409,"start_character":7,"end_line":409,"end_character":9},"in_reply_to":"1ba90749_fed84108","updated":"2020-11-25 13:21:34.000000000","message":"I don\u0027t think so because there may be cleanup 
implications on the storage backend, so we only want system-admins to do this.","commit_id":"ddce6b5c764f22cebe29c19fdc812db4356305b5"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"65944827e1107266cf7be94393d593667c71cebd","unresolved":false,"context_lines":[{"line_number":406,"context_line":"     - rule:admin_api"},{"line_number":407,"context_line":"     - no"},{"line_number":408,"context_line":"     - no"},{"line_number":409,"context_line":"     - no"},{"line_number":410,"context_line":"     - no"},{"line_number":411,"context_line":"     - yes"},{"line_number":412,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":4,"id":"993d2f4d_4303eed7","line":409,"range":{"start_line":409,"start_character":7,"end_line":409,"end_character":9},"in_reply_to":"c6729f96_266890d8","updated":"2020-11-25 14:42:29.000000000","message":"Ack","commit_id":"ddce6b5c764f22cebe29c19fdc812db4356305b5"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3d9c8167769d45d7d42c408eda6fae63a8918475","unresolved":true,"context_lines":[{"line_number":581,"context_line":"     - rule:admin_api"},{"line_number":582,"context_line":"     - no"},{"line_number":583,"context_line":"     - no"},{"line_number":584,"context_line":"     - no"},{"line_number":585,"context_line":"     - no"},{"line_number":586,"context_line":"     - yes"},{"line_number":587,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":4,"id":"510d85bd_d57d5be7","line":584,"range":{"start_line":584,"start_character":7,"end_line":584,"end_character":9},"updated":"2020-11-25 04:59:42.000000000","message":"Same comment here as above.","commit_id":"ddce6b5c764f22cebe29c19fdc812db4356305b5"},{"author":{"_account_id":5314,"name":"Brian 
Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c225543bf006f42fa3d34c1ea457de2b74befec0","unresolved":true,"context_lines":[{"line_number":581,"context_line":"     - rule:admin_api"},{"line_number":582,"context_line":"     - no"},{"line_number":583,"context_line":"     - no"},{"line_number":584,"context_line":"     - no"},{"line_number":585,"context_line":"     - no"},{"line_number":586,"context_line":"     - yes"},{"line_number":587,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":4,"id":"70374d2f_2a363ede","line":584,"range":{"start_line":584,"start_character":7,"end_line":584,"end_character":9},"in_reply_to":"510d85bd_d57d5be7","updated":"2020-11-25 13:21:34.000000000","message":"Yeah, same answer.  The \"force\" here gets it out of the database so it appears deleted to the project\u0027s users, but there may be actions outside of normal cinder operations that a system-admin must take to really get rid of the thing.","commit_id":"ddce6b5c764f22cebe29c19fdc812db4356305b5"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"65944827e1107266cf7be94393d593667c71cebd","unresolved":false,"context_lines":[{"line_number":581,"context_line":"     - rule:admin_api"},{"line_number":582,"context_line":"     - no"},{"line_number":583,"context_line":"     - no"},{"line_number":584,"context_line":"     - no"},{"line_number":585,"context_line":"     - no"},{"line_number":586,"context_line":"     - yes"},{"line_number":587,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":4,"id":"ac7cffb3_a83163b2","line":584,"range":{"start_line":584,"start_character":7,"end_line":584,"end_character":9},"in_reply_to":"70374d2f_2a363ede","updated":"2020-11-25 14:42:29.000000000","message":"Ack","commit_id":"ddce6b5c764f22cebe29c19fdc812db4356305b5"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"811083b52ce2e70190c6b66aaae4c378780696e1","unresolved":true,"context_lines":[{"line_number":6,"context_line":"   This describes work in progress.  Until this warning is removed,"},{"line_number":7,"context_line":"   you should regard the permissions described here as NOT IMPLEMENTED."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Beginning with the Wallaby release, the Block Storage service API v3 takes"},{"line_number":10,"context_line":"advantage of the default authentication and authorization apparatus supplied"},{"line_number":11,"context_line":"by the Keystone project to give operators a rich set of default policies to"},{"line_number":12,"context_line":"control how users interact with the Block Storage service API."}],"source_content_type":"text/x-rst","patch_set":6,"id":"ac3d9390_30f52900","line":9,"range":{"start_line":9,"start_character":66,"end_line":9,"end_character":68},"updated":"2020-12-09 15:43:35.000000000","message":"Does the v2 API use a different permission model? Or are we refraining from implementing it for v2 since it\u0027s deprecated?","commit_id":"96e4187682a085a42c875235fa7440ce3c005642"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c2b78fe6ac9fc1c2f4eeb393fb0ea6b68995a361","unresolved":true,"context_lines":[{"line_number":6,"context_line":"   This describes work in progress.  
Until this warning is removed,"},{"line_number":7,"context_line":"   you should regard the permissions described here as NOT IMPLEMENTED."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Beginning with the Wallaby release, the Block Storage service API v3 takes"},{"line_number":10,"context_line":"advantage of the default authentication and authorization apparatus supplied"},{"line_number":11,"context_line":"by the Keystone project to give operators a rich set of default policies to"},{"line_number":12,"context_line":"control how users interact with the Block Storage service API."}],"source_content_type":"text/x-rst","patch_set":6,"id":"ce0ff747_74bf397d","line":9,"range":{"start_line":9,"start_character":66,"end_line":9,"end_character":68},"in_reply_to":"ac3d9390_30f52900","updated":"2020-12-10 16:52:15.000000000","message":"Same model, but we\u0027re removing v2 this cycle.  Key point is that we\u0027ll only need to test against v3.","commit_id":"96e4187682a085a42c875235fa7440ce3c005642"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"811083b52ce2e70190c6b66aaae4c378780696e1","unresolved":true,"context_lines":[{"line_number":21,"context_line":"is, Cinder and all its services), and a \"project\" refers to a container or"},{"line_number":22,"context_line":"namespace for resources."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"* In order to consume resources, a user must be assigned to a project by"},{"line_number":25,"context_line":"  being given a role (for example, \u0027member\u0027) in that project.  That\u0027s done"},{"line_number":26,"context_line":"  in Keystone; it\u0027s not a Cinder concern."},{"line_number":27,"context_line":""},{"line_number":28,"context_line":".. 
list-table:: The Five Personas"},{"line_number":29,"context_line":"   :header-rows: 1"}],"source_content_type":"text/x-rst","patch_set":6,"id":"53b11402_b0eff7bc","line":26,"range":{"start_line":24,"start_character":2,"end_line":26,"end_character":41},"updated":"2020-12-09 15:43:35.000000000","message":"+1\n\nThanks for calling this out explicitly. If it helps, you can link to the operator documentation in keystone that describes each type of role assignment, how to create them, and what they mean [0].\n\n[0] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html","commit_id":"96e4187682a085a42c875235fa7440ce3c005642"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c2b78fe6ac9fc1c2f4eeb393fb0ea6b68995a361","unresolved":true,"context_lines":[{"line_number":21,"context_line":"is, Cinder and all its services), and a \"project\" refers to a container or"},{"line_number":22,"context_line":"namespace for resources."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"* In order to consume resources, a user must be assigned to a project by"},{"line_number":25,"context_line":"  being given a role (for example, \u0027member\u0027) in that project.  That\u0027s done"},{"line_number":26,"context_line":"  in Keystone; it\u0027s not a Cinder concern."},{"line_number":27,"context_line":""},{"line_number":28,"context_line":".. 
list-table:: The Five Personas"},{"line_number":29,"context_line":"   :header-rows: 1"}],"source_content_type":"text/x-rst","patch_set":6,"id":"ba2197a8_e9319fa3","line":26,"range":{"start_line":24,"start_character":2,"end_line":26,"end_character":41},"in_reply_to":"53b11402_b0eff7bc","updated":"2020-12-10 16:52:15.000000000","message":"Good idea, will add the reference.","commit_id":"96e4187682a085a42c875235fa7440ce3c005642"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"811083b52ce2e70190c6b66aaae4c378780696e1","unresolved":true,"context_lines":[{"line_number":32,"context_line":"     - what"},{"line_number":33,"context_line":"     - Keystone technical info"},{"line_number":34,"context_line":"   * - project-reader"},{"line_number":35,"context_line":"     - Has read only access to the API (cannot create, update, or delete)"},{"line_number":36,"context_line":"     - ``reader`` role with ``project`` scope"},{"line_number":37,"context_line":"   * - project-member"},{"line_number":38,"context_line":"     - A normal user in a project."}],"source_content_type":"text/x-rst","patch_set":6,"id":"29e50f2b_22ed237b","line":35,"range":{"start_line":35,"start_character":7,"end_line":35,"end_character":73},"updated":"2020-12-09 15:43:35.000000000","message":"(nit) I think this table provides a nice overview, but I\u0027m wondering if we should include scope in the \u0027what\u0027 portion. My concern is that someone unfamiliar with the scopes might wonder what the difference is between system-reader and project-reader. 
For example:\n\n\"Has read-only API access to project-specific resources (cannot create, update, or delete project-specific resources)\"","commit_id":"96e4187682a085a42c875235fa7440ce3c005642"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c2b78fe6ac9fc1c2f4eeb393fb0ea6b68995a361","unresolved":true,"context_lines":[{"line_number":32,"context_line":"     - what"},{"line_number":33,"context_line":"     - Keystone technical info"},{"line_number":34,"context_line":"   * - project-reader"},{"line_number":35,"context_line":"     - Has read only access to the API (cannot create, update, or delete)"},{"line_number":36,"context_line":"     - ``reader`` role with ``project`` scope"},{"line_number":37,"context_line":"   * - project-member"},{"line_number":38,"context_line":"     - A normal user in a project."}],"source_content_type":"text/x-rst","patch_set":6,"id":"2f2c7816_c77ecf28","line":35,"range":{"start_line":35,"start_character":7,"end_line":35,"end_character":73},"in_reply_to":"29e50f2b_22ed237b","updated":"2020-12-10 16:52:15.000000000","message":"Good suggestion, I will clarify.","commit_id":"96e4187682a085a42c875235fa7440ce3c005642"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"811083b52ce2e70190c6b66aaae4c378780696e1","unresolved":true,"context_lines":[{"line_number":50,"context_line":"       \"administrator only\" functions"},{"line_number":51,"context_line":"     - ``reader`` role with ``system`` scope"},{"line_number":52,"context_line":"   * - system-admin"},{"line_number":53,"context_line":"     - A Cinder super-user (can do everything!)"},{"line_number":54,"context_line":"     - ``admin`` role with ``system`` scope"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":".. 
note::"},{"line_number":57,"context_line":"   The Keystone project provides the ability to describe additional personas,"}],"source_content_type":"text/x-rst","patch_set":6,"id":"c68d167a_e89647ad","line":54,"range":{"start_line":53,"start_character":0,"end_line":54,"end_character":43},"updated":"2020-12-09 15:43:35.000000000","message":"Would it help to describe these with hypothetical people? For example:\n\nA system-admin is an operator or deployer with the highest level of authorization on the system. They\u0027re allowed to perform nearly any action in Cinder.","commit_id":"96e4187682a085a42c875235fa7440ce3c005642"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c2b78fe6ac9fc1c2f4eeb393fb0ea6b68995a361","unresolved":true,"context_lines":[{"line_number":50,"context_line":"       \"administrator only\" functions"},{"line_number":51,"context_line":"     - ``reader`` role with ``system`` scope"},{"line_number":52,"context_line":"   * - system-admin"},{"line_number":53,"context_line":"     - A Cinder super-user (can do everything!)"},{"line_number":54,"context_line":"     - ``admin`` role with ``system`` scope"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":".. 
note::"},{"line_number":57,"context_line":"   The Keystone project provides the ability to describe additional personas,"}],"source_content_type":"text/x-rst","patch_set":6,"id":"c55e9da2_468390de","line":54,"range":{"start_line":53,"start_character":0,"end_line":54,"end_character":43},"in_reply_to":"c68d167a_e89647ad","updated":"2020-12-10 16:52:15.000000000","message":"Rewrote this for the next patch set.","commit_id":"96e4187682a085a42c875235fa7440ce3c005642"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"811083b52ce2e70190c6b66aaae4c378780696e1","unresolved":true,"context_lines":[{"line_number":74,"context_line":"   **Privacy Expectations**"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"   Cinder\u0027s model of resources (volumes, backups, snapshots, etc.) is that they"},{"line_number":77,"context_line":"   are owned by the *project*.  Thus, they are shared by all users in that"},{"line_number":78,"context_line":"   project, no matter what persona that user has been assigned.  
For example,"},{"line_number":79,"context_line":"   if Alice and Bob are in Project P, and Alice has persona project-member"},{"line_number":80,"context_line":"   while Bob has persona project-reader, if Alice creates volume V in Project"},{"line_number":81,"context_line":"   P, Bob can see volume V in the volume-list response, and Bob can read all"}],"source_content_type":"text/x-rst","patch_set":6,"id":"4be407a2_913eb6ef","line":78,"range":{"start_line":77,"start_character":67,"end_line":78,"end_character":10},"updated":"2020-12-09 15:43:35.000000000","message":"(nit) who have a role assignment on that project","commit_id":"96e4187682a085a42c875235fa7440ce3c005642"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c2b78fe6ac9fc1c2f4eeb393fb0ea6b68995a361","unresolved":true,"context_lines":[{"line_number":74,"context_line":"   **Privacy Expectations**"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"   Cinder\u0027s model of resources (volumes, backups, snapshots, etc.) is that they"},{"line_number":77,"context_line":"   are owned by the *project*.  Thus, they are shared by all users in that"},{"line_number":78,"context_line":"   project, no matter what persona that user has been assigned.  
For example,"},{"line_number":79,"context_line":"   if Alice and Bob are in Project P, and Alice has persona project-member"},{"line_number":80,"context_line":"   while Bob has persona project-reader, if Alice creates volume V in Project"},{"line_number":81,"context_line":"   P, Bob can see volume V in the volume-list response, and Bob can read all"}],"source_content_type":"text/x-rst","patch_set":6,"id":"40a2eb1b_59d5ba8b","line":78,"range":{"start_line":77,"start_character":67,"end_line":78,"end_character":10},"in_reply_to":"4be407a2_913eb6ef","updated":"2020-12-10 16:52:15.000000000","message":"It\u0027s worth being completely accurate, I\u0027ll make the change.  Thanks!","commit_id":"96e4187682a085a42c875235fa7440ce3c005642"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"811083b52ce2e70190c6b66aaae4c378780696e1","unresolved":true,"context_lines":[{"line_number":76,"context_line":"   Cinder\u0027s model of resources (volumes, backups, snapshots, etc.) is that they"},{"line_number":77,"context_line":"   are owned by the *project*.  Thus, they are shared by all users in that"},{"line_number":78,"context_line":"   project, no matter what persona that user has been assigned.  For example,"},{"line_number":79,"context_line":"   if Alice and Bob are in Project P, and Alice has persona project-member"},{"line_number":80,"context_line":"   while Bob has persona project-reader, if Alice creates volume V in Project"},{"line_number":81,"context_line":"   P, Bob can see volume V in the volume-list response, and Bob can read all"},{"line_number":82,"context_line":"   the volume metadata on volume V.  The key point here is that even though"},{"line_number":83,"context_line":"   Alice created volume V, *it\u0027s not her volume*.  
The volume is \"owned\" by"},{"line_number":84,"context_line":"   Project P and is available to all users contained in that project; what a"},{"line_number":85,"context_line":"   user can do with volume V depends on whether that user has an admin, member,"},{"line_number":86,"context_line":"   or reader role."},{"line_number":87,"context_line":""},{"line_number":88,"context_line":"   With respect to Project P, the personas with system scope (system-admin and"},{"line_number":89,"context_line":"   system-reader) have access to the project in the sense that a cinder"}],"source_content_type":"text/x-rst","patch_set":6,"id":"f4362f4e_68b503ff","line":86,"range":{"start_line":79,"start_character":1,"end_line":86,"end_character":18},"updated":"2020-12-09 15:43:35.000000000","message":"+2\n\nThanks for calling this out :)","commit_id":"96e4187682a085a42c875235fa7440ce3c005642"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"811083b52ce2e70190c6b66aaae4c378780696e1","unresolved":true,"context_lines":[{"line_number":97,"context_line":""},{"line_number":98,"context_line":".. _cinder-permissions-matrix:"},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"Cinder Permissions Matrix"},{"line_number":101,"context_line":"-------------------------"},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"Now that you know who the personas are, here\u0027s what they can do with respect"},{"line_number":104,"context_line":"to the policies that are recognized by Cinder."}],"source_content_type":"text/x-rst","patch_set":6,"id":"663229da_a0054354","line":101,"range":{"start_line":100,"start_character":0,"end_line":101,"end_character":25},"updated":"2020-12-09 15:43:35.000000000","message":"Food for thought.\n\nMost of the information in the table below can be derived from DocumentedRuleDefaults that we have in each project. 
It would be cool to find a way to generate this table, and populate it like we do with sample policy and configuration files.\n\nAny new updates would automatically be reflected in documentation. But, maybe that\u0027s the opposite review flow you\u0027re looking for here (review and approve the docs before merging policy changes).","commit_id":"96e4187682a085a42c875235fa7440ce3c005642"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c2b78fe6ac9fc1c2f4eeb393fb0ea6b68995a361","unresolved":true,"context_lines":[{"line_number":97,"context_line":""},{"line_number":98,"context_line":".. _cinder-permissions-matrix:"},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"Cinder Permissions Matrix"},{"line_number":101,"context_line":"-------------------------"},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"Now that you know who the personas are, here\u0027s what they can do with respect"},{"line_number":104,"context_line":"to the policies that are recognized by Cinder."}],"source_content_type":"text/x-rst","patch_set":6,"id":"eddd220c_1dec246c","line":101,"range":{"start_line":100,"start_character":0,"end_line":101,"end_character":25},"in_reply_to":"663229da_a0054354","updated":"2020-12-10 16:52:15.000000000","message":"I\u0027m kind of mixed about this idea.  I want the workflow of matrix first then write policies to meet the matrix, and then write tests to validate policies against the matrix.\n\nThat said, it was a PITA to put this together, so a script to convert the policies in code into a table (or set of tables--I split it up so that we can eventually embed anchors and make easy references to particular sets of policies from elsewhere in the docs, though I\u0027m not sure the result is visually pleasing, as all the tables have different column widths now!) would be really helpful to get the process started.  
(And some projects may feel differently about the workflow, and be perfectly fine with making the DocumentedRuleDefaults primary.)","commit_id":"96e4187682a085a42c875235fa7440ce3c005642"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"811083b52ce2e70190c6b66aaae4c378780696e1","unresolved":true,"context_lines":[{"line_number":353,"context_line":"       | ``GET  /snapshots/detail``"},{"line_number":354,"context_line":"     - volume:get_all_snapshots"},{"line_number":355,"context_line":"     - rule:admin_or_owner"},{"line_number":356,"context_line":"     - yes"},{"line_number":357,"context_line":"     - yes"},{"line_number":358,"context_line":"     - yes"},{"line_number":359,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":6,"id":"8af1a925_9c952f5c","line":356,"range":{"start_line":356,"start_character":7,"end_line":356,"end_character":10},"updated":"2020-12-09 15:43:35.000000000","message":"This will only return all snapshots within the project, right?","commit_id":"96e4187682a085a42c875235fa7440ce3c005642"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c2b78fe6ac9fc1c2f4eeb393fb0ea6b68995a361","unresolved":true,"context_lines":[{"line_number":353,"context_line":"       | ``GET  /snapshots/detail``"},{"line_number":354,"context_line":"     - volume:get_all_snapshots"},{"line_number":355,"context_line":"     - rule:admin_or_owner"},{"line_number":356,"context_line":"     - yes"},{"line_number":357,"context_line":"     - yes"},{"line_number":358,"context_line":"     - yes"},{"line_number":359,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":6,"id":"86f2bb04_beeb5f7a","line":356,"range":{"start_line":356,"start_character":7,"end_line":356,"end_character":10},"in_reply_to":"8af1a925_9c952f5c","updated":"2020-12-10 
16:52:15.000000000","message":"Yes. The v3 URL structure is:\n\n  {endpoint-URL}/v3/{project_id}/snapshots\n\nwhich I\u0027ve always taken to mean that the snapshots are a sub-resource of the project container.  (Similar for volumes, backups, etc.)  It gets weird when you have something like volume-types, where the public ones are accessible to everyone in the system, but you can still tell a story about the response from\n\n  {endpoint-URL}/v3/{project_id}/types\n\ngiving all the volume-types accessible within that project.  It gets weird for some admin operations, though.  Also, a lot of service catalogs are configured so that the \"endpoint\" for the block storage API v3 is in its own service catalog object and is pre-loaded with v3 and the project_id.  In that sense, the paths specified here are misleading.  I imagine they were done like this so there wouldn\u0027t be v2/v3 duplication of basically the same path.  Now that we\u0027ll only have v3 in Wallaby, I wonder whether it\u0027s worth rewriting the paths in the DocumentedRuleDefaults to have the prefix \u0027/v3/{project_id}\u0027 where appropriate.","commit_id":"96e4187682a085a42c875235fa7440ce3c005642"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"811083b52ce2e70190c6b66aaae4c378780696e1","unresolved":true,"context_lines":[{"line_number":380,"context_line":"     - yes"},{"line_number":381,"context_line":"     - yes"},{"line_number":382,"context_line":"     - no"},{"line_number":383,"context_line":"     - yes"},{"line_number":384,"context_line":"     - yes"},{"line_number":385,"context_line":"     - yes"},{"line_number":386,"context_line":"   * - Show snapshot"}],"source_content_type":"text/x-rst","patch_set":6,"id":"1c9a5fef_fd7e400f","line":383,"range":{"start_line":383,"start_character":0,"end_line":383,"end_character":10},"updated":"2020-12-09 15:43:35.000000000","message":"Snapshots are associated to project based on 
an attribute of the request, right?\n\nThe system-admin context object will not have a project_id attribute, so the API will need to support another way of obtaining the project information if it\u0027s required for the API.","commit_id":"96e4187682a085a42c875235fa7440ce3c005642"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c2b78fe6ac9fc1c2f4eeb393fb0ea6b68995a361","unresolved":true,"context_lines":[{"line_number":380,"context_line":"     - yes"},{"line_number":381,"context_line":"     - yes"},{"line_number":382,"context_line":"     - no"},{"line_number":383,"context_line":"     - yes"},{"line_number":384,"context_line":"     - yes"},{"line_number":385,"context_line":"     - yes"},{"line_number":386,"context_line":"   * - Show snapshot"}],"source_content_type":"text/x-rst","patch_set":6,"id":"ce5d23f1_fac18629","line":383,"range":{"start_line":383,"start_character":0,"end_line":383,"end_character":10},"in_reply_to":"1c9a5fef_fd7e400f","updated":"2020-12-10 16:52:15.000000000","message":"Correct, it\u0027s in the path.  What I\u0027m thinking is that the Block Storage API URLs are designed to have a project_id in the URL (see my comment at line 356), so the info would come from there.","commit_id":"96e4187682a085a42c875235fa7440ce3c005642"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"8e16ea147926fccdf9bac62dc8a87b6e82e71751","unresolved":true,"context_lines":[{"line_number":61,"context_line":"       operator, deployer, or other highly trusted person will be"},{"line_number":62,"context_line":"       assigned this persona.  
This is a Cinder super-user who can do"},{"line_number":63,"context_line":"       *everything*, both with respect to the Cinder system and all"},{"line_number":64,"context_line":"       individual projects."},{"line_number":65,"context_line":"     - ``admin`` role with ``system`` scope"},{"line_number":66,"context_line":""},{"line_number":67,"context_line":".. note::"}],"source_content_type":"text/x-rst","patch_set":7,"id":"b1334b8f_956ef04c","line":64,"range":{"start_line":64,"start_character":18,"end_line":64,"end_character":26},"updated":"2021-01-08 10:50:11.000000000","message":"does the project here refer to \"projects created via keystone\" or we\u0027re talking about nova, neutron, glance etc?","commit_id":"70ffc4f7e01910455cb4fc0f4feaf01c8ea88afb"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"a485fca41d773da753ce48aeef42e7cc568dd9c0","unresolved":true,"context_lines":[{"line_number":61,"context_line":"       operator, deployer, or other highly trusted person will be"},{"line_number":62,"context_line":"       assigned this persona.  This is a Cinder super-user who can do"},{"line_number":63,"context_line":"       *everything*, both with respect to the Cinder system and all"},{"line_number":64,"context_line":"       individual projects."},{"line_number":65,"context_line":"     - ``admin`` role with ``system`` scope"},{"line_number":66,"context_line":""},{"line_number":67,"context_line":".. note::"}],"source_content_type":"text/x-rst","patch_set":7,"id":"a47630af_2990eb23","line":64,"range":{"start_line":64,"start_character":18,"end_line":64,"end_character":26},"in_reply_to":"b1334b8f_956ef04c","updated":"2021-01-14 20:57:36.000000000","message":"I meant this in the sense defined in lines 21-22 (projects created in keystone).  
I will copy the \"Vocabulary Note\" from the config HOWTO doc to the top of this file and that should make it completely clear.","commit_id":"70ffc4f7e01910455cb4fc0f4feaf01c8ea88afb"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"8e16ea147926fccdf9bac62dc8a87b6e82e71751","unresolved":true,"context_lines":[{"line_number":92,"context_line":"   For example, if Alice and Bob are in Project P, and Alice has persona"},{"line_number":93,"context_line":"   project-member while Bob has persona project-reader, if Alice creates volume"},{"line_number":94,"context_line":"   V in Project P, Bob can see volume V in the volume-list response, and Bob"},{"line_number":95,"context_line":"   can read all the volume metadata on volume V.  The key point here is that"},{"line_number":96,"context_line":"   even though Alice created volume V, *it\u0027s not her volume*.  The volume is"},{"line_number":97,"context_line":"   \"owned\" by Project P and is available to all users contained in that"},{"line_number":98,"context_line":"   project.  
What a user can do with volume V depends on whether that user has"}],"source_content_type":"text/x-rst","patch_set":7,"id":"0da2fff8_10f52946","line":95,"range":{"start_line":95,"start_character":20,"end_line":95,"end_character":35},"updated":"2021-01-08 10:50:11.000000000","message":"If we mean the volume attributes like id, size etc then True.\nIf we\u0027re talking about metadata then Bob can only read the metadata available to non-admins and needs to be a project-admin to access volume_admin_metadata.\nI think we are referring to the former here but just wanted to clarify this for my understanding.","commit_id":"70ffc4f7e01910455cb4fc0f4feaf01c8ea88afb"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"a485fca41d773da753ce48aeef42e7cc568dd9c0","unresolved":true,"context_lines":[{"line_number":92,"context_line":"   For example, if Alice and Bob are in Project P, and Alice has persona"},{"line_number":93,"context_line":"   project-member while Bob has persona project-reader, if Alice creates volume"},{"line_number":94,"context_line":"   V in Project P, Bob can see volume V in the volume-list response, and Bob"},{"line_number":95,"context_line":"   can read all the volume metadata on volume V.  The key point here is that"},{"line_number":96,"context_line":"   even though Alice created volume V, *it\u0027s not her volume*.  The volume is"},{"line_number":97,"context_line":"   \"owned\" by Project P and is available to all users contained in that"},{"line_number":98,"context_line":"   project.  
What a user can do with volume V depends on whether that user has"}],"source_content_type":"text/x-rst","patch_set":7,"id":"d32ef84f_ab2ac509","line":95,"range":{"start_line":95,"start_character":20,"end_line":95,"end_character":35},"in_reply_to":"0da2fff8_10f52946","updated":"2021-01-14 20:57:36.000000000","message":"Yes, you\u0027re right, we\u0027re talking about the \"regular\" volume metadata.  I\u0027ll rephrase to make this clear.\n\nA project-admin should NOT be able to access volume_admin_metadata, however.  Only someone with system scope should be able to see that. (We don\u0027t want an end user modifying, for example, the new format field that you\u0027re introducing on another patch).  Likewise, the admin metadata can contain backend details that shouldn\u0027t concern non-system-scope users.","commit_id":"70ffc4f7e01910455cb4fc0f4feaf01c8ea88afb"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"8e16ea147926fccdf9bac62dc8a87b6e82e71751","unresolved":true,"context_lines":[{"line_number":440,"context_line":"     - yes"},{"line_number":441,"context_line":"     - no"},{"line_number":442,"context_line":"     - yes"},{"line_number":443,"context_line":"   * - Update database fields of snapshot"},{"line_number":444,"context_line":"     - ``POST  /snapshots/{snapshot_id}/action`` (update_snapshot_status)"},{"line_number":445,"context_line":"     - snapshot_extension:snapshot_actions:update_snapshot_status"},{"line_number":446,"context_line":"     - empty"},{"line_number":447,"context_line":"     - no"},{"line_number":448,"context_line":"     - yes"},{"line_number":449,"context_line":"     - yes"},{"line_number":450,"context_line":"     - no"},{"line_number":451,"context_line":"     - yes"},{"line_number":452,"context_line":"     - yes"},{"line_number":453,"context_line":"     - yes"},{"line_number":454,"context_line":"   * - Force delete a 
snapshot"},{"line_number":455,"context_line":"     - ``POST  /snapshots/{snapshot_id}/action`` (os-force_delete)"},{"line_number":456,"context_line":"     - volume_extension:snapshot_admin_actions:force_delete"}],"source_content_type":"text/x-rst","patch_set":7,"id":"29833126_374e1d85","line":453,"range":{"start_line":443,"start_character":0,"end_line":453,"end_character":10},"updated":"2021-01-08 10:50:11.000000000","message":"This shares some of the functionalities with the reset-state operation.\nSince there is no CLI available for this and is only used by nova, it seems a much safer operation but still I\u0027ve some concerns if a non-admin calls this API[1] to exploit the volume status.\n\n[1] https://docs.openstack.org/api-ref/block-storage/v3/?expanded\u003dupdate-status-of-a-snapshot-detail#update-status-of-a-snapshot","commit_id":"70ffc4f7e01910455cb4fc0f4feaf01c8ea88afb"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"a485fca41d773da753ce48aeef42e7cc568dd9c0","unresolved":true,"context_lines":[{"line_number":440,"context_line":"     - yes"},{"line_number":441,"context_line":"     - no"},{"line_number":442,"context_line":"     - yes"},{"line_number":443,"context_line":"   * - Update database fields of snapshot"},{"line_number":444,"context_line":"     - ``POST  /snapshots/{snapshot_id}/action`` (update_snapshot_status)"},{"line_number":445,"context_line":"     - snapshot_extension:snapshot_actions:update_snapshot_status"},{"line_number":446,"context_line":"     - empty"},{"line_number":447,"context_line":"     - no"},{"line_number":448,"context_line":"     - yes"},{"line_number":449,"context_line":"     - yes"},{"line_number":450,"context_line":"     - no"},{"line_number":451,"context_line":"     - yes"},{"line_number":452,"context_line":"     - yes"},{"line_number":453,"context_line":"     - yes"},{"line_number":454,"context_line":"   * - Force delete a 
snapshot"},{"line_number":455,"context_line":"     - ``POST  /snapshots/{snapshot_id}/action`` (os-force_delete)"},{"line_number":456,"context_line":"     - volume_extension:snapshot_admin_actions:force_delete"}],"source_content_type":"text/x-rst","patch_set":7,"id":"5aac901d_9b4e2f73","line":453,"range":{"start_line":443,"start_character":0,"end_line":453,"end_character":10},"in_reply_to":"29833126_374e1d85","updated":"2021-01-14 20:57:36.000000000","message":"Thanks for flagging this.  You\u0027re right, I think it should be the same as the os-reset_status action.  I wonder what credentials nova uses to make the call -- we may need to leave this as \u0027yes\u0027 for project-member and project-admin if nova uses the user\u0027s token.  If so, this will have to be fixed later by nova passing along a service token, because, I agree, we don\u0027t want to have this available to non-system users.\n\nAlso, I need to change the description -- \"database fields\" breaks the abstraction here.","commit_id":"70ffc4f7e01910455cb4fc0f4feaf01c8ea88afb"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"8e16ea147926fccdf9bac62dc8a87b6e82e71751","unresolved":true,"context_lines":[{"line_number":867,"context_line":"     - system-admin"},{"line_number":868,"context_line":"     - (old \"owner\")"},{"line_number":869,"context_line":"     - (old \"admin\")"},{"line_number":870,"context_line":"   * - Reset status of group snapshot"},{"line_number":871,"context_line":"     - ``POST  /group_snapshots/{g_snapshot_id}/action`` (reset_status)"},{"line_number":872,"context_line":"     - group:reset_group_snapshot_status"},{"line_number":873,"context_line":"     - | rule:admin_or_owner"},{"line_number":874,"context_line":"       | (really? 
why not admin only?)"},{"line_number":875,"context_line":"     - no"},{"line_number":876,"context_line":"     - yes"},{"line_number":877,"context_line":"     - yes"},{"line_number":878,"context_line":"     - no"},{"line_number":879,"context_line":"     - yes"},{"line_number":880,"context_line":"     - yes"},{"line_number":881,"context_line":"     - yes"},{"line_number":882,"context_line":"   * - Delete group"},{"line_number":883,"context_line":"     - ``POST  /groups/{group_id}/action`` (delete)"},{"line_number":884,"context_line":"     - group:delete"}],"source_content_type":"text/x-rst","patch_set":7,"id":"0394f7d6_c9a4d6d3","line":881,"range":{"start_line":870,"start_character":0,"end_line":881,"end_character":10},"updated":"2021-01-08 10:50:11.000000000","message":"since this is corrected in master, we need to update this\n\n[1] https://review.opendev.org/c/openstack/cinder/+/767226","commit_id":"70ffc4f7e01910455cb4fc0f4feaf01c8ea88afb"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"a485fca41d773da753ce48aeef42e7cc568dd9c0","unresolved":false,"context_lines":[{"line_number":867,"context_line":"     - system-admin"},{"line_number":868,"context_line":"     - (old \"owner\")"},{"line_number":869,"context_line":"     - (old \"admin\")"},{"line_number":870,"context_line":"   * - Reset status of group snapshot"},{"line_number":871,"context_line":"     - ``POST  /group_snapshots/{g_snapshot_id}/action`` (reset_status)"},{"line_number":872,"context_line":"     - group:reset_group_snapshot_status"},{"line_number":873,"context_line":"     - | rule:admin_or_owner"},{"line_number":874,"context_line":"       | (really? 
why not admin only?)"},{"line_number":875,"context_line":"     - no"},{"line_number":876,"context_line":"     - yes"},{"line_number":877,"context_line":"     - yes"},{"line_number":878,"context_line":"     - no"},{"line_number":879,"context_line":"     - yes"},{"line_number":880,"context_line":"     - yes"},{"line_number":881,"context_line":"     - yes"},{"line_number":882,"context_line":"   * - Delete group"},{"line_number":883,"context_line":"     - ``POST  /groups/{group_id}/action`` (delete)"},{"line_number":884,"context_line":"     - group:delete"}],"source_content_type":"text/x-rst","patch_set":7,"id":"946bf736_8b6ccf8d","line":881,"range":{"start_line":870,"start_character":0,"end_line":881,"end_character":10},"in_reply_to":"0394f7d6_c9a4d6d3","updated":"2021-01-14 20:57:36.000000000","message":"Ack","commit_id":"70ffc4f7e01910455cb4fc0f4feaf01c8ea88afb"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"56c5dc1ceec6130bef20be46d0770005c1d8b495","unresolved":true,"context_lines":[{"line_number":17,"context_line":"We need to clarify some terms we\u0027ll be using below."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Project"},{"line_number":20,"context_line":"    This is an administrative grouping of users into a unit that can own"},{"line_number":21,"context_line":"    cloud resources.  
(This is what used to be called a \"tenant\", but you"},{"line_number":22,"context_line":"    should never call it that.)"},{"line_number":23,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"80842e8e_9c43778b","line":20,"range":{"start_line":20,"start_character":15,"end_line":20,"end_character":29},"updated":"2021-01-26 19:34:58.000000000","message":"Can you define what you mean by administrative?\n\nIn keystone, we just refer to projects as a container of resources (e.g., volumes, instances, images, networks, etc.)","commit_id":"0e3ca4670515c291aabb2927c837dc8c584af4a7"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"1e29fca78b367e0e7385b10a56c575bef9cf77c7","unresolved":true,"context_lines":[{"line_number":17,"context_line":"We need to clarify some terms we\u0027ll be using below."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Project"},{"line_number":20,"context_line":"    This is an administrative grouping of users into a unit that can own"},{"line_number":21,"context_line":"    cloud resources.  (This is what used to be called a \"tenant\", but you"},{"line_number":22,"context_line":"    should never call it that.)"},{"line_number":23,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"bd8adab5_7f27ede1","line":20,"range":{"start_line":20,"start_character":15,"end_line":20,"end_character":29},"in_reply_to":"80842e8e_9c43778b","updated":"2021-01-28 23:04:01.000000000","message":"I meant \"for management purposes\", but you\u0027re right, it could be confusing to readers given that we\u0027ll be talking about system administration below.  I want to keep the focus on users, though, since we\u0027re using \u0027project\u0027 to explicate the personas below.  
(I\u0027m trying to avoid \u0027container\u0027 because everyone immediately thinks of k8s these days.)","commit_id":"0e3ca4670515c291aabb2927c837dc8c584af4a7"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e2bb85b4e548add43338dfc93589eb02521299d7","unresolved":true,"context_lines":[{"line_number":17,"context_line":"We need to clarify some terms we\u0027ll be using below."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Project"},{"line_number":20,"context_line":"    This is an administrative grouping of users into a unit that can own"},{"line_number":21,"context_line":"    cloud resources.  (This is what used to be called a \"tenant\", but you"},{"line_number":22,"context_line":"    should never call it that.)"},{"line_number":23,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"1f0ce633_577edce3","line":20,"range":{"start_line":20,"start_character":15,"end_line":20,"end_character":29},"in_reply_to":"bd8adab5_7f27ede1","updated":"2021-02-01 19:51:16.000000000","message":"Yeah - container isn\u0027t exactly a great choice either.\n\nWhat if we just omit administrative and container? The \"grouping\" bit here might be just fine on its own?","commit_id":"0e3ca4670515c291aabb2927c837dc8c584af4a7"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"56c5dc1ceec6130bef20be46d0770005c1d8b495","unresolved":true,"context_lines":[{"line_number":43,"context_line":""},{"line_number":44,"context_line":"This is easiest to explain if we introduce the five \"personas\" Cinder"},{"line_number":45,"context_line":"recognizes.  
In the list below, a \"system\" refers to the deployed system (that"},{"line_number":46,"context_line":"is, Cinder and all its services), and a \"project\" refers to a container or"},{"line_number":47,"context_line":"namespace for resources."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"* In order to consume resources, a user must be assigned to a project by"}],"source_content_type":"text/x-rst","patch_set":8,"id":"bc85432c_7638a67f","line":46,"updated":"2021-01-26 19:34:58.000000000","message":"+1","commit_id":"0e3ca4670515c291aabb2927c837dc8c584af4a7"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"56c5dc1ceec6130bef20be46d0770005c1d8b495","unresolved":true,"context_lines":[{"line_number":64,"context_line":"     - Has access to the API for read-only requests that affect only"},{"line_number":65,"context_line":"       project-specific resources (that is, cannot create, update, or"},{"line_number":66,"context_line":"       delete resources within a project)"},{"line_number":67,"context_line":"     - ``reader`` role with ``project`` scope"},{"line_number":68,"context_line":"   * - project-member"},{"line_number":69,"context_line":"     - A normal user in a project."},{"line_number":70,"context_line":"     - ``member`` role with ``project`` scope"}],"source_content_type":"text/x-rst","patch_set":8,"id":"66b1510a_85746bf0","line":67,"range":{"start_line":67,"start_character":8,"end_line":67,"end_character":45},"updated":"2021-01-26 19:34:58.000000000","message":"nit: Do you think people are going to interpret this as setting a \"scope\" on a role?\n\nWe could do something like:\n\n  - ``reader`` role on a ``project``, resulting in project-scope\n\nSame applies below if you think it\u0027s valid.","commit_id":"0e3ca4670515c291aabb2927c837dc8c584af4a7"},{"author":{"_account_id":5314,"name":"Brian 
Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"1e29fca78b367e0e7385b10a56c575bef9cf77c7","unresolved":true,"context_lines":[{"line_number":64,"context_line":"     - Has access to the API for read-only requests that affect only"},{"line_number":65,"context_line":"       project-specific resources (that is, cannot create, update, or"},{"line_number":66,"context_line":"       delete resources within a project)"},{"line_number":67,"context_line":"     - ``reader`` role with ``project`` scope"},{"line_number":68,"context_line":"   * - project-member"},{"line_number":69,"context_line":"     - A normal user in a project."},{"line_number":70,"context_line":"     - ``member`` role with ``project`` scope"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7961127b_4e7bebaa","line":67,"range":{"start_line":67,"start_character":8,"end_line":67,"end_character":45},"in_reply_to":"66b1510a_85746bf0","updated":"2021-01-28 23:04:01.000000000","message":"I\u0027ll revise.  
You are correct that it could be mis-interpreted.","commit_id":"0e3ca4670515c291aabb2927c837dc8c584af4a7"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"56c5dc1ceec6130bef20be46d0770005c1d8b495","unresolved":true,"context_lines":[{"line_number":78,"context_line":"     - ``admin`` role with ``project`` scope"},{"line_number":79,"context_line":"   * - system-reader"},{"line_number":80,"context_line":"     - Has read only access to the full API, including the traditionally"},{"line_number":81,"context_line":"       \"administrator only\" functions"},{"line_number":82,"context_line":"     - ``reader`` role with ``system`` scope"},{"line_number":83,"context_line":"   * - system-admin"},{"line_number":84,"context_line":"     - Has the highest level of authorization on the system and can"}],"source_content_type":"text/x-rst","patch_set":8,"id":"2600b346_b8ae2de9","line":81,"updated":"2021-01-26 19:34:58.000000000","message":"nit: This user isn\u0027t allowed to view sensitive information (if applicable).","commit_id":"0e3ca4670515c291aabb2927c837dc8c584af4a7"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"1e29fca78b367e0e7385b10a56c575bef9cf77c7","unresolved":true,"context_lines":[{"line_number":78,"context_line":"     - ``admin`` role with ``project`` scope"},{"line_number":79,"context_line":"   * - system-reader"},{"line_number":80,"context_line":"     - Has read only access to the full API, including the traditionally"},{"line_number":81,"context_line":"       \"administrator only\" functions"},{"line_number":82,"context_line":"     - ``reader`` role with ``system`` scope"},{"line_number":83,"context_line":"   * - system-admin"},{"line_number":84,"context_line":"     - Has the highest level of authorization on the system and 
can"}],"source_content_type":"text/x-rst","patch_set":8,"id":"2f01dfea_31dcbcbc","line":81,"in_reply_to":"2600b346_b8ae2de9","updated":"2021-01-28 23:04:01.000000000","message":"That\u0027s more than a nit.  We need to define \"sensitive information\" here as well.","commit_id":"0e3ca4670515c291aabb2927c837dc8c584af4a7"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"56c5dc1ceec6130bef20be46d0770005c1d8b495","unresolved":true,"context_lines":[{"line_number":120,"context_line":"   can read all the volume metadata on volume V that Alice can read--even"},{"line_number":121,"context_line":"   volume metadata that Alice may have added to the volume.  The key point here"},{"line_number":122,"context_line":"   is that even though Alice created volume V, *it\u0027s not her volume*.  The"},{"line_number":123,"context_line":"   volume is \"owned\" by Project P and is available to all users contained in"},{"line_number":124,"context_line":"   that project.  What a user can do with volume V depends on whether that user"},{"line_number":125,"context_line":"   has an admin, member, or reader role in project P."},{"line_number":126,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"93ec7577_ea41b52f","line":123,"range":{"start_line":123,"start_character":64,"end_line":123,"end_character":73},"updated":"2021-01-26 19:34:58.000000000","message":"nit: all users who have authorization on that project via role assignments in keystone.\n\nI tried to avoid phrasing that makes user-to-project relationships appear one-to-one. 
Or that one contains another.","commit_id":"0e3ca4670515c291aabb2927c837dc8c584af4a7"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"1e29fca78b367e0e7385b10a56c575bef9cf77c7","unresolved":true,"context_lines":[{"line_number":120,"context_line":"   can read all the volume metadata on volume V that Alice can read--even"},{"line_number":121,"context_line":"   volume metadata that Alice may have added to the volume.  The key point here"},{"line_number":122,"context_line":"   is that even though Alice created volume V, *it\u0027s not her volume*.  The"},{"line_number":123,"context_line":"   volume is \"owned\" by Project P and is available to all users contained in"},{"line_number":124,"context_line":"   that project.  What a user can do with volume V depends on whether that user"},{"line_number":125,"context_line":"   has an admin, member, or reader role in project P."},{"line_number":126,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"6a1a4e58_375626c2","line":123,"range":{"start_line":123,"start_character":64,"end_line":123,"end_character":73},"in_reply_to":"93ec7577_ea41b52f","updated":"2021-01-28 23:04:01.000000000","message":"good point, I will adopt your phrasing.","commit_id":"0e3ca4670515c291aabb2927c837dc8c584af4a7"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"1e29fca78b367e0e7385b10a56c575bef9cf77c7","unresolved":true,"context_lines":[{"line_number":1084,"context_line":"     - yes"},{"line_number":1085,"context_line":"   * - Update qos specs (including updating association)"},{"line_number":1086,"context_line":"     - | ``PUT  /qos-specs/{qos_id}``"},{"line_number":1087,"context_line":"       | ``GET  /qos-specs/{qos_id}/disassociate_all``"},{"line_number":1088,"context_line":"       | ``GET  
/qos-specs/{qos_id}/associate``"},{"line_number":1089,"context_line":"       | ``GET  /qos-specs/{qos_id}/disassociate``"},{"line_number":1090,"context_line":"     - volume_extension:qos_specs_manage:update"}],"source_content_type":"text/x-rst","patch_set":8,"id":"86f127db_1ba2b891","line":1087,"updated":"2021-01-28 23:04:01.000000000","message":"(should probably add a note that these 3 GETs are really updates)","commit_id":"0e3ca4670515c291aabb2927c837dc8c584af4a7"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"1e29fca78b367e0e7385b10a56c575bef9cf77c7","unresolved":true,"context_lines":[{"line_number":1085,"context_line":"   * - Update qos specs (including updating association)"},{"line_number":1086,"context_line":"     - | ``PUT  /qos-specs/{qos_id}``"},{"line_number":1087,"context_line":"       | ``GET  /qos-specs/{qos_id}/disassociate_all``"},{"line_number":1088,"context_line":"       | ``GET  /qos-specs/{qos_id}/associate``"},{"line_number":1089,"context_line":"       | ``GET  /qos-specs/{qos_id}/disassociate``"},{"line_number":1090,"context_line":"     - volume_extension:qos_specs_manage:update"},{"line_number":1091,"context_line":"     - rule:admin_api"}],"source_content_type":"text/x-rst","patch_set":8,"id":"06c5ff0d_67bd3837","line":1088,"range":{"start_line":1088,"start_character":36,"end_line":1088,"end_character":45},"updated":"2021-01-28 23:04:01.000000000","message":"associate?vol_type_id\u003d{volume_type_id}","commit_id":"0e3ca4670515c291aabb2927c837dc8c584af4a7"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"1e29fca78b367e0e7385b10a56c575bef9cf77c7","unresolved":true,"context_lines":[{"line_number":1086,"context_line":"     - | ``PUT  /qos-specs/{qos_id}``"},{"line_number":1087,"context_line":"       | ``GET  
/qos-specs/{qos_id}/disassociate_all``"},{"line_number":1088,"context_line":"       | ``GET  /qos-specs/{qos_id}/associate``"},{"line_number":1089,"context_line":"       | ``GET  /qos-specs/{qos_id}/disassociate``"},{"line_number":1090,"context_line":"     - volume_extension:qos_specs_manage:update"},{"line_number":1091,"context_line":"     - rule:admin_api"},{"line_number":1092,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":8,"id":"873de0a9_93859966","line":1089,"range":{"start_line":1089,"start_character":36,"end_line":1089,"end_character":48},"updated":"2021-01-28 23:04:01.000000000","message":"disassociate?vol_type_id\u003d{volume_type_id}","commit_id":"0e3ca4670515c291aabb2927c837dc8c584af4a7"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"1e29fca78b367e0e7385b10a56c575bef9cf77c7","unresolved":true,"context_lines":[{"line_number":1433,"context_line":"   * - Create, update and delete volume type"},{"line_number":1434,"context_line":"     - | ``POST  /types``"},{"line_number":1435,"context_line":"       | ``PUT  /types``"},{"line_number":1436,"context_line":"       | ``DELETE  /types``"},{"line_number":1437,"context_line":"     - volume_extension:types_manage"},{"line_number":1438,"context_line":"     - rule:admin_api"},{"line_number":1439,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7cdf6811_c58c9340","line":1436,"updated":"2021-01-28 23:04:01.000000000","message":"I just noticed that most calls have different policies for (A) create/update and (B) delete.  Keeping them together like this is OK for the default personas, but makes it impossible to define a \"creator\" (can create/update but not delete).  So maybe we should split these up?  
(I think this is the only policy like this, so we should probably split them up for consistency.)","commit_id":"0e3ca4670515c291aabb2927c837dc8c584af4a7"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"1e29fca78b367e0e7385b10a56c575bef9cf77c7","unresolved":true,"context_lines":[{"line_number":1978,"context_line":"       | Volume\u0027s image metadata related operation, create, delete, show and"},{"line_number":1979,"context_line":"         list"},{"line_number":1980,"context_line":"     - | (NOTE: need new policies to split GET and POST)"},{"line_number":1981,"context_line":"       | ``GET  /volumes/detail``"},{"line_number":1982,"context_line":"       | ``GET  /volumes/{volume_id}``"},{"line_number":1983,"context_line":"       | ``POST  /volumes/{volume_id}/action`` (os-set_image_metadata)"},{"line_number":1984,"context_line":"       | ``POST  /volumes/{volume_id}/action`` (os-unset_image_metadata)"},{"line_number":1985,"context_line":"     - volume_extension:volume_image_metadata"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a296f4c_4bcb3e09","line":1982,"range":{"start_line":1981,"start_character":0,"end_line":1982,"end_character":38},"updated":"2021-01-28 23:04:01.000000000","message":"this is one of those where this policy governs whether image metadata will be included in the response, but the calls are governed by different policies (volume:get_all and volume:get)","commit_id":"0e3ca4670515c291aabb2927c837dc8c584af4a7"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"1e29fca78b367e0e7385b10a56c575bef9cf77c7","unresolved":true,"context_lines":[{"line_number":1981,"context_line":"       | ``GET  /volumes/detail``"},{"line_number":1982,"context_line":"       | ``GET  /volumes/{volume_id}``"},{"line_number":1983,"context_line":"       | ``POST  
/volumes/{volume_id}/action`` (os-set_image_metadata)"},{"line_number":1984,"context_line":"       | ``POST  /volumes/{volume_id}/action`` (os-unset_image_metadata)"},{"line_number":1985,"context_line":"     - volume_extension:volume_image_metadata"},{"line_number":1986,"context_line":"     - rule:admin_or_owner"},{"line_number":1987,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":8,"id":"4096f939_3ef941fe","line":1984,"range":{"start_line":1984,"start_character":48,"end_line":1984,"end_character":71},"updated":"2021-01-28 23:04:01.000000000","message":"this is an update that can delete, but I don\u0027t know if we want to get that fine-grained.  It deletes an attribute, not the resource, so maybe it\u0027s more of an update than a delete?","commit_id":"0e3ca4670515c291aabb2927c837dc8c584af4a7"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"1e29fca78b367e0e7385b10a56c575bef9cf77c7","unresolved":true,"context_lines":[{"line_number":2159,"context_line":"     - yes"},{"line_number":2160,"context_line":"     - yes"},{"line_number":2161,"context_line":"   * - Force Delete a volume"},{"line_number":2162,"context_line":"     - ``DELETE  /volumes/{volume_id}``"},{"line_number":2163,"context_line":"     - volume:force_delete"},{"line_number":2164,"context_line":"     - rule:admin_api"},{"line_number":2165,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":8,"id":"ca102614_0e747b3a","line":2162,"updated":"2021-01-28 23:04:01.000000000","message":"add: with \u0027force\u003dtrue\u0027 in the query string\nnote: there\u0027s a different policy that governs the volume os-force_delete action (volume_extension:volume_admin_actions:force_delete)","commit_id":"0e3ca4670515c291aabb2927c837dc8c584af4a7"},{"author":{"_account_id":27615,"name":"Rajat 
Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"6d891b4c8b2fa4d017e39ea52b0c77b1f5bc649a","unresolved":true,"context_lines":[{"line_number":299,"context_line":"     - no"},{"line_number":300,"context_line":"     - no"},{"line_number":301,"context_line":"     - no"},{"line_number":302,"context_line":"     - yes"},{"line_number":303,"context_line":"     - yes"},{"line_number":304,"context_line":"     - no"},{"line_number":305,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":9,"id":"644c5ba4_916c30f9","line":302,"range":{"start_line":302,"start_character":7,"end_line":302,"end_character":10},"updated":"2021-02-17 13:46:02.000000000","message":"I\u0027m not sure what info a system reader could see or not see was decided but i thought this shouldn\u0027t be accessible to the reader role. (also same question for similar admin only APIs)\nCorrect me if my understanding is wrong.","commit_id":"5af533e05e6c2f6c6e557a9317dd1d942206c9a6"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"221956670fa7e89f882ce30fa31fd6a484074e96","unresolved":true,"context_lines":[{"line_number":299,"context_line":"     - no"},{"line_number":300,"context_line":"     - no"},{"line_number":301,"context_line":"     - no"},{"line_number":302,"context_line":"     - yes"},{"line_number":303,"context_line":"     - yes"},{"line_number":304,"context_line":"     - no"},{"line_number":305,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":9,"id":"a4a33ec4_e374de45","line":302,"range":{"start_line":302,"start_character":7,"end_line":302,"end_character":10},"in_reply_to":"644c5ba4_916c30f9","updated":"2021-02-17 22:42:51.000000000","message":"I think you\u0027re right.  
The system-reader will only be able to see \"regular\" fields on responses (for example, in the volume-show response) and will *not* be able to make any of the traditional \"admin API\" calls.\n\nI will have to revise this again!","commit_id":"5af533e05e6c2f6c6e557a9317dd1d942206c9a6"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"fac4afe0f6354d38566c0e8be627d41a938ba5d6","unresolved":true,"context_lines":[{"line_number":469,"context_line":"     - yes"},{"line_number":470,"context_line":"     - no"},{"line_number":471,"context_line":"     - yes"},{"line_number":472,"context_line":"   * - | **NEEDS REVIEW**"},{"line_number":473,"context_line":"       | Update status (and optionally progress) of snapshot"},{"line_number":474,"context_line":"     - ``POST  /snapshots/{snapshot_id}/action`` (os-update_snapshot_status)"},{"line_number":475,"context_line":"     - snapshot_extension:snapshot_actions:update_snapshot_status"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3250dc1f_136164de","line":472,"range":{"start_line":472,"start_character":11,"end_line":472,"end_character":23},"updated":"2021-02-17 13:28:53.000000000","message":"The review needed is that this policy is currently unrestricted.","commit_id":"5af533e05e6c2f6c6e557a9317dd1d942206c9a6"},{"author":{"_account_id":20813,"name":"Sofia Enriquez","email":"lsofia.enriquez@gmail.com","username":"enriquetaso"},"change_message_id":"27116dca85de820f65fdd798451a2998c106dd18","unresolved":true,"context_lines":[{"line_number":472,"context_line":"     - yes"},{"line_number":473,"context_line":"     - no"},{"line_number":474,"context_line":"     - yes"},{"line_number":475,"context_line":"   * - | **NEEDS REVIEW**"},{"line_number":476,"context_line":"       | Update status (and optionally progress) of snapshot"},{"line_number":477,"context_line":"     - ``POST  /snapshots/{snapshot_id}/action`` 
(os-update_snapshot_status)"},{"line_number":478,"context_line":"     - snapshot_extension:snapshot_actions:update_snapshot_status"}],"source_content_type":"text/x-rst","patch_set":10,"id":"ae657e35_7debd261","line":475,"range":{"start_line":475,"start_character":2,"end_line":475,"end_character":1},"updated":"2021-02-25 18:52:07.000000000","message":"As far as I understood and double checking the  Secure RBAC Open Office Hours docs this is correct.","commit_id":"e3689b5df0323792dcfd49e965f5129befd29a53"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"af8591721f21f77ed9c199b1fbb5fcb99d9f0015","unresolved":true,"context_lines":[{"line_number":770,"context_line":"     - | ``POST /group_types/``"},{"line_number":771,"context_line":"       | ``PUT /group_types/{group_type_id}``"},{"line_number":772,"context_line":"       | ``DELETE /group_types/{group_type_id}``"},{"line_number":773,"context_line":"     - group:group_types_manage"},{"line_number":774,"context_line":"     - rule:admin_api"},{"line_number":775,"context_line":"     - no"},{"line_number":776,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":10,"id":"80b6cd62_ef223a4f","line":773,"range":{"start_line":773,"start_character":7,"end_line":773,"end_character":31},"updated":"2021-04-22 20:43:18.000000000","message":"This should be split into separate create,update,delete policies","commit_id":"e3689b5df0323792dcfd49e965f5129befd29a53"},{"author":{"_account_id":20813,"name":"Sofia Enriquez","email":"lsofia.enriquez@gmail.com","username":"enriquetaso"},"change_message_id":"27116dca85de820f65fdd798451a2998c106dd18","unresolved":true,"context_lines":[{"line_number":2335,"context_line":"     - yes"},{"line_number":2336,"context_line":"     - yes"},{"line_number":2337,"context_line":""},{"line_number":2338,"context_line":".. 
list-table:: Default Volume Types (Microversion 3.62)"},{"line_number":2339,"context_line":"   :header-rows: 1"},{"line_number":2340,"context_line":""},{"line_number":2341,"context_line":"   * - functionality"}],"source_content_type":"text/x-rst","patch_set":10,"id":"6dfb1c40_5d874c97","line":2338,"updated":"2021-02-25 18:52:07.000000000","message":"I\u0027m not 100% sure so I\u0027ll wait to see what are the team\u0027s comments.","commit_id":"e3689b5df0323792dcfd49e965f5129befd29a53"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"74836f4fcf13ac42e02b7b9c46a3f66da3a28e8d","unresolved":true,"context_lines":[{"line_number":1955,"context_line":"   * - List volume transfer"},{"line_number":1956,"context_line":"     - | ``GET  /os-volume-transfer``"},{"line_number":1957,"context_line":"       | ``GET  /os-volume-transfer/detail``"},{"line_number":1958,"context_line":"       | ``GET  /volume_transfers``"},{"line_number":1959,"context_line":"       | ``GET  /volume-transfers/detail``"},{"line_number":1960,"context_line":"     - volume:get_all_transfers"},{"line_number":1961,"context_line":"     - rule:admin_or_owner"}],"source_content_type":"text/x-rst","patch_set":11,"id":"4a5b3ac2_df70237e","line":1958,"range":{"start_line":1958,"start_character":23,"end_line":1958,"end_character":24},"updated":"2021-05-05 13:38:53.000000000","message":"this should be a hyphen","commit_id":"785cfb66a29b0cfdf3a91589bba85a204c0071a0"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"74836f4fcf13ac42e02b7b9c46a3f66da3a28e8d","unresolved":true,"context_lines":[{"line_number":1968,"context_line":"     - yes"},{"line_number":1969,"context_line":"   * - Create a volume transfer"},{"line_number":1970,"context_line":"     - | ``POST  /os-volume-transfer``"},{"line_number":1971,"context_line":"       | ``POST  
/volume_transfers``"},{"line_number":1972,"context_line":"     - volume:create_transfer"},{"line_number":1973,"context_line":"     - rule:admin_or_owner"},{"line_number":1974,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":11,"id":"cd99e3e6_3e4c3409","line":1971,"range":{"start_line":1971,"start_character":24,"end_line":1971,"end_character":25},"updated":"2021-05-05 13:38:53.000000000","message":"this should be a hyphen","commit_id":"785cfb66a29b0cfdf3a91589bba85a204c0071a0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"7b2129f16b97824b57df879268d27bbeb18aaaec","unresolved":true,"context_lines":[{"line_number":193,"context_line":"     - yes"},{"line_number":194,"context_line":"     - yes"},{"line_number":195,"context_line":"     - yes"},{"line_number":196,"context_line":"   * - Mark a volume attachment process as completed (in-use) (mv 3.44)"},{"line_number":197,"context_line":"     - ``POST  /attachments/{attachment_id}/action`` (os-complete)"},{"line_number":198,"context_line":"     - volume:attachment_complete"},{"line_number":199,"context_line":"     - rule:admin_or_owner"}],"source_content_type":"text/x-rst","patch_set":12,"id":"b2f7e5f2_39c883b9","line":196,"updated":"2021-06-25 15:12:40.000000000","message":"This appears to be the only place where microversion info appears in the first column of the table. More often it appears in the second column, with \"Microversion\" spelled out (not just \"mv\"). 
See L560 for an example.\n\nSo for consistency, should \"Microversion 3.44\" be moved into the column started on L197?","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"722fe58da012b36ae3418f1dad575a0aabb629fc","unresolved":true,"context_lines":[{"line_number":193,"context_line":"     - yes"},{"line_number":194,"context_line":"     - yes"},{"line_number":195,"context_line":"     - yes"},{"line_number":196,"context_line":"   * - Mark a volume attachment process as completed (in-use) (mv 3.44)"},{"line_number":197,"context_line":"     - ``POST  /attachments/{attachment_id}/action`` (os-complete)"},{"line_number":198,"context_line":"     - volume:attachment_complete"},{"line_number":199,"context_line":"     - rule:admin_or_owner"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3240bbd0_12847141","line":196,"in_reply_to":"b2f7e5f2_39c883b9","updated":"2021-06-29 13:21:04.000000000","message":"Good catch.  
I\u0027ll make it consistent.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"7ef5c88ab13142476ea4d3cde95fab32ad1e7dac","unresolved":true,"context_lines":[{"line_number":355,"context_line":"     - system-admin"},{"line_number":356,"context_line":"     - (old \"owner\")"},{"line_number":357,"context_line":"     - (old \"admin\")"},{"line_number":358,"context_line":"   * - Show snapshot\u0027s metadata or one specified metadata with a given key"},{"line_number":359,"context_line":"     - | ``GET  /snapshots/{snapshot_id}/metadata``"},{"line_number":360,"context_line":"       | ``GET  /snapshots/{snapshot_id}/metadata/{key}``"},{"line_number":361,"context_line":"     - volume:get_snapshot_metadata"},{"line_number":362,"context_line":"     - rule:admin_or_owner"},{"line_number":363,"context_line":"     - yes"},{"line_number":364,"context_line":"     - yes"},{"line_number":365,"context_line":"     - yes"},{"line_number":366,"context_line":"     - yes"},{"line_number":367,"context_line":"     - yes"},{"line_number":368,"context_line":"     - yes"},{"line_number":369,"context_line":"     - yes"},{"line_number":370,"context_line":"   * - Update snapshot\u0027s metadata or one specified metadata with a given key"},{"line_number":371,"context_line":"     - | ``PUT  /snapshots/{snapshot_id}/metadata``"},{"line_number":372,"context_line":"       | ``PUT  /snapshots/{snapshot_id}/metadata/{key}``"}],"source_content_type":"text/x-rst","patch_set":12,"id":"8273825c_53732a78","line":369,"range":{"start_line":358,"start_character":7,"end_line":369,"end_character":10},"updated":"2021-06-25 14:26:47.000000000","message":"this and other snapshot metadata policies are specified in a different file so it makes sense to separate it out in a different section as we did for volume and 
volume_metadata","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"8b4a57d909f80d875409c8bbba9f4d287f03d2b3","unresolved":true,"context_lines":[{"line_number":355,"context_line":"     - system-admin"},{"line_number":356,"context_line":"     - (old \"owner\")"},{"line_number":357,"context_line":"     - (old \"admin\")"},{"line_number":358,"context_line":"   * - Show snapshot\u0027s metadata or one specified metadata with a given key"},{"line_number":359,"context_line":"     - | ``GET  /snapshots/{snapshot_id}/metadata``"},{"line_number":360,"context_line":"       | ``GET  /snapshots/{snapshot_id}/metadata/{key}``"},{"line_number":361,"context_line":"     - volume:get_snapshot_metadata"},{"line_number":362,"context_line":"     - rule:admin_or_owner"},{"line_number":363,"context_line":"     - yes"},{"line_number":364,"context_line":"     - yes"},{"line_number":365,"context_line":"     - yes"},{"line_number":366,"context_line":"     - yes"},{"line_number":367,"context_line":"     - yes"},{"line_number":368,"context_line":"     - yes"},{"line_number":369,"context_line":"     - yes"},{"line_number":370,"context_line":"   * - Update snapshot\u0027s metadata or one specified metadata with a given key"},{"line_number":371,"context_line":"     - | ``PUT  /snapshots/{snapshot_id}/metadata``"},{"line_number":372,"context_line":"       | ``PUT  /snapshots/{snapshot_id}/metadata/{key}``"}],"source_content_type":"text/x-rst","patch_set":12,"id":"da68a579_6ae0cd78","line":369,"range":{"start_line":358,"start_character":7,"end_line":369,"end_character":10},"in_reply_to":"8273825c_53732a78","updated":"2021-06-25 14:32:41.000000000","message":"To be specific there are 3 snapshot metadata policies, GET, UPDATE and 
DELETE\nhttps://opendev.org/openstack/cinder/src/branch/master/cinder/policies/snapshot_metadata.py","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":20813,"name":"Sofia Enriquez","email":"lsofia.enriquez@gmail.com","username":"enriquetaso"},"change_message_id":"6ccbe1f72733a7ea9adfec3bbb1abe3b55c9fe9c","unresolved":true,"context_lines":[{"line_number":557,"context_line":"     - yes"},{"line_number":558,"context_line":"     - yes"},{"line_number":559,"context_line":"   * - List backups or show backup *with project attributes*"},{"line_number":560,"context_line":"     - | Microversion 3.18"},{"line_number":561,"context_line":"       | Adds ``os-backup-project-attr:project_id`` to the following responses:"},{"line_number":562,"context_line":"       | ``GET  /backups/detail``"},{"line_number":563,"context_line":"       | ``GET  /backups/{backup_id}``"}],"source_content_type":"text/x-rst","patch_set":12,"id":"73621232_63d24037","line":560,"updated":"2021-06-25 16:54:51.000000000","message":"Questions that can be valid or not: Why not set 3.56 microversion instead of 3.18?\n\nMicroversion 3.18\nBACKUP_PROJECT_USER_ID \u003d \u00273.56\u0027\n\n:nit: 3.56 - Add user_id attribute to the response body of list backup with detail and show backup detail APIs. 
I think we may need to use microversion 3.56 in order to get a much more complete response?","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"722fe58da012b36ae3418f1dad575a0aabb629fc","unresolved":true,"context_lines":[{"line_number":557,"context_line":"     - yes"},{"line_number":558,"context_line":"     - yes"},{"line_number":559,"context_line":"   * - List backups or show backup *with project attributes*"},{"line_number":560,"context_line":"     - | Microversion 3.18"},{"line_number":561,"context_line":"       | Adds ``os-backup-project-attr:project_id`` to the following responses:"},{"line_number":562,"context_line":"       | ``GET  /backups/detail``"},{"line_number":563,"context_line":"       | ``GET  /backups/{backup_id}``"}],"source_content_type":"text/x-rst","patch_set":12,"id":"69a6799c_e419679f","line":560,"in_reply_to":"73621232_63d24037","updated":"2021-06-29 13:21:04.000000000","message":"\u003e Why not set 3.56 microversion instead of 3.18?\n\nGood question.  3.18 includes the project_id in the response and is governed by policy; 3.56 includes the user_id in the response and is *not* governed by a policy.  
So I don\u0027t mention 3.56 here because it doesn\u0027t have policy implications (people can learn about it in the api-ref).","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":20813,"name":"Sofia Enriquez","email":"lsofia.enriquez@gmail.com","username":"enriquetaso"},"change_message_id":"5bb9d6a151df82db621f55de3750f2deea5a4415","unresolved":true,"context_lines":[{"line_number":593,"context_line":"     - yes"},{"line_number":594,"context_line":"     - yes"},{"line_number":595,"context_line":"     - yes"},{"line_number":596,"context_line":"   * - | Microversion 3.9"},{"line_number":597,"context_line":"       | Update backup"},{"line_number":598,"context_line":"     - ``PUT  /backups/{backup_id}``"},{"line_number":599,"context_line":"     - backup:update"}],"source_content_type":"text/x-rst","patch_set":12,"id":"18bfcdf2_f4c88620","line":596,"updated":"2021-06-25 15:33:26.000000000","message":"To make it the same as in the other tables. The microversion should be in the API call column instead of functionality column.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"722fe58da012b36ae3418f1dad575a0aabb629fc","unresolved":true,"context_lines":[{"line_number":593,"context_line":"     - yes"},{"line_number":594,"context_line":"     - yes"},{"line_number":595,"context_line":"     - yes"},{"line_number":596,"context_line":"   * - | Microversion 3.9"},{"line_number":597,"context_line":"       | Update backup"},{"line_number":598,"context_line":"     - ``PUT  /backups/{backup_id}``"},{"line_number":599,"context_line":"     - backup:update"}],"source_content_type":"text/x-rst","patch_set":12,"id":"4c981fae_535ec084","line":596,"in_reply_to":"18bfcdf2_f4c88620","updated":"2021-06-29 13:21:04.000000000","message":"Good catch, will 
fix.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"e57aab1268c77d6f88d9f6c8153d31394fa5fa0c","unresolved":true,"context_lines":[{"line_number":1107,"context_line":"     - (old \"admin\")"},{"line_number":1108,"context_line":"   * - List qos specs or list all associations"},{"line_number":1109,"context_line":"     - | ``GET  /qos-specs``"},{"line_number":1110,"context_line":"       | ``GET  /qos-specs/{qos_id}/associations``"},{"line_number":1111,"context_line":"     - volume_extension:qos_specs_manage:get_all"},{"line_number":1112,"context_line":"     - rule:admin_api"},{"line_number":1113,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":12,"id":"d0e73184_bf806ad9","line":1110,"updated":"2021-07-06 13:30:28.000000000","message":"It doesn\u0027t feel right to me that /qos-specs and /qos-specs/{qos_id}/associations share the same policy. I realize they\u0027re both \"get all\" requests, but /qos-specs/{qos_id} has its own policy and so I wonder if /qos-specs/{qos_id}/associations should -NOT- share the same policy as /qos-specs. 
In other words, perhaps it warrants its own policy (volume_extension:qos_specs_manage:get_all_associations?)","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"e57aab1268c77d6f88d9f6c8153d31394fa5fa0c","unresolved":true,"context_lines":[{"line_number":1185,"context_line":"   * - | **DEPRECATE**"},{"line_number":1186,"context_line":"       | Show or update project quota class"},{"line_number":1187,"context_line":"     - | (NOTE: new policies split GET and PUT)"},{"line_number":1188,"context_line":"       | ``GET  /os-quota-class-sets/{project_id}``"},{"line_number":1189,"context_line":"       | ``PUT  /os-quota-class-sets/{project_id}``"},{"line_number":1190,"context_line":"     - volume_extension:quota_classes"},{"line_number":1191,"context_line":"     - rule:admin_api"}],"source_content_type":"text/x-rst","patch_set":12,"id":"34700612_d56a48c9","line":1188,"updated":"2021-07-06 13:30:28.000000000","message":"The API ref specifies an {admin_project_id} scope. Is that relevant in this doc? 
This applies to all the quota and quota_class URLs.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"203baa2f13b0fbd993ddcc45e6d6f2d1d8456d92","unresolved":true,"context_lines":[{"line_number":1185,"context_line":"   * - | **DEPRECATE**"},{"line_number":1186,"context_line":"       | Show or update project quota class"},{"line_number":1187,"context_line":"     - | (NOTE: new policies split GET and PUT)"},{"line_number":1188,"context_line":"       | ``GET  /os-quota-class-sets/{project_id}``"},{"line_number":1189,"context_line":"       | ``PUT  /os-quota-class-sets/{project_id}``"},{"line_number":1190,"context_line":"     - volume_extension:quota_classes"},{"line_number":1191,"context_line":"     - rule:admin_api"}],"source_content_type":"text/x-rst","patch_set":12,"id":"bc4cdcaa_2078aff8","line":1188,"in_reply_to":"34700612_d56a48c9","updated":"2021-07-19 16:20:08.000000000","message":"You\u0027ll notice that all the API ref URLs are of the form VERB /v3/{project_id}/resource/path, and we only have the /resource/path part here.  The {admin_project_id} is just used in some URLs like these where you need to distinguish  the project_id of the caller (the admin) from the project_id later in the path (of the tenant whose quota-class the admin wants to manipulate).  
There are also some calls documented in the api-ref as having VERB /v3/{project_id}/resource/path where the project_id must be that of an admin project (an example is the Snapshot manage extension), but we just have \"project_id\" in the documented URL.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":4523,"name":"Eric Harney","email":"eharney@redhat.com","username":"eharney"},"change_message_id":"c6e9778de266da971f3890e86ab536cb8a617405","unresolved":true,"context_lines":[{"line_number":1459,"context_line":"     - yes"},{"line_number":1460,"context_line":"     - no"},{"line_number":1461,"context_line":"     - yes"},{"line_number":1462,"context_line":"   * - Stop managing a volume"},{"line_number":1463,"context_line":"     - ``POST  /volumes/{volume_id}/action`` (os-unmanage)"},{"line_number":1464,"context_line":"     - volume_extension:volume_unmanage"},{"line_number":1465,"context_line":"     - rule:admin_api"}],"source_content_type":"text/x-rst","patch_set":12,"id":"d24cffd3_9c9656a3","line":1462,"range":{"start_line":1462,"start_character":7,"end_line":1462,"end_character":20},"updated":"2021-07-19 14:37:05.000000000","message":"IMO it would be better to just use \"unmanage\" here since it may not be obvious what \"Stop managing\" means to someone who isn\u0027t familiar with this feature.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"94d2d5698a6ab73d43802be78c440372fa7af0b7","unresolved":true,"context_lines":[{"line_number":1459,"context_line":"     - yes"},{"line_number":1460,"context_line":"     - no"},{"line_number":1461,"context_line":"     - yes"},{"line_number":1462,"context_line":"   * - Stop managing a volume"},{"line_number":1463,"context_line":"     - ``POST  /volumes/{volume_id}/action`` (os-unmanage)"},{"line_number":1464,"context_line":"     - 
volume_extension:volume_unmanage"},{"line_number":1465,"context_line":"     - rule:admin_api"}],"source_content_type":"text/x-rst","patch_set":12,"id":"8b5eaa3c_8759f438","line":1462,"range":{"start_line":1462,"start_character":7,"end_line":1462,"end_character":20},"in_reply_to":"d24cffd3_9c9656a3","updated":"2021-07-20 22:59:32.000000000","message":"Sounds good to me.  (Will make the same change for snapshots.)","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":4523,"name":"Eric Harney","email":"eharney@redhat.com","username":"eharney"},"change_message_id":"dccda8e29850966751383411af6e23551eecbc16","unresolved":true,"context_lines":[{"line_number":1514,"context_line":"     - yes"},{"line_number":1515,"context_line":"   * - | **NEW**"},{"line_number":1516,"context_line":"       | Update a volume type"},{"line_number":1517,"context_line":"     - ``PUT  /types``"},{"line_number":1518,"context_line":"     - volume_extension:type_update"},{"line_number":1519,"context_line":"     - (new policy)"},{"line_number":1520,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":12,"id":"6fad971d_0e564d7d","line":1517,"range":{"start_line":1517,"start_character":7,"end_line":1517,"end_character":22},"updated":"2021-06-25 14:22:41.000000000","message":"This should be\n  PUT /types/{type_id}","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"722fe58da012b36ae3418f1dad575a0aabb629fc","unresolved":true,"context_lines":[{"line_number":1514,"context_line":"     - yes"},{"line_number":1515,"context_line":"   * - | **NEW**"},{"line_number":1516,"context_line":"       | Update a volume type"},{"line_number":1517,"context_line":"     - ``PUT  /types``"},{"line_number":1518,"context_line":"     - volume_extension:type_update"},{"line_number":1519,"context_line":"     - (new 
policy)"},{"line_number":1520,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":12,"id":"9f79d262_663c168c","line":1517,"range":{"start_line":1517,"start_character":7,"end_line":1517,"end_character":22},"in_reply_to":"6fad971d_0e564d7d","updated":"2021-06-29 13:21:04.000000000","message":"You\u0027re correct (same change at line 1529)","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"b33944556bf8518eec6a11915201b63c6edfaa56","unresolved":true,"context_lines":[{"line_number":1841,"context_line":"   * - Complete a volume migration"},{"line_number":1842,"context_line":"     - ``POST  /volumes/{volume_id}/action`` (os-migrate_volume_completion)"},{"line_number":1843,"context_line":"     - volume_extension:volume_admin_actions:migrate_volume_completion"},{"line_number":1844,"context_line":"     - rule:admin_or_owner"},{"line_number":1845,"context_line":"     - no"},{"line_number":1846,"context_line":"     - yes"},{"line_number":1847,"context_line":"     - yes"},{"line_number":1848,"context_line":"     - no"},{"line_number":1849,"context_line":"     - yes"},{"line_number":1850,"context_line":"     - yes"},{"line_number":1851,"context_line":"     - yes"},{"line_number":1852,"context_line":"   * - Initialize volume attachment"},{"line_number":1853,"context_line":"     - ``POST  /volumes/{volume_id}/action`` (os-initialize_connection)"},{"line_number":1854,"context_line":"     - volume_extension:volume_actions:initialize_connection"},{"line_number":1855,"context_line":"     - rule:admin_or_owner"}],"source_content_type":"text/x-rst","patch_set":12,"id":"ddc4bc60_c9363c44","line":1852,"range":{"start_line":1844,"start_character":0,"end_line":1852,"end_character":0},"updated":"2021-06-25 16:48:31.000000000","message":"-1: This should be rule:admin_api [1]\n\n[1] 
https://opendev.org/openstack/cinder/src/branch/master/cinder/policies/volume_actions.py#L156","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"722fe58da012b36ae3418f1dad575a0aabb629fc","unresolved":false,"context_lines":[{"line_number":1841,"context_line":"   * - Complete a volume migration"},{"line_number":1842,"context_line":"     - ``POST  /volumes/{volume_id}/action`` (os-migrate_volume_completion)"},{"line_number":1843,"context_line":"     - volume_extension:volume_admin_actions:migrate_volume_completion"},{"line_number":1844,"context_line":"     - rule:admin_or_owner"},{"line_number":1845,"context_line":"     - no"},{"line_number":1846,"context_line":"     - yes"},{"line_number":1847,"context_line":"     - yes"},{"line_number":1848,"context_line":"     - no"},{"line_number":1849,"context_line":"     - yes"},{"line_number":1850,"context_line":"     - yes"},{"line_number":1851,"context_line":"     - yes"},{"line_number":1852,"context_line":"   * - Initialize volume attachment"},{"line_number":1853,"context_line":"     - ``POST  /volumes/{volume_id}/action`` (os-initialize_connection)"},{"line_number":1854,"context_line":"     - volume_extension:volume_actions:initialize_connection"},{"line_number":1855,"context_line":"     - rule:admin_or_owner"}],"source_content_type":"text/x-rst","patch_set":12,"id":"197db318_4afe20fd","line":1852,"range":{"start_line":1844,"start_character":0,"end_line":1852,"end_character":0},"in_reply_to":"ddc4bc60_c9363c44","updated":"2021-06-29 13:21:04.000000000","message":"Ack","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":9535,"name":"Gorka Eguileor","email":"geguileo@redhat.com","username":"Gorka"},"change_message_id":"f787afb36e59348f606ecd2ab8acf5cafde2018e","unresolved":true,"context_lines":[{"line_number":1938,"context_line":"     - 
yes"},{"line_number":1939,"context_line":"     - yes"},{"line_number":1940,"context_line":""},{"line_number":1941,"context_line":".. list-table:: Volume Transfers (Microversions 3.55, 3.57)"},{"line_number":1942,"context_line":"   :header-rows: 1"},{"line_number":1943,"context_line":""},{"line_number":1944,"context_line":"   * - functionality"}],"source_content_type":"text/x-rst","patch_set":12,"id":"a4f0b588_747c291d","line":1941,"range":{"start_line":1941,"start_character":33,"end_line":1941,"end_character":59},"updated":"2021-06-25 15:23:20.000000000","message":"-1: We should remove the mention of the microversions.\n\nThe feature has been available for a long time.  Those microversions are only relevant for the create a volume transfer operation, and they don\u0027t affect the policy, just the parameters that can be passed to Cinder that allow the caller to use the new functionality (like transferring snapshots).","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":9535,"name":"Gorka Eguileor","email":"geguileo@redhat.com","username":"Gorka"},"change_message_id":"9adb9ef71dee8593d9e56c274ae314f13093612c","unresolved":false,"context_lines":[{"line_number":1938,"context_line":"     - yes"},{"line_number":1939,"context_line":"     - yes"},{"line_number":1940,"context_line":""},{"line_number":1941,"context_line":".. 
list-table:: Volume Transfers (Microversions 3.55, 3.57)"},{"line_number":1942,"context_line":"   :header-rows: 1"},{"line_number":1943,"context_line":""},{"line_number":1944,"context_line":"   * - functionality"}],"source_content_type":"text/x-rst","patch_set":12,"id":"cd6ca7ac_0d0bbeac","line":1941,"range":{"start_line":1941,"start_character":33,"end_line":1941,"end_character":59},"in_reply_to":"29de284d_115cafb4","updated":"2021-06-29 16:22:11.000000000","message":"Done","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"722fe58da012b36ae3418f1dad575a0aabb629fc","unresolved":true,"context_lines":[{"line_number":1938,"context_line":"     - yes"},{"line_number":1939,"context_line":"     - yes"},{"line_number":1940,"context_line":""},{"line_number":1941,"context_line":".. list-table:: Volume Transfers (Microversions 3.55, 3.57)"},{"line_number":1942,"context_line":"   :header-rows: 1"},{"line_number":1943,"context_line":""},{"line_number":1944,"context_line":"   * - functionality"}],"source_content_type":"text/x-rst","patch_set":12,"id":"29de284d_115cafb4","line":1941,"range":{"start_line":1941,"start_character":33,"end_line":1941,"end_character":59},"in_reply_to":"a4f0b588_747c291d","updated":"2021-06-29 13:21:04.000000000","message":"I agree.  The microversion doesn\u0027t introduce any new policies, they\u0027re the same policies from the old os-volume-transfer API.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":20813,"name":"Sofia Enriquez","email":"lsofia.enriquez@gmail.com","username":"enriquetaso"},"change_message_id":"6ccbe1f72733a7ea9adfec3bbb1abe3b55c9fe9c","unresolved":true,"context_lines":[{"line_number":2015,"context_line":"     - yes"},{"line_number":2016,"context_line":"     - yes"},{"line_number":2017,"context_line":""},{"line_number":2018,"context_line":".. 
list-table:: Volume Metadata"},{"line_number":2019,"context_line":"   :header-rows: 1"},{"line_number":2020,"context_line":""},{"line_number":2021,"context_line":"   * - functionality"}],"source_content_type":"text/x-rst","patch_set":12,"id":"20121b95_26a63428","line":2018,"updated":"2021-06-25 16:54:51.000000000","message":":nit: I think we may want to add a new row for \u0027volume list metadata (summary) since https://opendev.org/openstack/cinder/src/branch/master/cinder/api/openstack/api_version_request.py#L92","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"722fe58da012b36ae3418f1dad575a0aabb629fc","unresolved":true,"context_lines":[{"line_number":2015,"context_line":"     - yes"},{"line_number":2016,"context_line":"     - yes"},{"line_number":2017,"context_line":""},{"line_number":2018,"context_line":".. list-table:: Volume Metadata"},{"line_number":2019,"context_line":"   :header-rows: 1"},{"line_number":2020,"context_line":""},{"line_number":2021,"context_line":"   * - functionality"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3d2c58d4_07ef6653","line":2018,"in_reply_to":"20121b95_26a63428","updated":"2021-06-29 13:21:04.000000000","message":"As far as I can tell, mv 3.36 doesn\u0027t have a policy associated with it.  GET /volumes/summary is added by mv 3.12 and uses the volume:get_all policy, but I think mv 3.36 just includes the metadata summary without checking any additional policy (and there\u0027s no query parameter controlling it either).  Maybe this is a bug?  
Probably no one has ever noticed because the default for volume:get_volume_metadata has always been admin_or_owner.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":20813,"name":"Sofia Enriquez","email":"lsofia.enriquez@gmail.com","username":"enriquetaso"},"change_message_id":"6ccbe1f72733a7ea9adfec3bbb1abe3b55c9fe9c","unresolved":true,"context_lines":[{"line_number":2032,"context_line":"   * - Show volume\u0027s metadata or one specified metadata with a given key."},{"line_number":2033,"context_line":"     - | ``GET  /volumes/{volume_id}/metadata``"},{"line_number":2034,"context_line":"       | ``GET  /volumes/{volume_id}/metadata/{key}``"},{"line_number":2035,"context_line":"       | ``POST /volumes/{volume_id}/action`` (os-show_image_metadata)"},{"line_number":2036,"context_line":"     - volume:get_volume_metadata"},{"line_number":2037,"context_line":"     - rule:admin_or_owner"},{"line_number":2038,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":12,"id":"b13109d0_da9c5f3e","line":2035,"range":{"start_line":2035,"start_character":7,"end_line":2035,"end_character":70},"updated":"2021-06-25 16:54:51.000000000","message":":nit: I think this looks weird here because image doesn\u0027t involve volume\u0027s metadata and \u0027one specified metadata\u0027 may be too generic. 
Should we create a new row for image metadata since *Volume’s image metadata* functionality is deprecated to make it clearer or just leave it as it is now.\n\nhttps://opendev.org/openstack/cinder/src/branch/master/cinder/volume/api.py#L1261","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"722fe58da012b36ae3418f1dad575a0aabb629fc","unresolved":true,"context_lines":[{"line_number":2032,"context_line":"   * - Show volume\u0027s metadata or one specified metadata with a given key."},{"line_number":2033,"context_line":"     - | ``GET  /volumes/{volume_id}/metadata``"},{"line_number":2034,"context_line":"       | ``GET  /volumes/{volume_id}/metadata/{key}``"},{"line_number":2035,"context_line":"       | ``POST /volumes/{volume_id}/action`` (os-show_image_metadata)"},{"line_number":2036,"context_line":"     - volume:get_volume_metadata"},{"line_number":2037,"context_line":"     - rule:admin_or_owner"},{"line_number":2038,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":12,"id":"49d888bb_d57ff753","line":2035,"range":{"start_line":2035,"start_character":7,"end_line":2035,"end_character":70},"in_reply_to":"b13109d0_da9c5f3e","updated":"2021-06-29 13:21:04.000000000","message":"I agree that it looks really weird.  Not sure what to do about it, because if you give someone the volume:get_volume_metadata permission, they can make the POST /action call and see the volume image metadata, even if they don\u0027t have the volume_extension:volume_image_metadata permission, so I think we need to leave it here.  (This may be another bug ... 
we may want to change the policy governing this action after the s-rbac stuff is over.)","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":20813,"name":"Sofia Enriquez","email":"lsofia.enriquez@gmail.com","username":"enriquetaso"},"change_message_id":"6ccbe1f72733a7ea9adfec3bbb1abe3b55c9fe9c","unresolved":true,"context_lines":[{"line_number":2079,"context_line":"   * - | **DEPRECATE**"},{"line_number":2080,"context_line":"       | Volume\u0027s image metadata related operation, create, delete, show and"},{"line_number":2081,"context_line":"         list"},{"line_number":2082,"context_line":"     - | (NOTE: need new policies to split GET and POST)"},{"line_number":2083,"context_line":"       | Microversion 3.4"},{"line_number":2084,"context_line":"       | ``GET  /volumes/detail``"},{"line_number":2085,"context_line":"       | ``GET  /volumes/{volume_id}``"}],"source_content_type":"text/x-rst","patch_set":12,"id":"2b2f7e7d_622be29f","line":2082,"range":{"start_line":2082,"start_character":8,"end_line":2082,"end_character":56},"updated":"2021-06-25 16:54:51.000000000","message":":nit: should we do it in this patch or in a follow up?","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"722fe58da012b36ae3418f1dad575a0aabb629fc","unresolved":true,"context_lines":[{"line_number":2079,"context_line":"   * - | **DEPRECATE**"},{"line_number":2080,"context_line":"       | Volume\u0027s image metadata related operation, create, delete, show and"},{"line_number":2081,"context_line":"         list"},{"line_number":2082,"context_line":"     - | (NOTE: need new policies to split GET and POST)"},{"line_number":2083,"context_line":"       | Microversion 3.4"},{"line_number":2084,"context_line":"       | ``GET  /volumes/detail``"},{"line_number":2085,"context_line":"       | ``GET  
/volumes/{volume_id}``"}],"source_content_type":"text/x-rst","patch_set":12,"id":"9cf93cf6_6895433b","line":2082,"range":{"start_line":2082,"start_character":8,"end_line":2082,"end_character":56},"in_reply_to":"2b2f7e7d_622be29f","updated":"2021-06-29 13:21:04.000000000","message":"This note is confusing.  The new GET policy is line 2105; the new POST policy is line 2118.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":9535,"name":"Gorka Eguileor","email":"geguileo@redhat.com","username":"Gorka"},"change_message_id":"f787afb36e59348f606ecd2ab8acf5cafde2018e","unresolved":true,"context_lines":[{"line_number":2171,"context_line":"     - no"},{"line_number":2172,"context_line":"     - no"},{"line_number":2173,"context_line":"     - no"},{"line_number":2174,"context_line":"     - no"},{"line_number":2175,"context_line":"     - yes"},{"line_number":2176,"context_line":"     - no"},{"line_number":2177,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":12,"id":"a04089c9_9482f93d","line":2174,"range":{"start_line":2174,"start_character":7,"end_line":2174,"end_character":9},"updated":"2021-06-25 15:23:20.000000000","message":"In my opinion a system reader should be able to check the extra specs, since that would let them confirm if a volume type is correct, the backend where it will go, etc.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"722fe58da012b36ae3418f1dad575a0aabb629fc","unresolved":true,"context_lines":[{"line_number":2171,"context_line":"     - no"},{"line_number":2172,"context_line":"     - no"},{"line_number":2173,"context_line":"     - no"},{"line_number":2174,"context_line":"     - no"},{"line_number":2175,"context_line":"     - yes"},{"line_number":2176,"context_line":"     - no"},{"line_number":2177,"context_line":"     - 
yes"}],"source_content_type":"text/x-rst","patch_set":12,"id":"f5b639af_52291253","line":2174,"range":{"start_line":2174,"start_character":7,"end_line":2174,"end_character":9},"in_reply_to":"a04089c9_9482f93d","updated":"2021-06-29 13:21:04.000000000","message":"Remember that long discussion about a \"reader\" vs. an \"auditor\" during wallaby?  The conclusion was that a system-reader should be just like a project-reader, with the difference being that the system-reader can see into any cinder project.  An \"auditor\" would have read-only access to everything a system-admin can see, but that role doesn\u0027t exist yet.  (At least that\u0027s my understanding.)","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":9535,"name":"Gorka Eguileor","email":"geguileo@redhat.com","username":"Gorka"},"change_message_id":"9adb9ef71dee8593d9e56c274ae314f13093612c","unresolved":false,"context_lines":[{"line_number":2171,"context_line":"     - no"},{"line_number":2172,"context_line":"     - no"},{"line_number":2173,"context_line":"     - no"},{"line_number":2174,"context_line":"     - no"},{"line_number":2175,"context_line":"     - yes"},{"line_number":2176,"context_line":"     - no"},{"line_number":2177,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":12,"id":"4675e377_2cb59df8","line":2174,"range":{"start_line":2174,"start_character":7,"end_line":2174,"end_character":9},"in_reply_to":"f5b639af_52291253","updated":"2021-06-29 16:22:11.000000000","message":"You are correct, that\u0027s what was agreed.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":9535,"name":"Gorka Eguileor","email":"geguileo@redhat.com","username":"Gorka"},"change_message_id":"f787afb36e59348f606ecd2ab8acf5cafde2018e","unresolved":true,"context_lines":[{"line_number":2193,"context_line":"     - no"},{"line_number":2194,"context_line":"     - no"},{"line_number":2195,"context_line":"     - 
no"},{"line_number":2196,"context_line":"     - no"},{"line_number":2197,"context_line":"     - yes"},{"line_number":2198,"context_line":"     - no"},{"line_number":2199,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":12,"id":"7d2faf1d_38c60b54","line":2196,"range":{"start_line":2196,"start_character":7,"end_line":2196,"end_character":9},"updated":"2021-06-25 15:23:20.000000000","message":"Same here, I think it would make sense to make it \"yes\"","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":9535,"name":"Gorka Eguileor","email":"geguileo@redhat.com","username":"Gorka"},"change_message_id":"9adb9ef71dee8593d9e56c274ae314f13093612c","unresolved":false,"context_lines":[{"line_number":2193,"context_line":"     - no"},{"line_number":2194,"context_line":"     - no"},{"line_number":2195,"context_line":"     - no"},{"line_number":2196,"context_line":"     - no"},{"line_number":2197,"context_line":"     - yes"},{"line_number":2198,"context_line":"     - no"},{"line_number":2199,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":12,"id":"51abcfa8_cbaebc2b","line":2196,"range":{"start_line":2196,"start_character":7,"end_line":2196,"end_character":9},"in_reply_to":"16452e6a_aaad7413","updated":"2021-06-29 16:22:11.000000000","message":"No need to check, I remember now the discussion and you are right.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"722fe58da012b36ae3418f1dad575a0aabb629fc","unresolved":true,"context_lines":[{"line_number":2193,"context_line":"     - no"},{"line_number":2194,"context_line":"     - no"},{"line_number":2195,"context_line":"     - no"},{"line_number":2196,"context_line":"     - no"},{"line_number":2197,"context_line":"     - yes"},{"line_number":2198,"context_line":"     - 
no"},{"line_number":2199,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":12,"id":"16452e6a_aaad7413","line":2196,"range":{"start_line":2196,"start_character":7,"end_line":2196,"end_character":9},"in_reply_to":"7d2faf1d_38c60b54","updated":"2021-06-29 13:21:04.000000000","message":"I\u0027ll take a note to check this with Lance when he gets back to make sure my explanation at line 2174 is correct.  (I haven\u0027t been able to figure out how to get RST comments into a list-table without breaking it.)","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"f702fdef184e9ae8efed05b7c2ca7f8379b1b116","unresolved":true,"context_lines":[{"line_number":2316,"context_line":"     - yes"},{"line_number":2317,"context_line":"   * - List or show volume with host attribute"},{"line_number":2318,"context_line":"     - | ``GET  /volumes/{volume_id}``"},{"line_number":2319,"context_line":"       | ``GET  /volumes/detail``"},{"line_number":2320,"context_line":"     - volume_extension:volume_host_attribute"},{"line_number":2321,"context_line":"     - rule:admin_api"},{"line_number":2322,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":12,"id":"bcfbfc96_9986812f","line":2319,"updated":"2021-06-25 17:23:07.000000000","message":"Should mention here that this affects response content, not whether or not you can make the call.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"722fe58da012b36ae3418f1dad575a0aabb629fc","unresolved":false,"context_lines":[{"line_number":2316,"context_line":"     - yes"},{"line_number":2317,"context_line":"   * - List or show volume with host attribute"},{"line_number":2318,"context_line":"     - | ``GET  
/volumes/{volume_id}``"},{"line_number":2319,"context_line":"       | ``GET  /volumes/detail``"},{"line_number":2320,"context_line":"     - volume_extension:volume_host_attribute"},{"line_number":2321,"context_line":"     - rule:admin_api"},{"line_number":2322,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":12,"id":"984a8c7d_7893786d","line":2319,"in_reply_to":"bcfbfc96_9986812f","updated":"2021-06-29 13:21:04.000000000","message":"Ack","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"f702fdef184e9ae8efed05b7c2ca7f8379b1b116","unresolved":true,"context_lines":[{"line_number":2328,"context_line":"     - yes"},{"line_number":2329,"context_line":"   * - List or show volume with tenant attribute (the project ID)"},{"line_number":2330,"context_line":"     - | ``GET  /volumes/{volume_id}``"},{"line_number":2331,"context_line":"       | ``GET  /volumes/detail``"},{"line_number":2332,"context_line":"     - volume_extension:volume_tenant_attribute"},{"line_number":2333,"context_line":"     - rule:admin_or_owner"},{"line_number":2334,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":12,"id":"545b77a7_36f9d4ee","line":2331,"updated":"2021-06-25 17:23:07.000000000","message":"Should mention here that this affects response content, not whether or not you can make the call.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"722fe58da012b36ae3418f1dad575a0aabb629fc","unresolved":false,"context_lines":[{"line_number":2328,"context_line":"     - yes"},{"line_number":2329,"context_line":"   * - List or show volume with tenant attribute (the project ID)"},{"line_number":2330,"context_line":"     - | ``GET  
/volumes/{volume_id}``"},{"line_number":2331,"context_line":"       | ``GET  /volumes/detail``"},{"line_number":2332,"context_line":"     - volume_extension:volume_tenant_attribute"},{"line_number":2333,"context_line":"     - rule:admin_or_owner"},{"line_number":2334,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":12,"id":"fea568b9_1bddc3b7","line":2331,"in_reply_to":"545b77a7_36f9d4ee","updated":"2021-06-29 13:21:04.000000000","message":"Ack","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"f702fdef184e9ae8efed05b7c2ca7f8379b1b116","unresolved":true,"context_lines":[{"line_number":2340,"context_line":"     - yes"},{"line_number":2341,"context_line":"   * - List or show volume with migration status attribute"},{"line_number":2342,"context_line":"     - | ``GET  /volumes/{volume_id}``"},{"line_number":2343,"context_line":"       | ``GET  /volumes/detail``"},{"line_number":2344,"context_line":"     - volume_extension:volume_mig_status_attribute"},{"line_number":2345,"context_line":"     - rule:admin_api"},{"line_number":2346,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":12,"id":"1fafaa6a_5d60ed05","line":2343,"updated":"2021-06-25 17:23:07.000000000","message":"Should mention here that this affects response content, not whether or not you can make the call.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"722fe58da012b36ae3418f1dad575a0aabb629fc","unresolved":false,"context_lines":[{"line_number":2340,"context_line":"     - yes"},{"line_number":2341,"context_line":"   * - List or show volume with migration status attribute"},{"line_number":2342,"context_line":"     - | ``GET  
/volumes/{volume_id}``"},{"line_number":2343,"context_line":"       | ``GET  /volumes/detail``"},{"line_number":2344,"context_line":"     - volume_extension:volume_mig_status_attribute"},{"line_number":2345,"context_line":"     - rule:admin_api"},{"line_number":2346,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":12,"id":"e18601c6_8bd65769","line":2343,"in_reply_to":"1fafaa6a_5d60ed05","updated":"2021-06-29 13:21:04.000000000","message":"Ack","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"f702fdef184e9ae8efed05b7c2ca7f8379b1b116","unresolved":true,"context_lines":[{"line_number":2364,"context_line":"     - yes"},{"line_number":2365,"context_line":"   * - Create multiattach capable volume"},{"line_number":2366,"context_line":"     - ``POST  /volumes``"},{"line_number":2367,"context_line":"     - volume:multiattach"},{"line_number":2368,"context_line":"     - rule:admin_or_owner"},{"line_number":2369,"context_line":"     - no"},{"line_number":2370,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":12,"id":"8542ccb9_420215b7","line":2367,"updated":"2021-06-25 17:23:07.000000000","message":"This also affects retyping.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"722fe58da012b36ae3418f1dad575a0aabb629fc","unresolved":false,"context_lines":[{"line_number":2364,"context_line":"     - yes"},{"line_number":2365,"context_line":"   * - Create multiattach capable volume"},{"line_number":2366,"context_line":"     - ``POST  /volumes``"},{"line_number":2367,"context_line":"     - volume:multiattach"},{"line_number":2368,"context_line":"     - rule:admin_or_owner"},{"line_number":2369,"context_line":"     - 
no"},{"line_number":2370,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":12,"id":"e5eb2a3d_a34077ec","line":2367,"in_reply_to":"8542ccb9_420215b7","updated":"2021-06-29 13:21:04.000000000","message":"Ack","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":9535,"name":"Gorka Eguileor","email":"geguileo@redhat.com","username":"Gorka"},"change_message_id":"644dd4d63678931a4452bd7dc601319de4bc26fe","unresolved":true,"context_lines":[{"line_number":2409,"context_line":"     - no"},{"line_number":2410,"context_line":"     - no"},{"line_number":2411,"context_line":"     - yes"},{"line_number":2412,"context_line":"     - no"},{"line_number":2413,"context_line":"     - yes"},{"line_number":2414,"context_line":"     - no"},{"line_number":2415,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":12,"id":"26a44c86_88b7eb7b","line":2412,"range":{"start_line":2412,"start_character":7,"end_line":2412,"end_character":9},"updated":"2021-06-25 16:05:44.000000000","message":"I think it would be useful to set this to yes, so a system reader can check the defaults for all the projects.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"722fe58da012b36ae3418f1dad575a0aabb629fc","unresolved":true,"context_lines":[{"line_number":2409,"context_line":"     - no"},{"line_number":2410,"context_line":"     - no"},{"line_number":2411,"context_line":"     - yes"},{"line_number":2412,"context_line":"     - no"},{"line_number":2413,"context_line":"     - yes"},{"line_number":2414,"context_line":"     - no"},{"line_number":2415,"context_line":"     - 
yes"}],"source_content_type":"text/x-rst","patch_set":12,"id":"95bbcdb0_3b326f69","line":2412,"range":{"start_line":2412,"start_character":7,"end_line":2412,"end_character":9},"in_reply_to":"26a44c86_88b7eb7b","updated":"2021-06-29 13:21:04.000000000","message":"See comment above about \"reader\" vs. \"auditor\".","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":9535,"name":"Gorka Eguileor","email":"geguileo@redhat.com","username":"Gorka"},"change_message_id":"644dd4d63678931a4452bd7dc601319de4bc26fe","unresolved":true,"context_lines":[{"line_number":2420,"context_line":"     - no"},{"line_number":2421,"context_line":"     - no"},{"line_number":2422,"context_line":"     - no"},{"line_number":2423,"context_line":"     - no"},{"line_number":2424,"context_line":"     - yes"},{"line_number":2425,"context_line":"     - no"},{"line_number":2426,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":12,"id":"832cfb50_b1e75471","line":2423,"range":{"start_line":2423,"start_character":7,"end_line":2423,"end_character":9},"updated":"2021-06-25 16:05:44.000000000","message":"-1: We should change this to \"yes\" since the current policy allows everyone in the system scope, so we should keep it.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":9535,"name":"Gorka Eguileor","email":"geguileo@redhat.com","username":"Gorka"},"change_message_id":"9adb9ef71dee8593d9e56c274ae314f13093612c","unresolved":true,"context_lines":[{"line_number":2420,"context_line":"     - no"},{"line_number":2421,"context_line":"     - no"},{"line_number":2422,"context_line":"     - no"},{"line_number":2423,"context_line":"     - no"},{"line_number":2424,"context_line":"     - yes"},{"line_number":2425,"context_line":"     - no"},{"line_number":2426,"context_line":"     - 
yes"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3cef5aac_830a3a08","line":2423,"range":{"start_line":2423,"start_character":7,"end_line":2423,"end_character":9},"in_reply_to":"0bdb578a_5e6ff6b3","updated":"2021-06-29 16:22:11.000000000","message":"But wouldn\u0027t that be a backward incompatible change?  Something that can be done now with the default policy and won\u0027t be possible with the new one?\n\nI don\u0027t think it\u0027s a big deal though, since most likely only admins are currently using it.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d8d858850f1fb47bcad78ec35b65021adcc97a0b","unresolved":true,"context_lines":[{"line_number":2420,"context_line":"     - no"},{"line_number":2421,"context_line":"     - no"},{"line_number":2422,"context_line":"     - no"},{"line_number":2423,"context_line":"     - no"},{"line_number":2424,"context_line":"     - yes"},{"line_number":2425,"context_line":"     - no"},{"line_number":2426,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":12,"id":"aaea3c2e_4ca0ecb2","line":2423,"range":{"start_line":2423,"start_character":7,"end_line":2423,"end_character":9},"in_reply_to":"3cef5aac_830a3a08","updated":"2021-06-29 16:27:37.000000000","message":"Yes, it would be backward incompatible, but I think we can justify it as a \"secure and consistent\" change (as long as we call it out in the release notes and explain what to do to restore it to the previous value).","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"722fe58da012b36ae3418f1dad575a0aabb629fc","unresolved":true,"context_lines":[{"line_number":2420,"context_line":"     - no"},{"line_number":2421,"context_line":"     - 
no"},{"line_number":2422,"context_line":"     - no"},{"line_number":2423,"context_line":"     - no"},{"line_number":2424,"context_line":"     - yes"},{"line_number":2425,"context_line":"     - no"},{"line_number":2426,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":12,"id":"0bdb578a_5e6ff6b3","line":2423,"range":{"start_line":2423,"start_character":7,"end_line":2423,"end_character":9},"in_reply_to":"832cfb50_b1e75471","updated":"2021-06-29 13:21:04.000000000","message":"The problem is that that would be inconsistent with the way the system-reader persona is being dealt with elsewhere in the API.","commit_id":"4e8080a46d6b63ae34f89b264ee017c967578d5d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"80f565e82a20dc5a79edb5ead38be3186e08cdae","unresolved":true,"context_lines":[{"line_number":1652,"context_line":"       | Volume type access related APIs."},{"line_number":1653,"context_line":"     - | Adds ``os-volume-type-access:is_public`` to the following responses:"},{"line_number":1654,"context_line":"       | ``GET  /types``"},{"line_number":1655,"context_line":"       | ``GET  /types/detail``"},{"line_number":1656,"context_line":"       | ``GET  /types/{type_id}``"},{"line_number":1657,"context_line":"       | ``POST  /types``"},{"line_number":1658,"context_line":"       | The ability to make these API calls is governed by other policies."}],"source_content_type":"text/x-rst","patch_set":13,"id":"1ec12833_c8503637","line":1655,"range":{"start_line":1655,"start_character":0,"end_line":1655,"end_character":31},"updated":"2021-06-29 16:19:27.000000000","message":"Eric noticed that this call doesn\u0027t exist.","commit_id":"b9a1a5ee866dbbe6235dbd8afd97ddb36b6c3c93"},{"author":{"_account_id":27615,"name":"Rajat 
Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"71af3372f38bb861b56a95c64243085b0e901bab","unresolved":true,"context_lines":[{"line_number":983,"context_line":"     - yes"},{"line_number":984,"context_line":"     - yes"},{"line_number":985,"context_line":"   * - Update group snapshot"},{"line_number":986,"context_line":"     - ``PUT  /group_snapshots/{group_snapshot_id}``"},{"line_number":987,"context_line":"     - group:update_group_snapshot"},{"line_number":988,"context_line":"     - rule:admin_or_owner"},{"line_number":989,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":14,"id":"424421c7_88f13624","line":986,"range":{"start_line":986,"start_character":7,"end_line":986,"end_character":52},"updated":"2021-07-30 14:49:02.000000000","message":"there is no API for update in the api-ref[1] and no one is calling the update code where this policy is used[2] so we should change this\n\n[1] https://docs.openstack.org/api-ref/block-storage/v3/?expanded\u003d#group-snapshots-group-snapshots\n[2] https://github.com/openstack/cinder/blob/master/cinder/group/api.py#L911-L915","commit_id":"1759226826804f386ca74e751f50969982859ab8"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"a78c1428e9e3baf168c60046efd5e79092de7d09","unresolved":true,"context_lines":[{"line_number":983,"context_line":"     - yes"},{"line_number":984,"context_line":"     - yes"},{"line_number":985,"context_line":"   * - Update group snapshot"},{"line_number":986,"context_line":"     - ``PUT  /group_snapshots/{group_snapshot_id}``"},{"line_number":987,"context_line":"     - group:update_group_snapshot"},{"line_number":988,"context_line":"     - rule:admin_or_owner"},{"line_number":989,"context_line":"     - 
no"}],"source_content_type":"text/x-rst","patch_set":14,"id":"05dae42e_4e7290d4","line":986,"range":{"start_line":986,"start_character":7,"end_line":986,"end_character":52},"in_reply_to":"424421c7_88f13624","updated":"2021-08-02 20:52:34.000000000","message":"I\u0027ll add a note about the call not being implemented in the REST API.  We can decide to remove the policy or implement the request later.","commit_id":"1759226826804f386ca74e751f50969982859ab8"},{"author":{"_account_id":20813,"name":"Sofia Enriquez","email":"lsofia.enriquez@gmail.com","username":"enriquetaso"},"change_message_id":"5a5146db0fa9e599beab553b236d007e756c234d","unresolved":true,"context_lines":[{"line_number":1027,"context_line":"     - | Microversion 3.19"},{"line_number":1028,"context_line":"       | ``POST  /group_snapshots/{group_snapshot_id}/action`` (reset_status)"},{"line_number":1029,"context_line":"     - group:reset_group_snapshot_status"},{"line_number":1030,"context_line":"     - rule:admin_api"},{"line_number":1031,"context_line":"     - no"},{"line_number":1032,"context_line":"     - yes"},{"line_number":1033,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":14,"id":"0589c5d9_9400eff5","line":1030,"range":{"start_line":1030,"start_character":7,"end_line":1030,"end_character":21},"updated":"2021-07-19 14:27:24.000000000","message":":nit: Since the rule is admin shouldn\u0027t this be?\n     - rule:admin_api\n     - no\n     - no\n     - no\n     - no\n     - yes\n     - no\n     - yes","commit_id":"1759226826804f386ca74e751f50969982859ab8"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"94d2d5698a6ab73d43802be78c440372fa7af0b7","unresolved":true,"context_lines":[{"line_number":1027,"context_line":"     - | Microversion 3.19"},{"line_number":1028,"context_line":"       | ``POST  /group_snapshots/{group_snapshot_id}/action`` 
(reset_status)"},{"line_number":1029,"context_line":"     - group:reset_group_snapshot_status"},{"line_number":1030,"context_line":"     - rule:admin_api"},{"line_number":1031,"context_line":"     - no"},{"line_number":1032,"context_line":"     - yes"},{"line_number":1033,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":14,"id":"031841ef_6b042c95","line":1030,"range":{"start_line":1030,"start_character":7,"end_line":1030,"end_character":21},"in_reply_to":"0589c5d9_9400eff5","updated":"2021-07-20 22:59:32.000000000","message":"You are correct!","commit_id":"1759226826804f386ca74e751f50969982859ab8"},{"author":{"_account_id":20813,"name":"Sofia Enriquez","email":"lsofia.enriquez@gmail.com","username":"enriquetaso"},"change_message_id":"5a5146db0fa9e599beab553b236d007e756c234d","unresolved":true,"context_lines":[{"line_number":1023,"context_line":"     - system-admin"},{"line_number":1024,"context_line":"     - (old \"owner\")"},{"line_number":1025,"context_line":"     - (old \"admin\")"},{"line_number":1026,"context_line":"   * - Reset status of group snapshot"},{"line_number":1027,"context_line":"     - | Microversion 3.19"},{"line_number":1028,"context_line":"       | ``POST  /group_snapshots/{group_snapshot_id}/action`` (reset_status)"},{"line_number":1029,"context_line":"     - group:reset_group_snapshot_status"},{"line_number":1030,"context_line":"     - rule:admin_api"},{"line_number":1031,"context_line":"     - no"},{"line_number":1032,"context_line":"     - yes"},{"line_number":1033,"context_line":"     - yes"},{"line_number":1034,"context_line":"     - no"},{"line_number":1035,"context_line":"     - yes"},{"line_number":1036,"context_line":"     - yes"},{"line_number":1037,"context_line":"     - yes"},{"line_number":1038,"context_line":"   * - Delete group"},{"line_number":1039,"context_line":"     - ``POST  /groups/{group_id}/action`` (delete)"},{"line_number":1040,"context_line":"     - 
group:delete"}],"source_content_type":"text/x-rst","patch_set":14,"id":"44d4b8e7_48d92f5e","line":1037,"range":{"start_line":1026,"start_character":0,"end_line":1037,"end_character":10},"updated":"2021-07-19 14:27:24.000000000","message":":nit: I guess it\u0027s a group action, but maybe it would make more sense for this row to be in the table above, \"Group Snapshots (Microversion 3.14)\"?","commit_id":"1759226826804f386ca74e751f50969982859ab8"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"94d2d5698a6ab73d43802be78c440372fa7af0b7","unresolved":true,"context_lines":[{"line_number":1023,"context_line":"     - system-admin"},{"line_number":1024,"context_line":"     - (old \"owner\")"},{"line_number":1025,"context_line":"     - (old \"admin\")"},{"line_number":1026,"context_line":"   * - Reset status of group snapshot"},{"line_number":1027,"context_line":"     - | Microversion 3.19"},{"line_number":1028,"context_line":"       | ``POST  /group_snapshots/{group_snapshot_id}/action`` (reset_status)"},{"line_number":1029,"context_line":"     - group:reset_group_snapshot_status"},{"line_number":1030,"context_line":"     - rule:admin_api"},{"line_number":1031,"context_line":"     - no"},{"line_number":1032,"context_line":"     - yes"},{"line_number":1033,"context_line":"     - yes"},{"line_number":1034,"context_line":"     - no"},{"line_number":1035,"context_line":"     - yes"},{"line_number":1036,"context_line":"     - yes"},{"line_number":1037,"context_line":"     - yes"},{"line_number":1038,"context_line":"   * - Delete group"},{"line_number":1039,"context_line":"     - ``POST  /groups/{group_id}/action`` (delete)"},{"line_number":1040,"context_line":"     - 
group:delete"}],"source_content_type":"text/x-rst","patch_set":14,"id":"2b6188f8_493e7339","line":1037,"range":{"start_line":1026,"start_character":0,"end_line":1037,"end_character":10},"in_reply_to":"44d4b8e7_48d92f5e","updated":"2021-07-20 22:59:32.000000000","message":"That\u0027s a good suggestion, I will move this into the table with the other group_snapshots URLs.","commit_id":"1759226826804f386ca74e751f50969982859ab8"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"27af00957d1457ff5cc96dc2402436d9c2c4689a","unresolved":true,"context_lines":[{"line_number":1369,"context_line":"   * - Failover a backend host.  Secondary check; must also satisfy"},{"line_number":1370,"context_line":"       volume_extension:services:update to make this call."},{"line_number":1371,"context_line":"     - | ``PUT  /os-services/failover_host``"},{"line_number":1372,"context_line":"       | ``PUT  /os-services/failover`` (microversion 3.26)"},{"line_number":1373,"context_line":"     - volume:failover_host"},{"line_number":1374,"context_line":"     - rule:admin_api"},{"line_number":1375,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":14,"id":"ef8b585c_c86b8969","line":1372,"range":{"start_line":1372,"start_character":40,"end_line":1372,"end_character":59},"updated":"2021-07-30 15:20:56.000000000","message":"I understand that this is a new API introduced in MV 3.26 but the policy governing this volume:failover_host has no microversion check and is the same for both APIs[1]\nMaybe the code is right and we should just drop this to avoid confusion\n\n[1] https://github.com/openstack/cinder/blob/master/cinder/volume/api.py#L1970","commit_id":"1759226826804f386ca74e751f50969982859ab8"},{"author":{"_account_id":5314,"name":"Brian 
Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"a78c1428e9e3baf168c60046efd5e79092de7d09","unresolved":true,"context_lines":[{"line_number":1369,"context_line":"   * - Failover a backend host.  Secondary check; must also satisfy"},{"line_number":1370,"context_line":"       volume_extension:services:update to make this call."},{"line_number":1371,"context_line":"     - | ``PUT  /os-services/failover_host``"},{"line_number":1372,"context_line":"       | ``PUT  /os-services/failover`` (microversion 3.26)"},{"line_number":1373,"context_line":"     - volume:failover_host"},{"line_number":1374,"context_line":"     - rule:admin_api"},{"line_number":1375,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":14,"id":"c4809670_4f6cd9b8","line":1372,"range":{"start_line":1372,"start_character":40,"end_line":1372,"end_character":59},"in_reply_to":"ef8b585c_c86b8969","updated":"2021-08-02 20:52:34.000000000","message":"My idea was to mention the mv here because if you make a request to /os-services/failover without specifying mv \u003e\u003d 3.26, you get a 400.  
Think about it, and if you still find it confusing, I can change it.","commit_id":"1759226826804f386ca74e751f50969982859ab8"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"d05993855701dfcca7a10bdc2f92db830de3717b","unresolved":true,"context_lines":[{"line_number":1644,"context_line":"     - no"},{"line_number":1645,"context_line":"     - no"},{"line_number":1646,"context_line":"     - no"},{"line_number":1647,"context_line":"     - yes"},{"line_number":1648,"context_line":"     - yes"},{"line_number":1649,"context_line":"     - no"},{"line_number":1650,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":14,"id":"f9caeb34_ab9d860e","line":1647,"range":{"start_line":1647,"start_character":7,"end_line":1647,"end_character":10},"updated":"2021-07-19 15:42:46.000000000","message":"since the previous policy is admin_only, this should be no","commit_id":"1759226826804f386ca74e751f50969982859ab8"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"94d2d5698a6ab73d43802be78c440372fa7af0b7","unresolved":true,"context_lines":[{"line_number":1644,"context_line":"     - no"},{"line_number":1645,"context_line":"     - no"},{"line_number":1646,"context_line":"     - no"},{"line_number":1647,"context_line":"     - yes"},{"line_number":1648,"context_line":"     - yes"},{"line_number":1649,"context_line":"     - no"},{"line_number":1650,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3fe5aa23_0338f59f","line":1647,"range":{"start_line":1647,"start_character":7,"end_line":1647,"end_character":10},"in_reply_to":"f9caeb34_ab9d860e","updated":"2021-07-20 22:59:32.000000000","message":"good catch!","commit_id":"1759226826804f386ca74e751f50969982859ab8"},{"author":{"_account_id":5314,"name":"Brian 
Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"203baa2f13b0fbd993ddcc45e6d6f2d1d8456d92","unresolved":true,"context_lines":[{"line_number":2153,"context_line":"     - yes"},{"line_number":2154,"context_line":"     - yes"},{"line_number":2155,"context_line":"   * - Update volume admin metadata."},{"line_number":2156,"context_line":"     - | ``POST  /volumes/{volume_id}/action`` (os-update_readonly_flag)"},{"line_number":2157,"context_line":"       | ``POST  /volumes/{volume_id}/action`` (os-attach)"},{"line_number":2158,"context_line":"     - volume:update_volume_admin_metadata"},{"line_number":2159,"context_line":"     - rule:admin_api"}],"source_content_type":"text/x-rst","patch_set":14,"id":"20f6a5ee_162f3147","line":2156,"range":{"start_line":2156,"start_character":1,"end_line":2156,"end_character":72},"updated":"2021-07-19 16:20:08.000000000","message":"this is governed by a different policy (see volume:update_readonly_flag, above)","commit_id":"1759226826804f386ca74e751f50969982859ab8"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"203baa2f13b0fbd993ddcc45e6d6f2d1d8456d92","unresolved":true,"context_lines":[{"line_number":2154,"context_line":"     - yes"},{"line_number":2155,"context_line":"   * - Update volume admin metadata."},{"line_number":2156,"context_line":"     - | ``POST  /volumes/{volume_id}/action`` (os-update_readonly_flag)"},{"line_number":2157,"context_line":"       | ``POST  /volumes/{volume_id}/action`` (os-attach)"},{"line_number":2158,"context_line":"     - volume:update_volume_admin_metadata"},{"line_number":2159,"context_line":"     - rule:admin_api"},{"line_number":2160,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":14,"id":"745f4c6f_3b0f9dc7","line":2157,"range":{"start_line":2157,"start_character":1,"end_line":2157,"end_character":58},"updated":"2021-07-19 
16:20:08.000000000","message":"this also has its own policy: volume_extension:volume_actions:attach","commit_id":"1759226826804f386ca74e751f50969982859ab8"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"203baa2f13b0fbd993ddcc45e6d6f2d1d8456d92","unresolved":true,"context_lines":[{"line_number":2155,"context_line":"   * - Update volume admin metadata."},{"line_number":2156,"context_line":"     - | ``POST  /volumes/{volume_id}/action`` (os-update_readonly_flag)"},{"line_number":2157,"context_line":"       | ``POST  /volumes/{volume_id}/action`` (os-attach)"},{"line_number":2158,"context_line":"     - volume:update_volume_admin_metadata"},{"line_number":2159,"context_line":"     - rule:admin_api"},{"line_number":2160,"context_line":"     - no"},{"line_number":2161,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":14,"id":"80085dfd_c6644a7a","line":2158,"updated":"2021-07-19 16:20:08.000000000","message":"This is actually a very strange policy.  
The function where it\u0027s checked in cinder/volume/api.py is only called by the functions that perform the above 2 actions.","commit_id":"1759226826804f386ca74e751f50969982859ab8"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"94d2d5698a6ab73d43802be78c440372fa7af0b7","unresolved":true,"context_lines":[{"line_number":2155,"context_line":"   * - Update volume admin metadata."},{"line_number":2156,"context_line":"     - | ``POST  /volumes/{volume_id}/action`` (os-update_readonly_flag)"},{"line_number":2157,"context_line":"       | ``POST  /volumes/{volume_id}/action`` (os-attach)"},{"line_number":2158,"context_line":"     - volume:update_volume_admin_metadata"},{"line_number":2159,"context_line":"     - rule:admin_api"},{"line_number":2160,"context_line":"     - no"},{"line_number":2161,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3042d4f9_3e9f7bdc","line":2158,"in_reply_to":"80085dfd_c6644a7a","updated":"2021-07-20 22:59:32.000000000","message":"Will rewrite this section to explain the above points.","commit_id":"1759226826804f386ca74e751f50969982859ab8"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"56e800ef43a6382ef937e6954d76ed6987e1f664","unresolved":true,"context_lines":[{"line_number":193,"context_line":"of the personas (project-reader, project-member, and system-admin) are"},{"line_number":194,"context_line":"implemented in the Xena release."},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"NOTE: the columns in () will be deleted; they are here for comparison as the"},{"line_number":197,"context_line":"matrix is validated by human beings."},{"line_number":198,"context_line":""},{"line_number":199,"context_line":".. 
list-table:: Attachments (Microversion 3.27)"},{"line_number":200,"context_line":"   :header-rows: 1"}],"source_content_type":"text/x-rst","patch_set":17,"id":"55815641_4d851181","line":197,"range":{"start_line":196,"start_character":0,"end_line":197,"end_character":36},"updated":"2021-09-03 13:21:37.000000000","message":"we discussed it and we will be keeping it for now since it\u0027s helpful for comparison with old rules.","commit_id":"e429fa9740d6539b94e374af652e929b16d0bcb1"}]}
