)]}'
{"cinder/policies/base.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7c5b311fda3ef7edb01c1f19c1eb1d4fbe4db00f","unresolved":true,"context_lines":[{"line_number":18,"context_line":""},{"line_number":19,"context_line":"# General observations"},{"line_number":20,"context_line":"# --------------------"},{"line_number":21,"context_line":"# - This file uses the three \"default roles\" provided by the default Keystone"},{"line_number":22,"context_line":"#   installation.  These are \u0027admin\u0027, \u0027member\u0027, and \u0027reader\u0027."},{"line_number":23,"context_line":"#"},{"line_number":24,"context_line":"# - The default Keystone installation implements an inheritance relation"},{"line_number":25,"context_line":"#   between the roles:"}],"source_content_type":"text/x-python","patch_set":3,"id":"453ffaf7_baf10530","line":22,"range":{"start_line":21,"start_character":54,"end_line":22,"end_character":16},"updated":"2021-08-09 16:31:31.000000000","message":"nit: specifically during bootstrap\n\n  provided by Keystone during ``keystone-manage bootstrap``.","commit_id":"8c0f690087ea9ca4c4176d22cb58e2e2e3db55fc"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"7db7b8c3d8673aaf9f90249d08b0620ef7a46f48","unresolved":true,"context_lines":[{"line_number":18,"context_line":""},{"line_number":19,"context_line":"# General observations"},{"line_number":20,"context_line":"# --------------------"},{"line_number":21,"context_line":"# - This file uses the three \"default roles\" provided by the default Keystone"},{"line_number":22,"context_line":"#   installation.  
These are \u0027admin\u0027, \u0027member\u0027, and \u0027reader\u0027."},{"line_number":23,"context_line":"#"},{"line_number":24,"context_line":"# - The default Keystone installation implements an inheritance relation"},{"line_number":25,"context_line":"#   between the roles:"}],"source_content_type":"text/x-python","patch_set":3,"id":"dc13d017_35f0cfaa","line":22,"range":{"start_line":21,"start_character":54,"end_line":22,"end_character":16},"in_reply_to":"453ffaf7_baf10530","updated":"2021-08-10 15:25:58.000000000","message":"good correction, will update.","commit_id":"8c0f690087ea9ca4c4176d22cb58e2e2e3db55fc"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7c5b311fda3ef7edb01c1f19c1eb1d4fbe4db00f","unresolved":true,"context_lines":[{"line_number":24,"context_line":"# - The default Keystone installation implements an inheritance relation"},{"line_number":25,"context_line":"#   between the roles:"},{"line_number":26,"context_line":"#       \u0027admin\u0027 is-a \u0027member\u0027 is-a \u0027reader\u0027"},{"line_number":27,"context_line":"#   More importantly, however, Keystone will actually populate the credentials"},{"line_number":28,"context_line":"#   appropriately.  Thus, someone with the \u0027admin\u0027 role on project X will also"},{"line_number":29,"context_line":"#   have the \u0027member\u0027 and \u0027reader\u0027 roles on project X.  
What this means for"},{"line_number":30,"context_line":"#   us is that if we have a policy we want satisfied by someone with any of"}],"source_content_type":"text/x-python","patch_set":3,"id":"8e497822_bb0cab7d","line":27,"range":{"start_line":27,"start_character":67,"end_line":27,"end_character":78},"updated":"2021-08-09 16:31:31.000000000","message":"nit: roles\n\nWhen I think of credentials I automatically start thinking of authentication, where we\u0027re talking about roles and authorization.","commit_id":"8c0f690087ea9ca4c4176d22cb58e2e2e3db55fc"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"7db7b8c3d8673aaf9f90249d08b0620ef7a46f48","unresolved":true,"context_lines":[{"line_number":24,"context_line":"# - The default Keystone installation implements an inheritance relation"},{"line_number":25,"context_line":"#   between the roles:"},{"line_number":26,"context_line":"#       \u0027admin\u0027 is-a \u0027member\u0027 is-a \u0027reader\u0027"},{"line_number":27,"context_line":"#   More importantly, however, Keystone will actually populate the credentials"},{"line_number":28,"context_line":"#   appropriately.  Thus, someone with the \u0027admin\u0027 role on project X will also"},{"line_number":29,"context_line":"#   have the \u0027member\u0027 and \u0027reader\u0027 roles on project X.  
What this means for"},{"line_number":30,"context_line":"#   us is that if we have a policy we want satisfied by someone with any of"}],"source_content_type":"text/x-python","patch_set":3,"id":"d90de496_04da17f5","line":27,"range":{"start_line":27,"start_character":67,"end_line":27,"end_character":78},"in_reply_to":"8e497822_bb0cab7d","updated":"2021-08-10 15:25:58.000000000","message":"thanks, it\u0027s worth being accurate here","commit_id":"8c0f690087ea9ca4c4176d22cb58e2e2e3db55fc"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7c5b311fda3ef7edb01c1f19c1eb1d4fbe4db00f","unresolved":true,"context_lines":[{"line_number":34,"context_line":"#       \"get-foo-policy\": \"role:reader\""},{"line_number":35,"context_line":"#   because we know that anyone who has been assigned the \u0027admin\u0027 role in"},{"line_number":36,"context_line":"#   Keystone also has the \u0027member\u0027 and \u0027reader\u0027 roles, and anyone assigned"},{"line_number":37,"context_line":"#   the \u0027member\u0027 role *also* has the \u0027reader\u0027 role."},{"line_number":38,"context_line":"#"},{"line_number":39,"context_line":"# - How do I know what string to use?"},{"line_number":40,"context_line":"#   Cinder maintains a policy matrix correlating REST API calls, policy"}],"source_content_type":"text/x-python","patch_set":3,"id":"1fb7c479_51a65935","line":37,"updated":"2021-08-09 16:31:31.000000000","message":"Nice. 
We do have some of this documented here [0] in case it\u0027s helpful for you to reuse and link to it.\n\n[0] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html","commit_id":"8c0f690087ea9ca4c4176d22cb58e2e2e3db55fc"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"7db7b8c3d8673aaf9f90249d08b0620ef7a46f48","unresolved":true,"context_lines":[{"line_number":34,"context_line":"#       \"get-foo-policy\": \"role:reader\""},{"line_number":35,"context_line":"#   because we know that anyone who has been assigned the \u0027admin\u0027 role in"},{"line_number":36,"context_line":"#   Keystone also has the \u0027member\u0027 and \u0027reader\u0027 roles, and anyone assigned"},{"line_number":37,"context_line":"#   the \u0027member\u0027 role *also* has the \u0027reader\u0027 role."},{"line_number":38,"context_line":"#"},{"line_number":39,"context_line":"# - How do I know what string to use?"},{"line_number":40,"context_line":"#   Cinder maintains a policy matrix correlating REST API calls, policy"}],"source_content_type":"text/x-python","patch_set":3,"id":"d2ab7a70_8ee40133","line":37,"in_reply_to":"1fb7c479_51a65935","updated":"2021-08-10 15:25:58.000000000","message":"Thanks.  I\u0027m hoping that a cinder dev who has to write/maintain policies will at least read the comment here.  It will be useful to have the link, though, in case they want to read the full story.","commit_id":"8c0f690087ea9ca4c4176d22cb58e2e2e3db55fc"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7c5b311fda3ef7edb01c1f19c1eb1d4fbe4db00f","unresolved":true,"context_lines":[{"line_number":44,"context_line":"#   using the default Keystone roles and scopes ... 
but you have to be"},{"line_number":45,"context_line":"#   careful, because for example, a \"system-reader\" persona is NOT simply"},{"line_number":46,"context_line":"#   a read-only administrator (it\u0027s actually less).  See the policy matrix"},{"line_number":47,"context_line":"#   for details."},{"line_number":48,"context_line":"#"},{"line_number":49,"context_line":"# - This is probably obvious, but I\u0027ll say it anyway.  There is nothing"},{"line_number":50,"context_line":"#   magic about the \u0027reader\u0027 role that guarantees that someone with *only*"}],"source_content_type":"text/x-python","patch_set":3,"id":"5d570504_e4f35023","line":47,"updated":"2021-08-09 16:31:31.000000000","message":"Is there a link to this, yet? Or is that coming later?","commit_id":"8c0f690087ea9ca4c4176d22cb58e2e2e3db55fc"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"7db7b8c3d8673aaf9f90249d08b0620ef7a46f48","unresolved":true,"context_lines":[{"line_number":44,"context_line":"#   using the default Keystone roles and scopes ... but you have to be"},{"line_number":45,"context_line":"#   careful, because for example, a \"system-reader\" persona is NOT simply"},{"line_number":46,"context_line":"#   a read-only administrator (it\u0027s actually less).  See the policy matrix"},{"line_number":47,"context_line":"#   for details."},{"line_number":48,"context_line":"#"},{"line_number":49,"context_line":"# - This is probably obvious, but I\u0027ll say it anyway.  
There is nothing"},{"line_number":50,"context_line":"#   magic about the \u0027reader\u0027 role that guarantees that someone with *only*"}],"source_content_type":"text/x-python","patch_set":3,"id":"c0ffaf40_eee76623","line":47,"in_reply_to":"5d570504_e4f35023","updated":"2021-08-10 15:25:58.000000000","message":"It\u0027s still in review, so the link will have to come in a followup patch.","commit_id":"8c0f690087ea9ca4c4176d22cb58e2e2e3db55fc"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7c5b311fda3ef7edb01c1f19c1eb1d4fbe4db00f","unresolved":true,"context_lines":[{"line_number":52,"context_line":"#   Cinder service team) give it meaning by the way we define our policy"},{"line_number":53,"context_line":"#   rules.  So if as a joke, we were to write rules that allowed someone"},{"line_number":54,"context_line":"#   with only the \u0027reader\u0027 role to delete volumes in any project, there is"},{"line_number":55,"context_line":"#   nothing Keystone could do about it.  So be careful."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"# Private policy checkstrings"}],"source_content_type":"text/x-python","patch_set":3,"id":"9e34e9f2_f1d864ec","line":55,"updated":"2021-08-09 16:31:31.000000000","message":"Yeah - exactly, it\u0027s an agreed upon convention. 
Role names are just strings.","commit_id":"8c0f690087ea9ca4c4176d22cb58e2e2e3db55fc"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7c5b311fda3ef7edb01c1f19c1eb1d4fbe4db00f","unresolved":true,"context_lines":[{"line_number":115,"context_line":"    f\u0027({_LEGACY_SYSTEM_ADMIN}) or ({_PROJECT_MEMBER})\u0027)"},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"XENA_SYSTEM_READER_OR_PROJECT_READER \u003d ("},{"line_number":118,"context_line":"    f\u0027({_LEGACY_SYSTEM_READER}) or ({_PROJECT_READER})\u0027)"},{"line_number":119,"context_line":""},{"line_number":120,"context_line":"XENA_SYSTEM_ADMIN_ONLY \u003d f\u0027({_LEGACY_SYSTEM_ADMIN})\u0027"},{"line_number":121,"context_line":""}],"source_content_type":"text/x-python","patch_set":3,"id":"05e3a253_1cb29c0b","line":118,"updated":"2021-08-09 16:31:31.000000000","message":"nit: This is duplicated from lines 111 - 112.","commit_id":"8c0f690087ea9ca4c4176d22cb58e2e2e3db55fc"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"7db7b8c3d8673aaf9f90249d08b0620ef7a46f48","unresolved":true,"context_lines":[{"line_number":115,"context_line":"    f\u0027({_LEGACY_SYSTEM_ADMIN}) or ({_PROJECT_MEMBER})\u0027)"},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"XENA_SYSTEM_READER_OR_PROJECT_READER \u003d ("},{"line_number":118,"context_line":"    f\u0027({_LEGACY_SYSTEM_READER}) or ({_PROJECT_READER})\u0027)"},{"line_number":119,"context_line":""},{"line_number":120,"context_line":"XENA_SYSTEM_ADMIN_ONLY \u003d f\u0027({_LEGACY_SYSTEM_ADMIN})\u0027"},{"line_number":121,"context_line":""}],"source_content_type":"text/x-python","patch_set":3,"id":"eda79573_07e98d43","line":118,"in_reply_to":"05e3a253_1cb29c0b","updated":"2021-08-10 15:25:58.000000000","message":"Thanks for catching this.  
Now I need to remember whether this was a duplicate paste, for a paste I forgot to edit!","commit_id":"8c0f690087ea9ca4c4176d22cb58e2e2e3db55fc"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7c5b311fda3ef7edb01c1f19c1eb1d4fbe4db00f","unresolved":true,"context_lines":[{"line_number":130,"context_line":"# SYSTEM_ADMIN_OR_PROJECT_MEMBER \u003d _YOGA_SYSTEM_ADMIN_OR_PROJECT_MEMBER"},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"SYSTEM_READER_OR_PROJECT_READER \u003d XENA_SYSTEM_READER_OR_PROJECT_READER"},{"line_number":133,"context_line":"# SYSTEM_READER_OR_PROJECT_READER \u003d _YOGA_SYSTEM_READER_OR_PROJECT_READER"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"SYSTEM_ADMIN_ONLY \u003d XENA_SYSTEM_ADMIN_ONLY"},{"line_number":136,"context_line":"# SYSTEM_ADMIN_ONLY \u003d _YOGA_SYSTEM_ADMIN_ONLY"}],"source_content_type":"text/x-python","patch_set":3,"id":"42d4d0e1_e27eee96","line":133,"updated":"2021-08-09 16:31:31.000000000","message":"nit: This is duplicated from lines 126 - 127.","commit_id":"8c0f690087ea9ca4c4176d22cb58e2e2e3db55fc"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7c5b311fda3ef7edb01c1f19c1eb1d4fbe4db00f","unresolved":true,"context_lines":[{"line_number":144,"context_line":"#"},{"line_number":145,"context_line":"# 1. In Xena, the Wallaby checkstrings are moved to DeprecatedRules and"},{"line_number":146,"context_line":"#    new checkstrings (using the three default roles but project scope only)"},{"line_number":147,"context_line":"#    are defined in CinderDocumentedRuleDefaults.  
At this point, only the"},{"line_number":148,"context_line":"#    three Cinder personas of system-admin, project-member, and project-reader"},{"line_number":149,"context_line":"#    will be implemented, but to prepare for Yoga, we\u0027ll use the variables"},{"line_number":150,"context_line":"#    defined in the \"Public policy checkstrings expressed as personas\" above."}],"source_content_type":"text/x-python","patch_set":3,"id":"e8b68134_88805e3e","line":147,"range":{"start_line":147,"start_character":17,"end_line":147,"end_character":19},"updated":"2021-08-09 16:31:31.000000000","message":"nit: in or as?","commit_id":"8c0f690087ea9ca4c4176d22cb58e2e2e3db55fc"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"55b8dfc1b259401fbe4dd0b9abecdd846df07c1b","unresolved":false,"context_lines":[{"line_number":144,"context_line":"#"},{"line_number":145,"context_line":"# 1. In Xena, the Wallaby checkstrings are moved to DeprecatedRules and"},{"line_number":146,"context_line":"#    new checkstrings (using the three default roles but project scope only)"},{"line_number":147,"context_line":"#    are defined in CinderDocumentedRuleDefaults.  
At this point, only the"},{"line_number":148,"context_line":"#    three Cinder personas of system-admin, project-member, and project-reader"},{"line_number":149,"context_line":"#    will be implemented, but to prepare for Yoga, we\u0027ll use the variables"},{"line_number":150,"context_line":"#    defined in the \"Public policy checkstrings expressed as personas\" above."}],"source_content_type":"text/x-python","patch_set":3,"id":"e837ae55_cae07a9d","line":147,"range":{"start_line":147,"start_character":17,"end_line":147,"end_character":19},"in_reply_to":"737c6c53_c3b93304","updated":"2021-08-10 20:52:07.000000000","message":"Ack","commit_id":"8c0f690087ea9ca4c4176d22cb58e2e2e3db55fc"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"7db7b8c3d8673aaf9f90249d08b0620ef7a46f48","unresolved":true,"context_lines":[{"line_number":144,"context_line":"#"},{"line_number":145,"context_line":"# 1. In Xena, the Wallaby checkstrings are moved to DeprecatedRules and"},{"line_number":146,"context_line":"#    new checkstrings (using the three default roles but project scope only)"},{"line_number":147,"context_line":"#    are defined in CinderDocumentedRuleDefaults.  
At this point, only the"},{"line_number":148,"context_line":"#    three Cinder personas of system-admin, project-member, and project-reader"},{"line_number":149,"context_line":"#    will be implemented, but to prepare for Yoga, we\u0027ll use the variables"},{"line_number":150,"context_line":"#    defined in the \"Public policy checkstrings expressed as personas\" above."}],"source_content_type":"text/x-python","patch_set":3,"id":"737c6c53_c3b93304","line":147,"range":{"start_line":147,"start_character":17,"end_line":147,"end_character":19},"in_reply_to":"e8b68134_88805e3e","updated":"2021-08-10 15:25:58.000000000","message":"I\u0027m thinking of the check_str being a field of the object, so \u0027in\u0027, but that may be my own idiosyncrasy.","commit_id":"8c0f690087ea9ca4c4176d22cb58e2e2e3db55fc"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7c5b311fda3ef7edb01c1f19c1eb1d4fbe4db00f","unresolved":true,"context_lines":[{"line_number":161,"context_line":"#"},{"line_number":162,"context_line":"#    The Yoga checkstrings (using the three default roles + system scope) will"},{"line_number":163,"context_line":"#    give us the full five Cinder personas, which operators can activate by"},{"line_number":164,"context_line":"#    setting \u0027enforce_new_defaults\u003dTrue\u0027 and \u0027enforce_scope\u003dTrue\u0027 in the"},{"line_number":165,"context_line":"#    [oslo_policy] section of their cinder configuration file (after they"},{"line_number":166,"context_line":"#    have made appropriate adjustments to the user definitions in their"},{"line_number":167,"context_line":"#    Keystone database)."}],"source_content_type":"text/x-python","patch_set":3,"id":"1fe00977_2c32552d","line":164,"range":{"start_line":164,"start_character":45,"end_line":164,"end_character":65},"updated":"2021-08-09 16:31:31.000000000","message":"Do we want to advise this if cinder doesn\u0027t support system 
scope, yet?","commit_id":"8c0f690087ea9ca4c4176d22cb58e2e2e3db55fc"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"7db7b8c3d8673aaf9f90249d08b0620ef7a46f48","unresolved":true,"context_lines":[{"line_number":161,"context_line":"#"},{"line_number":162,"context_line":"#    The Yoga checkstrings (using the three default roles + system scope) will"},{"line_number":163,"context_line":"#    give us the full five Cinder personas, which operators can activate by"},{"line_number":164,"context_line":"#    setting \u0027enforce_new_defaults\u003dTrue\u0027 and \u0027enforce_scope\u003dTrue\u0027 in the"},{"line_number":165,"context_line":"#    [oslo_policy] section of their cinder configuration file (after they"},{"line_number":166,"context_line":"#    have made appropriate adjustments to the user definitions in their"},{"line_number":167,"context_line":"#    Keystone database)."}],"source_content_type":"text/x-python","patch_set":3,"id":"bb83a43a_a89136e8","line":164,"range":{"start_line":164,"start_character":45,"end_line":164,"end_character":65},"in_reply_to":"1fe00977_2c32552d","updated":"2021-08-10 15:25:58.000000000","message":"This is aimed at cinder devs who have to write/maintain policies, but you\u0027re correct -- anyone can read it.  I want devs to be aware of what the knobs are, but i will rewrite so this doesn\u0027t sound like advice!","commit_id":"8c0f690087ea9ca4c4176d22cb58e2e2e3db55fc"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"69bfeca86bcc729a7d442a0c89e34274f65f21ee","unresolved":true,"context_lines":[{"line_number":47,"context_line":"#   a read-only administrator (it\u0027s actually less).  
See the policy matrix"},{"line_number":48,"context_line":"#   for details."},{"line_number":49,"context_line":"#"},{"line_number":50,"context_line":"# - This is probably obvious, but I\u0027ll say it anyway.  There is nothing"},{"line_number":51,"context_line":"#   magic about the \u0027reader\u0027 role that guarantees that someone with *only*"},{"line_number":52,"context_line":"#   that role can only do read-only kind of stuff in a service.  We (as the"},{"line_number":53,"context_line":"#   Cinder service team) give it meaning by the way we define our policy"},{"line_number":54,"context_line":"#   rules.  So if as a joke, we were to write rules that allowed someone"},{"line_number":55,"context_line":"#   with only the \u0027reader\u0027 role to delete volumes in any project, there is"}],"source_content_type":"text/x-python","patch_set":4,"id":"ef9d938e_8893d263","line":52,"range":{"start_line":50,"start_character":0,"end_line":52,"end_character":63},"updated":"2021-08-11 14:23:20.000000000","message":"I think the first sentence could (should?) be dropped, especially in light of my next comment.\n\nI think what you mean is there\u0027s nothing magic about the _name_ \u0027reader\u0027 (the role name). While our intent is that the role be read-only, the role name itself doesn\u0027t preclude it from having the ability to do things that affect the system.","commit_id":"e819a73b7d76d1174004161f3e8e8ddede654206"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"cb9add50dff9fbf779f48bddc58cb614f539a036","unresolved":true,"context_lines":[{"line_number":47,"context_line":"#   a read-only administrator (it\u0027s actually less).  See the policy matrix"},{"line_number":48,"context_line":"#   for details."},{"line_number":49,"context_line":"#"},{"line_number":50,"context_line":"# - This is probably obvious, but I\u0027ll say it anyway.  
There is nothing"},{"line_number":51,"context_line":"#   magic about the \u0027reader\u0027 role that guarantees that someone with *only*"},{"line_number":52,"context_line":"#   that role can only do read-only kind of stuff in a service.  We (as the"},{"line_number":53,"context_line":"#   Cinder service team) give it meaning by the way we define our policy"},{"line_number":54,"context_line":"#   rules.  So if as a joke, we were to write rules that allowed someone"},{"line_number":55,"context_line":"#   with only the \u0027reader\u0027 role to delete volumes in any project, there is"}],"source_content_type":"text/x-python","patch_set":4,"id":"dce2fcb5_230f9e04","line":52,"range":{"start_line":50,"start_character":0,"end_line":52,"end_character":63},"in_reply_to":"ef9d938e_8893d263","updated":"2021-08-12 17:27:51.000000000","message":"I need you to clarify, I\u0027m not sure how what you say here is different from what\u0027s there currently.","commit_id":"e819a73b7d76d1174004161f3e8e8ddede654206"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a075fdba4ef3111cb056e3fdab04ad6725a19b07","unresolved":true,"context_lines":[{"line_number":154,"context_line":"#"},{"line_number":155,"context_line":"#    The Yoga checkstrings (using the three default roles + system scope) will"},{"line_number":156,"context_line":"#    give us the full five Cinder personas.  
After operators have made"},{"line_number":157,"context_line":"#    appropriate adjustments to the user definitions in their Keystone"},{"line_number":158,"context_line":"#    database, they will be able to use the new checkstrings by setting"},{"line_number":159,"context_line":"#    the \u0027enforce_new_defaults\u0027 and \u0027enforce_scope\u0027 options to appropriate"},{"line_number":160,"context_line":"#    values in the [oslo_policy] section of their cinder configuration file."}],"source_content_type":"text/x-python","patch_set":4,"id":"b5c88e88_927b5c8e","line":157,"range":{"start_line":157,"start_character":36,"end_line":157,"end_character":52},"updated":"2021-08-10 20:55:14.000000000","message":"This might be a confusing concept for someone trying to do this in keystone since it sounds like I need to PATCH /v3/users/{USER_ID}\n\nMaybe something like?\n\n  After operators have made appropriate adjustments to user and group\n  role assignments in Keystone, ...\n\nThis eludes to the fact that actions that come out of the audit should be remediated using role assignments (e.g., user with the \u0027admin\u0027 role on a project should get the \u0027admin\u0027 role on the system to maintain parity).","commit_id":"e819a73b7d76d1174004161f3e8e8ddede654206"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"cb9add50dff9fbf779f48bddc58cb614f539a036","unresolved":false,"context_lines":[{"line_number":154,"context_line":"#"},{"line_number":155,"context_line":"#    The Yoga checkstrings (using the three default roles + system scope) will"},{"line_number":156,"context_line":"#    give us the full five Cinder personas.  
After operators have made"},{"line_number":157,"context_line":"#    appropriate adjustments to the user definitions in their Keystone"},{"line_number":158,"context_line":"#    database, they will be able to use the new checkstrings by setting"},{"line_number":159,"context_line":"#    the \u0027enforce_new_defaults\u0027 and \u0027enforce_scope\u0027 options to appropriate"},{"line_number":160,"context_line":"#    values in the [oslo_policy] section of their cinder configuration file."}],"source_content_type":"text/x-python","patch_set":4,"id":"423d818c_bd6a73dd","line":157,"range":{"start_line":157,"start_character":36,"end_line":157,"end_character":52},"in_reply_to":"b5c88e88_927b5c8e","updated":"2021-08-12 17:27:51.000000000","message":"Ack","commit_id":"e819a73b7d76d1174004161f3e8e8ddede654206"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"221bc697c92637971b48708a29ca2e6f6a49b8fe","unresolved":true,"context_lines":[{"line_number":167,"context_line":"#    DocumentedRuleDefaults accordingly."},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"_XENA_DEPRECATED_REASON \u003d ("},{"line_number":170,"context_line":"    \u0027Default policies now support the three Keystone default roles, namely \u0027"},{"line_number":171,"context_line":"    \"\u0027admin\u0027, \u0027member\u0027, and \u0027reader\u0027 to implement three Cinder \""},{"line_number":172,"context_line":"    \u0027\"personas\". 
See \"Policy Personas and Permissions\" in the \"Cinder \u0027"},{"line_number":173,"context_line":"    \u0027Service Configuration\" documentation (Xena release) for details.\u0027)"}],"source_content_type":"text/x-python","patch_set":4,"id":"d9cc8899_1a597bf1","line":170,"range":{"start_line":170,"start_character":38,"end_line":170,"end_character":43},"updated":"2021-08-10 21:19:38.000000000","message":"I\u0027m wondering if operators are going to confuse the three here with just the role names below. Should we add the full persona names to distinguish personas (a role and scope combination) from the role?","commit_id":"e819a73b7d76d1174004161f3e8e8ddede654206"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"cb9add50dff9fbf779f48bddc58cb614f539a036","unresolved":true,"context_lines":[{"line_number":167,"context_line":"#    DocumentedRuleDefaults accordingly."},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"_XENA_DEPRECATED_REASON \u003d ("},{"line_number":170,"context_line":"    \u0027Default policies now support the three Keystone default roles, namely \u0027"},{"line_number":171,"context_line":"    \"\u0027admin\u0027, \u0027member\u0027, and \u0027reader\u0027 to implement three Cinder \""},{"line_number":172,"context_line":"    \u0027\"personas\". See \"Policy Personas and Permissions\" in the \"Cinder \u0027"},{"line_number":173,"context_line":"    \u0027Service Configuration\" documentation (Xena release) for details.\u0027)"}],"source_content_type":"text/x-python","patch_set":4,"id":"e67906e7_b4062c15","line":170,"range":{"start_line":170,"start_character":38,"end_line":170,"end_character":43},"in_reply_to":"485dc3b7_0d5340a3","updated":"2021-08-12 17:27:51.000000000","message":"I agree with Alan that it\u0027s going to be difficult to get this just right, but it\u0027s defined in only one place, so will be simple to change.  
Let\u0027s get some more feedback.","commit_id":"e819a73b7d76d1174004161f3e8e8ddede654206"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"69bfeca86bcc729a7d442a0c89e34274f65f21ee","unresolved":true,"context_lines":[{"line_number":167,"context_line":"#    DocumentedRuleDefaults accordingly."},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"_XENA_DEPRECATED_REASON \u003d ("},{"line_number":170,"context_line":"    \u0027Default policies now support the three Keystone default roles, namely \u0027"},{"line_number":171,"context_line":"    \"\u0027admin\u0027, \u0027member\u0027, and \u0027reader\u0027 to implement three Cinder \""},{"line_number":172,"context_line":"    \u0027\"personas\". See \"Policy Personas and Permissions\" in the \"Cinder \u0027"},{"line_number":173,"context_line":"    \u0027Service Configuration\" documentation (Xena release) for details.\u0027)"}],"source_content_type":"text/x-python","patch_set":4,"id":"485dc3b7_0d5340a3","line":170,"range":{"start_line":170,"start_character":38,"end_line":170,"end_character":43},"in_reply_to":"d9cc8899_1a597bf1","updated":"2021-08-11 14:23:20.000000000","message":"It may be difficult to strike the right balance between text that is comprehensive/complete (i.e. list the full persona names rather than just referring to \"the three Cinder personas\"), versus something a little too wording for a log message.","commit_id":"e819a73b7d76d1174004161f3e8e8ddede654206"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"221bc697c92637971b48708a29ca2e6f6a49b8fe","unresolved":true,"context_lines":[{"line_number":176,"context_line":"    \u0027Default policies now support Keystone default roles and system scope to \u0027"},{"line_number":177,"context_line":"    \u0027implement five Cinder \"personas\".  
See \"Policy Personas and Permissions\" \u0027"},{"line_number":178,"context_line":"    \u0027in the \"Cinder Service Configuration\" documentation (Yoga release) for \u0027"},{"line_number":179,"context_line":"    \u0027details.\u0027)"},{"line_number":180,"context_line":""},{"line_number":181,"context_line":"# TODO: change these in Yoga, and then to None in AA"},{"line_number":182,"context_line":"DEPRECATED_REASON \u003d _XENA_DEPRECATED_REASON"}],"source_content_type":"text/x-python","patch_set":4,"id":"2e4c09b7_8f82f2e8","line":179,"updated":"2021-08-10 21:19:38.000000000","message":"Same comment here as above.","commit_id":"e819a73b7d76d1174004161f3e8e8ddede654206"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"69bfeca86bcc729a7d442a0c89e34274f65f21ee","unresolved":true,"context_lines":[{"line_number":206,"context_line":"# These are used by the deprecated rules in the individual policy files"},{"line_number":207,"context_line":"# in Xena."},{"line_number":208,"context_line":"# TODO: remove in Yoga"},{"line_number":209,"context_line":"RULE_ADMIN_OR_OWNER \u003d \u0027rule:admin_or_owner\u0027"},{"line_number":210,"context_line":"RULE_ADMIN_API \u003d \u0027rule:admin_api\u0027"},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"# FIXME: remove these when cinder.policies.default_types is updated"},{"line_number":213,"context_line":"SYSTEM_OR_DOMAIN_OR_PROJECT_ADMIN \u003d \u0027rule:system_or_domain_or_project_admin\u0027"},{"line_number":214,"context_line":"SYSTEM_ADMIN \u003d _SYSTEM_ADMIN"}],"source_content_type":"text/x-python","patch_set":4,"id":"988ffe07_08d9bfe1","line":211,"range":{"start_line":209,"start_character":0,"end_line":211,"end_character":0},"updated":"2021-08-11 14:23:20.000000000","message":"These names are very specific (they match the rules). 
If we will have deprecations in both X and Y, is there a way to choose a variable name that won\u0027t require touching the other policy files when the deprecated rules change?\n\nMaybe the current names are meant to be exactly that (i.e. the values will change in Y)?\n\nWould adding a \"DEPRECATED_\" prefix add clarity?","commit_id":"e819a73b7d76d1174004161f3e8e8ddede654206"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"cb9add50dff9fbf779f48bddc58cb614f539a036","unresolved":true,"context_lines":[{"line_number":206,"context_line":"# These are used by the deprecated rules in the individual policy files"},{"line_number":207,"context_line":"# in Xena."},{"line_number":208,"context_line":"# TODO: remove in Yoga"},{"line_number":209,"context_line":"RULE_ADMIN_OR_OWNER \u003d \u0027rule:admin_or_owner\u0027"},{"line_number":210,"context_line":"RULE_ADMIN_API \u003d \u0027rule:admin_api\u0027"},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"# FIXME: remove these when cinder.policies.default_types is updated"},{"line_number":213,"context_line":"SYSTEM_OR_DOMAIN_OR_PROJECT_ADMIN \u003d \u0027rule:system_or_domain_or_project_admin\u0027"},{"line_number":214,"context_line":"SYSTEM_ADMIN \u003d _SYSTEM_ADMIN"}],"source_content_type":"text/x-python","patch_set":4,"id":"356c7d00_f8c66a97","line":211,"range":{"start_line":209,"start_character":0,"end_line":211,"end_character":0},"in_reply_to":"988ffe07_08d9bfe1","updated":"2021-08-12 17:27:51.000000000","message":"I tried to come up with a way to do this, but it gets too complicated (for me, anyway).  The problem is that we also have the \"\" checkstring, which we could name, except that it\u0027s used in 2 contexts: unrestricted for reading (for example, volume_extension:type_get) and unrestricted for writing (for example, backup:create).  
Similarly, the \u0027rule:admin_or_owner\u0027 is sometimes used for reading and sometimes writing.  So I think it will be better to just use \"\", RULE_ADMIN_OR_OWNER, and RULE_ADMIN_API in the deprecated rules and we can concentrate on making sure the new rules are correct, and then in Yoga we\u0027ll have to edit the files manually, but it should be a simple change and easy to review.","commit_id":"e819a73b7d76d1174004161f3e8e8ddede654206"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e59aaaddee27c2995249637e5ecb8a6cb6b46a28","unresolved":true,"context_lines":[{"line_number":186,"context_line":"DEPRECATED_SINCE \u003d versionutils.deprecated.XENA"},{"line_number":187,"context_line":""},{"line_number":188,"context_line":""},{"line_number":189,"context_line":"class CinderDeprecatedRule(policy.DeprecatedRule):"},{"line_number":190,"context_line":"    \"\"\"A DeprecatedRule subclass with pre-defined fields.\"\"\""},{"line_number":191,"context_line":"    def __init__(self,"},{"line_number":192,"context_line":"                 name: str,"}],"source_content_type":"text/x-python","patch_set":6,"id":"165c30cf_32b24623","line":189,"updated":"2021-08-18 20:47:28.000000000","message":"Thanks for rolling this in. We should be good to start building on this now, right? 
Or are we still going to wait for some of Alan\u0027s test changes?","commit_id":"10ac46c9044c6fe5a5c20458805bc7b3039a6c17"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"9a40c6b87bd6f314c67e86c9efdc5dfac9a18708","unresolved":true,"context_lines":[{"line_number":186,"context_line":"DEPRECATED_SINCE \u003d versionutils.deprecated.XENA"},{"line_number":187,"context_line":""},{"line_number":188,"context_line":""},{"line_number":189,"context_line":"class CinderDeprecatedRule(policy.DeprecatedRule):"},{"line_number":190,"context_line":"    \"\"\"A DeprecatedRule subclass with pre-defined fields.\"\"\""},{"line_number":191,"context_line":"    def __init__(self,"},{"line_number":192,"context_line":"                 name: str,"}],"source_content_type":"text/x-python","patch_set":6,"id":"62f7f23b_498c6677","line":189,"in_reply_to":"165c30cf_32b24623","updated":"2021-08-18 20:53:44.000000000","message":"I\u0027m cleaning up my test changes, which I thought I\u0027d submit as a separate patch.","commit_id":"10ac46c9044c6fe5a5c20458805bc7b3039a6c17"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"58c25be17c09752f25c0406b01aea250b1c1f289","unresolved":true,"context_lines":[{"line_number":186,"context_line":"DEPRECATED_SINCE \u003d versionutils.deprecated.XENA"},{"line_number":187,"context_line":""},{"line_number":188,"context_line":""},{"line_number":189,"context_line":"class CinderDeprecatedRule(policy.DeprecatedRule):"},{"line_number":190,"context_line":"    \"\"\"A DeprecatedRule subclass with pre-defined fields.\"\"\""},{"line_number":191,"context_line":"    def __init__(self,"},{"line_number":192,"context_line":"                 name: str,"}],"source_content_type":"text/x-python","patch_set":6,"id":"4835ea1d_99055fdb","line":189,"in_reply_to":"62f7f23b_498c6677","updated":"2021-08-19 
16:59:50.000000000","message":"Ack - thanks!\n\nSo - we\u0027re good to get some more reviews on this and open the flood gate for contributors to start refactoring all the things, amiright?!","commit_id":"10ac46c9044c6fe5a5c20458805bc7b3039a6c17"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"73c2048b559bfe535bcf60c29a03cd76acf90d74","unresolved":true,"context_lines":[{"line_number":149,"context_line":"        \u0027xena_system_admin_or_project_reader\u0027,"},{"line_number":150,"context_line":"        f\u0027({_LEGACY_SYSTEM_ADMIN}) or ({_PROJECT_READER})\u0027,"},{"line_number":151,"context_line":"        description\u003d(\"NOTE: this purely role-based rule does not recognize \""},{"line_number":152,"context_line":"                     \"scope\")),"},{"line_number":153,"context_line":"    policy.RuleDefault("},{"line_number":154,"context_line":"        \u0027xena_system_admin_or_project_member\u0027,"},{"line_number":155,"context_line":"        f\u0027({_LEGACY_SYSTEM_ADMIN}) or ({_PROJECT_MEMBER})\u0027,"}],"source_content_type":"text/x-python","patch_set":7,"id":"65ae2292_a254e003","line":152,"range":{"start_line":152,"start_character":22,"end_line":152,"end_character":27},"updated":"2021-08-20 21:17:53.000000000","message":"I think that\u0027s correct for the admin part, but we\u0027re using project scope for the reader check, which is going to enforce tenancy.","commit_id":"cc5bbde5e059b97a26c153a56c9ad03c9c9f1798"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c173b7505f8fee7d0597f5948ec4f189af3546fc","unresolved":false,"context_lines":[{"line_number":149,"context_line":"        \u0027xena_system_admin_or_project_reader\u0027,"},{"line_number":150,"context_line":"        f\u0027({_LEGACY_SYSTEM_ADMIN}) or ({_PROJECT_READER})\u0027,"},{"line_number":151,"context_line":"        
description\u003d(\"NOTE: this purely role-based rule does not recognize \""},{"line_number":152,"context_line":"                     \"scope\")),"},{"line_number":153,"context_line":"    policy.RuleDefault("},{"line_number":154,"context_line":"        \u0027xena_system_admin_or_project_member\u0027,"},{"line_number":155,"context_line":"        f\u0027({_LEGACY_SYSTEM_ADMIN}) or ({_PROJECT_MEMBER})\u0027,"}],"source_content_type":"text/x-python","patch_set":7,"id":"080b5e01_14b84c87","line":152,"range":{"start_line":152,"start_character":22,"end_line":152,"end_character":27},"in_reply_to":"65ae2292_a254e003","updated":"2021-08-21 12:01:11.000000000","message":"Ack","commit_id":"cc5bbde5e059b97a26c153a56c9ad03c9c9f1798"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"73c2048b559bfe535bcf60c29a03cd76acf90d74","unresolved":true,"context_lines":[{"line_number":152,"context_line":"                     \"scope\")),"},{"line_number":153,"context_line":"    policy.RuleDefault("},{"line_number":154,"context_line":"        \u0027xena_system_admin_or_project_member\u0027,"},{"line_number":155,"context_line":"        f\u0027({_LEGACY_SYSTEM_ADMIN}) or ({_PROJECT_MEMBER})\u0027,"},{"line_number":156,"context_line":"        description\u003d(\"NOTE: this purely role-based rule does not recognize \""},{"line_number":157,"context_line":"                     \"scope\")),"},{"line_number":158,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":7,"id":"f0c31c63_958a7f40","line":155,"range":{"start_line":155,"start_character":40,"end_line":155,"end_character":55},"updated":"2021-08-20 21:17:53.000000000","message":"Similar comment as above.","commit_id":"cc5bbde5e059b97a26c153a56c9ad03c9c9f1798"},{"author":{"_account_id":5314,"name":"Brian 
Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c173b7505f8fee7d0597f5948ec4f189af3546fc","unresolved":true,"context_lines":[{"line_number":152,"context_line":"                     \"scope\")),"},{"line_number":153,"context_line":"    policy.RuleDefault("},{"line_number":154,"context_line":"        \u0027xena_system_admin_or_project_member\u0027,"},{"line_number":155,"context_line":"        f\u0027({_LEGACY_SYSTEM_ADMIN}) or ({_PROJECT_MEMBER})\u0027,"},{"line_number":156,"context_line":"        description\u003d(\"NOTE: this purely role-based rule does not recognize \""},{"line_number":157,"context_line":"                     \"scope\")),"},{"line_number":158,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":7,"id":"12b6125e_ca2ef935","line":155,"range":{"start_line":155,"start_character":40,"end_line":155,"end_character":55},"in_reply_to":"f0c31c63_958a7f40","updated":"2021-08-21 12:01:11.000000000","message":"Will hit both of these on next PS.","commit_id":"cc5bbde5e059b97a26c153a56c9ad03c9c9f1798"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"63f48273deb7b564f10ebb695b1b39c04add7a94","unresolved":true,"context_lines":[{"line_number":220,"context_line":"    \"\u0027admin\u0027, \u0027member\u0027, and \u0027reader\u0027 to implement three Cinder \""},{"line_number":221,"context_line":"    \u0027\"personas\".  See \"Policy Personas and Permissions\" in the \"Cinder \u0027"},{"line_number":222,"context_line":"    \u0027Service Configuration\" documentation (Xena release) for details.  
\u0027"},{"line_number":223,"context_line":"    \u0027NOTE: if you are using the default configuration, you do not need \u0027"},{"line_number":224,"context_line":"    \u0027to take any action about these deprecated policies.\u0027)"},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"_YOGA_DEPRECATED_REASON \u003d ("},{"line_number":227,"context_line":"    \u0027Default policies now support Keystone default roles and system scope to \u0027"}],"source_content_type":"text/x-python","patch_set":7,"id":"e21d8fcf_3d50a328","line":224,"range":{"start_line":223,"start_character":4,"end_line":224,"end_character":58},"updated":"2021-08-20 21:40:29.000000000","message":"I\u0027m still concerned that this is going to be confusing to operators.\n\nTraditionally, when we deprecate things, we usually mean it and operators take that as a signal they have something to do, like change a config. Here we\u0027re telling them to ignore that, for now. But, we\u0027re going to have to tell them eventually that deprecation means business again when they have to update their role assignments to include system-role assignments for their operators to continue doing their jobs, right?\n\nAlso, I don\u0027t think there is a way to opt out of seeing these, is there? These will be persistent while a deployment is running either Xena or Yoga code?","commit_id":"cc5bbde5e059b97a26c153a56c9ad03c9c9f1798"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c173b7505f8fee7d0597f5948ec4f189af3546fc","unresolved":true,"context_lines":[{"line_number":220,"context_line":"    \"\u0027admin\u0027, \u0027member\u0027, and \u0027reader\u0027 to implement three Cinder \""},{"line_number":221,"context_line":"    \u0027\"personas\".  
See \"Policy Personas and Permissions\" in the \"Cinder \u0027"},{"line_number":222,"context_line":"    \u0027Service Configuration\" documentation (Xena release) for details.  \u0027"},{"line_number":223,"context_line":"    \u0027NOTE: if you are using the default configuration, you do not need \u0027"},{"line_number":224,"context_line":"    \u0027to take any action about these deprecated policies.\u0027)"},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"_YOGA_DEPRECATED_REASON \u003d ("},{"line_number":227,"context_line":"    \u0027Default policies now support Keystone default roles and system scope to \u0027"}],"source_content_type":"text/x-python","patch_set":7,"id":"7d23557e_6994fcbc","line":224,"range":{"start_line":223,"start_character":4,"end_line":224,"end_character":58},"in_reply_to":"e21d8fcf_3d50a328","updated":"2021-08-21 12:01:11.000000000","message":"For this one, there\u0027s nothing to do cinder-side; if you want the project-reader persona, though, you have to make adjustments in user role assignments in the Identity service.  I\u0027ll rephrase and see if that works.  Otherwise, may need to have a reference to a document outlining this (maybe explain this in the \"Implementation Schedule\" part of the policy matrix document).\n\nAs far as seeing these, I thought oslo.policy was handling how often the deprecation messages are logged?  Also, I haven\u0027t experimented to see if you still get deprecation messages when enforce_new_defaults\u003dTrue ... do you know what happens in that case?","commit_id":"cc5bbde5e059b97a26c153a56c9ad03c9c9f1798"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c173b7505f8fee7d0597f5948ec4f189af3546fc","unresolved":true,"context_lines":[{"line_number":228,"context_line":"    \u0027implement five Cinder \"personas\".  
See \"Policy Personas and Permissions\" \u0027"},{"line_number":229,"context_line":"    \u0027in the \"Cinder Service Configuration\" documentation (Yoga release) for \u0027"},{"line_number":230,"context_line":"    \u0027details.  \u0027"},{"line_number":231,"context_line":"    \u0027NOTE: if you are using the default configuration, you do not need \u0027"},{"line_number":232,"context_line":"    \u0027to take any action about these deprecated policies.\u0027)"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"# TODO: change these in Yoga"},{"line_number":235,"context_line":"DEPRECATED_REASON \u003d _XENA_DEPRECATED_REASON"}],"source_content_type":"text/x-python","patch_set":7,"id":"a986e93b_54a271c4","line":232,"range":{"start_line":231,"start_character":0,"end_line":232,"end_character":56},"updated":"2021-08-21 12:01:11.000000000","message":"Will revise this one also.","commit_id":"cc5bbde5e059b97a26c153a56c9ad03c9c9f1798"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"3449356aae6d56400c4bb83cb9e3888d7b6ba5ee","unresolved":true,"context_lines":[{"line_number":37,"context_line":"#       \"get-foo-policy\": \"role:reader\""},{"line_number":38,"context_line":"#   because we know that anyone who has been assigned the \u0027admin\u0027 role in"},{"line_number":39,"context_line":"#   Keystone also has the \u0027member\u0027 and \u0027reader\u0027 roles, and anyone assigned"},{"line_number":40,"context_line":"#   the \u0027member\u0027 role *also* has the \u0027reader\u0027 role."},{"line_number":41,"context_line":"#"},{"line_number":42,"context_line":"# - How do I know what string to use?"},{"line_number":43,"context_line":"#   Cinder maintains a policy matrix correlating REST API calls, 
policy"}],"source_content_type":"text/x-python","patch_set":8,"id":"fa51c546_a0993d90","line":40,"range":{"start_line":40,"start_character":4,"end_line":40,"end_character":7},"updated":"2021-08-27 15:57:53.000000000","message":"nit: with the","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"499ab4531fca4378dfc41379b44438980e9cb6cf","unresolved":true,"context_lines":[{"line_number":37,"context_line":"#       \"get-foo-policy\": \"role:reader\""},{"line_number":38,"context_line":"#   because we know that anyone who has been assigned the \u0027admin\u0027 role in"},{"line_number":39,"context_line":"#   Keystone also has the \u0027member\u0027 and \u0027reader\u0027 roles, and anyone assigned"},{"line_number":40,"context_line":"#   the \u0027member\u0027 role *also* has the \u0027reader\u0027 role."},{"line_number":41,"context_line":"#"},{"line_number":42,"context_line":"# - How do I know what string to use?"},{"line_number":43,"context_line":"#   Cinder maintains a policy matrix correlating REST API calls, policy"}],"source_content_type":"text/x-python","patch_set":8,"id":"15bdbcee_c3ea3479","line":40,"range":{"start_line":40,"start_character":4,"end_line":40,"end_character":7},"in_reply_to":"fa51c546_a0993d90","updated":"2021-08-31 17:33:15.000000000","message":"I feel the current wording is grammatically correct.","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"3449356aae6d56400c4bb83cb9e3888d7b6ba5ee","unresolved":true,"context_lines":[{"line_number":40,"context_line":"#   the \u0027member\u0027 role *also* has the \u0027reader\u0027 role."},{"line_number":41,"context_line":"#"},{"line_number":42,"context_line":"# - How do I know what string to 
use?"},{"line_number":43,"context_line":"#   Cinder maintains a policy matrix correlating REST API calls, policy"},{"line_number":44,"context_line":"#   names, and what \"personas\" can perform them.  The \"personas\" are"},{"line_number":45,"context_line":"#   abstract entities whose powers are supposed to be consistent across"},{"line_number":46,"context_line":"#   OpenStack services.  The \"personas\" are implemented by each service"},{"line_number":47,"context_line":"#   using the default Keystone roles and scopes ... but you have to be"},{"line_number":48,"context_line":"#   careful, because for example, a \"system-reader\" persona is NOT simply"},{"line_number":49,"context_line":"#   a read-only administrator (it\u0027s actually less).  See the policy matrix"},{"line_number":50,"context_line":"#   for details."},{"line_number":51,"context_line":"#"},{"line_number":52,"context_line":"# - This is probably obvious, but I\u0027ll say it anyway.  There is nothing"},{"line_number":53,"context_line":"#   magic about the \u0027reader\u0027 role that guarantees that someone with *only*"}],"source_content_type":"text/x-python","patch_set":8,"id":"94625fc6_e35ca0e1","line":50,"range":{"start_line":43,"start_character":0,"end_line":50,"end_character":16},"updated":"2021-08-27 15:57:53.000000000","message":"is it a good idea to also link the policy matrix here?","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"3449356aae6d56400c4bb83cb9e3888d7b6ba5ee","unresolved":true,"context_lines":[{"line_number":49,"context_line":"#   a read-only administrator (it\u0027s actually less).  See the policy matrix"},{"line_number":50,"context_line":"#   for details."},{"line_number":51,"context_line":"#"},{"line_number":52,"context_line":"# - This is probably obvious, but I\u0027ll say it anyway.  
There is nothing"},{"line_number":53,"context_line":"#   magic about the \u0027reader\u0027 role that guarantees that someone with *only*"},{"line_number":54,"context_line":"#   that role can only do read-only kind of stuff in a service.  We (as the"},{"line_number":55,"context_line":"#   Cinder service team) give it meaning by the way we define our policy"},{"line_number":56,"context_line":"#   rules.  So if as a joke, we were to write rules that allowed someone"},{"line_number":57,"context_line":"#   with only the \u0027reader\u0027 role to delete volumes in any project, there is"},{"line_number":58,"context_line":"#   nothing Keystone could do about it.  So be careful."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"# Private policy checkstrings"}],"source_content_type":"text/x-python","patch_set":8,"id":"618f23de_5f05ccf6","line":58,"range":{"start_line":52,"start_character":0,"end_line":58,"end_character":55},"updated":"2021-08-27 15:57:53.000000000","message":"+1, do we have this in documentation too? It could be beneficial for operators dealing with this.","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4d9188b659a869f6b1ed47e2a8d5f4cb840dd9bb","unresolved":true,"context_lines":[{"line_number":55,"context_line":"#   Cinder service team) give it meaning by the way we define our policy"},{"line_number":56,"context_line":"#   rules.  So if as a joke, we were to write rules that allowed someone"},{"line_number":57,"context_line":"#   with only the \u0027reader\u0027 role to delete volumes in any project, there is"},{"line_number":58,"context_line":"#   nothing Keystone could do about it.  
So be careful."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"# Private policy checkstrings"}],"source_content_type":"text/x-python","patch_set":8,"id":"d3a381bd_752cdaf5","line":58,"updated":"2021-08-24 21:49:53.000000000","message":"Which is apparent in https://bugs.launchpad.net/cinder/+bug/1917795","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":20813,"name":"Sofia Enriquez","email":"lsofia.enriquez@gmail.com","username":"enriquetaso"},"change_message_id":"dd7524530ccfc0cea10c6d2731b330110b640b8b","unresolved":true,"context_lines":[{"line_number":55,"context_line":"#   Cinder service team) give it meaning by the way we define our policy"},{"line_number":56,"context_line":"#   rules.  So if as a joke, we were to write rules that allowed someone"},{"line_number":57,"context_line":"#   with only the \u0027reader\u0027 role to delete volumes in any project, there is"},{"line_number":58,"context_line":"#   nothing Keystone could do about it.  So be careful."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"# Private policy checkstrings"}],"source_content_type":"text/x-python","patch_set":8,"id":"fa81252c_4d7ffb87","line":58,"in_reply_to":"d3a381bd_752cdaf5","updated":"2021-08-27 15:40:01.000000000","message":"I forgot about that bug report. Maybe we can add it somewhere in the etherpad or the trello board.","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4d9188b659a869f6b1ed47e2a8d5f4cb840dd9bb","unresolved":true,"context_lines":[{"line_number":71,"context_line":""},{"line_number":72,"context_line":"# Cinder doesn\u0027t plan to use this one.  It doesn\u0027t map to any of our"},{"line_number":73,"context_line":"# supported personas.  
It\u0027s only here in case you were wondering ..."},{"line_number":74,"context_line":"# _SYSTEM_MEMBER \u003d \u0027role:member and system_scope:all\u0027"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"# Generic policy check string for the persona we are calling \u0027system-reader\u0027."},{"line_number":77,"context_line":"_SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"}],"source_content_type":"text/x-python","patch_set":8,"id":"a495db45_64593e06","line":74,"updated":"2021-08-24 21:49:53.000000000","message":"The member role sitting in the middle of the role hierarchy offers operators the ability to push some administrative function \"down\" to members, if they choose, in a somewhat consistent way.","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"3449356aae6d56400c4bb83cb9e3888d7b6ba5ee","unresolved":true,"context_lines":[{"line_number":71,"context_line":""},{"line_number":72,"context_line":"# Cinder doesn\u0027t plan to use this one.  It doesn\u0027t map to any of our"},{"line_number":73,"context_line":"# supported personas.  
It\u0027s only here in case you were wondering ..."},{"line_number":74,"context_line":"# _SYSTEM_MEMBER \u003d \u0027role:member and system_scope:all\u0027"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"# Generic policy check string for the persona we are calling \u0027system-reader\u0027."},{"line_number":77,"context_line":"_SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"}],"source_content_type":"text/x-python","patch_set":8,"id":"cf7c1183_1fbbddfd","line":74,"in_reply_to":"a495db45_64593e06","updated":"2021-08-27 15:57:53.000000000","message":"We didn\u0027t encounter any similar case (at  least for our default policy rules) while going through the support matrix but some operators might have a usecase for this rule in their deployment for any of our APIs","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a582917a1b84fbcd6b83585baaac79b4c5085437","unresolved":true,"context_lines":[{"line_number":77,"context_line":"_SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":78,"context_line":"# Note: In Xena, there isn\u0027t really a system-reader persona so make sure"},{"line_number":79,"context_line":"# the system-admin can do this"},{"line_number":80,"context_line":"_LEGACY_SYSTEM_READER \u003d _LEGACY_SYSTEM_ADMIN"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"# Generic policy check string for the persona we are calling \u0027project-admin\u0027."},{"line_number":83,"context_line":"# Note: We are not implementing this persona in Xena.  (Compare it to the"}],"source_content_type":"text/x-python","patch_set":8,"id":"4d0c0d37_746f9f5c","line":80,"updated":"2021-08-27 14:25:39.000000000","message":"We\u0027re not actually using this either in Xena. 
This is just here for future use I think?","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"564e2b158cf010f37ec2e781a0d501eb7d174746","unresolved":true,"context_lines":[{"line_number":77,"context_line":"_SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":78,"context_line":"# Note: In Xena, there isn\u0027t really a system-reader persona so make sure"},{"line_number":79,"context_line":"# the system-admin can do this"},{"line_number":80,"context_line":"_LEGACY_SYSTEM_READER \u003d _LEGACY_SYSTEM_ADMIN"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"# Generic policy check string for the persona we are calling \u0027project-admin\u0027."},{"line_number":83,"context_line":"# Note: We are not implementing this persona in Xena.  (Compare it to the"}],"source_content_type":"text/x-python","patch_set":8,"id":"3d6f8859_736b16dd","line":80,"in_reply_to":"4d0c0d37_746f9f5c","updated":"2021-08-27 14:40:39.000000000","message":"Yes, it\u0027s good to point out that there isn\u0027t a use for this in Xena anymore under the current deprecation strategy.","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"3449356aae6d56400c4bb83cb9e3888d7b6ba5ee","unresolved":true,"context_lines":[{"line_number":85,"context_line":"_PROJECT_ADMIN \u003d \u0027role:admin and project_id:%(project_id)s\u0027"},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"# Generic policy check string for the persona we are calling \u0027project-member\u0027."},{"line_number":88,"context_line":"# Note: The \u0027and project_id:%(project_id)s\u0027 part makes this a project-scoped"},{"line_number":89,"context_line":"# 
checkstring."},{"line_number":90,"context_line":"_PROJECT_MEMBER \u003d \u0027role:member and project_id:%(project_id)s\u0027"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"# Generic policy check string for the persona we are calling \u0027project-reader\u0027."}],"source_content_type":"text/x-python","patch_set":8,"id":"35c11e4e_f9db32c8","line":89,"range":{"start_line":88,"start_character":0,"end_line":89,"end_character":14},"updated":"2021-08-27 15:57:53.000000000","message":"This note is common for all 3 project scope rules so maybe move before _PROJECT_ADMIN definition","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"3449356aae6d56400c4bb83cb9e3888d7b6ba5ee","unresolved":true,"context_lines":[{"line_number":163,"context_line":"    # \"pure\" Xena rules"},{"line_number":164,"context_line":"    policy.RuleDefault("},{"line_number":165,"context_line":"        \u0027xena_system_admin_or_project_reader\u0027,"},{"line_number":166,"context_line":"        f\u0027({_LEGACY_SYSTEM_ADMIN}) or ({_PROJECT_READER})\u0027,"},{"line_number":167,"context_line":"        description\u003d(\"NOTE: this purely role-based rule recognizes only \""},{"line_number":168,"context_line":"                     \"project scope\")),"},{"line_number":169,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":8,"id":"a48c7aca_0349fc5f","line":166,"range":{"start_line":166,"start_character":12,"end_line":166,"end_character":32},"updated":"2021-08-27 15:57:53.000000000","message":"NOTE: As per my discussion with Brian, we had two legacy policy rules, \u0027admin_api\u0027 and \u0027admin_or_owner\u0027\nfor both we use \"is_admin:True\" which is a way to extend the admin functionality with overriding \"context_is_admin\": \"role:admin\"\nIn Xena, we are keeping this extensibility for 
SYSTEM_ADMIN_ONLY apis which will be using \"rule:admin_api\" and we won\u0027t support this for \"xena_system_admin_or_project_reader\" and \"xena_system_admin_or_project_member\" rules where system admin is considered as \"role:admin\" (with no \"is_admin:True\" field)\nGood thing to keep in mind for the upgrade case where \"context_is_admin\" is overridden and a similar functionality change is not seen in some of the policies mentioned above.","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"3449356aae6d56400c4bb83cb9e3888d7b6ba5ee","unresolved":true,"context_lines":[{"line_number":164,"context_line":"    policy.RuleDefault("},{"line_number":165,"context_line":"        \u0027xena_system_admin_or_project_reader\u0027,"},{"line_number":166,"context_line":"        f\u0027({_LEGACY_SYSTEM_ADMIN}) or ({_PROJECT_READER})\u0027,"},{"line_number":167,"context_line":"        description\u003d(\"NOTE: this purely role-based rule recognizes only \""},{"line_number":168,"context_line":"                     \"project scope\")),"},{"line_number":169,"context_line":"    policy.RuleDefault("},{"line_number":170,"context_line":"        \u0027xena_system_admin_or_project_member\u0027,"}],"source_content_type":"text/x-python","patch_set":8,"id":"8d444d5b_073be69a","line":167,"range":{"start_line":167,"start_character":56,"end_line":167,"end_character":66},"updated":"2021-08-27 15:57:53.000000000","message":"nit: and recognizes","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"3449356aae6d56400c4bb83cb9e3888d7b6ba5ee","unresolved":true,"context_lines":[{"line_number":164,"context_line":"    policy.RuleDefault("},{"line_number":165,"context_line":"        
\u0027xena_system_admin_or_project_reader\u0027,"},{"line_number":166,"context_line":"        f\u0027({_LEGACY_SYSTEM_ADMIN}) or ({_PROJECT_READER})\u0027,"},{"line_number":167,"context_line":"        description\u003d(\"NOTE: this purely role-based rule recognizes only \""},{"line_number":168,"context_line":"                     \"project scope\")),"},{"line_number":169,"context_line":"    policy.RuleDefault("},{"line_number":170,"context_line":"        \u0027xena_system_admin_or_project_member\u0027,"}],"source_content_type":"text/x-python","patch_set":8,"id":"d7f80dbd_b035622e","line":167,"range":{"start_line":167,"start_character":28,"end_line":167,"end_character":32},"updated":"2021-08-27 15:57:53.000000000","message":"nit: this is","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"499ab4531fca4378dfc41379b44438980e9cb6cf","unresolved":true,"context_lines":[{"line_number":164,"context_line":"    policy.RuleDefault("},{"line_number":165,"context_line":"        \u0027xena_system_admin_or_project_reader\u0027,"},{"line_number":166,"context_line":"        f\u0027({_LEGACY_SYSTEM_ADMIN}) or ({_PROJECT_READER})\u0027,"},{"line_number":167,"context_line":"        description\u003d(\"NOTE: this purely role-based rule recognizes only \""},{"line_number":168,"context_line":"                     \"project scope\")),"},{"line_number":169,"context_line":"    policy.RuleDefault("},{"line_number":170,"context_line":"        \u0027xena_system_admin_or_project_member\u0027,"}],"source_content_type":"text/x-python","patch_set":8,"id":"8129bbde_cbd860d5","line":167,"range":{"start_line":167,"start_character":56,"end_line":167,"end_character":66},"in_reply_to":"8d444d5b_073be69a","updated":"2021-08-31 17:33:15.000000000","message":"I think this is OK as 
is.","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"499ab4531fca4378dfc41379b44438980e9cb6cf","unresolved":true,"context_lines":[{"line_number":164,"context_line":"    policy.RuleDefault("},{"line_number":165,"context_line":"        \u0027xena_system_admin_or_project_reader\u0027,"},{"line_number":166,"context_line":"        f\u0027({_LEGACY_SYSTEM_ADMIN}) or ({_PROJECT_READER})\u0027,"},{"line_number":167,"context_line":"        description\u003d(\"NOTE: this purely role-based rule recognizes only \""},{"line_number":168,"context_line":"                     \"project scope\")),"},{"line_number":169,"context_line":"    policy.RuleDefault("},{"line_number":170,"context_line":"        \u0027xena_system_admin_or_project_member\u0027,"}],"source_content_type":"text/x-python","patch_set":8,"id":"268e5fca_087b84f3","line":167,"range":{"start_line":167,"start_character":28,"end_line":167,"end_character":32},"in_reply_to":"d7f80dbd_b035622e","updated":"2021-08-31 17:33:15.000000000","message":"ditto","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"3449356aae6d56400c4bb83cb9e3888d7b6ba5ee","unresolved":true,"context_lines":[{"line_number":169,"context_line":"    policy.RuleDefault("},{"line_number":170,"context_line":"        \u0027xena_system_admin_or_project_member\u0027,"},{"line_number":171,"context_line":"        f\u0027({_LEGACY_SYSTEM_ADMIN}) or ({_PROJECT_MEMBER})\u0027,"},{"line_number":172,"context_line":"        description\u003d(\"NOTE: this purely role-based rule recognizes only \""},{"line_number":173,"context_line":"                     \"project 
scope\")),"},{"line_number":174,"context_line":"]"},{"line_number":175,"context_line":""},{"line_number":176,"context_line":""}],"source_content_type":"text/x-python","patch_set":8,"id":"fbdadb39_b05f00f2","line":173,"range":{"start_line":172,"start_character":28,"end_line":173,"end_character":36},"updated":"2021-08-27 15:57:53.000000000","message":"same as above","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"499ab4531fca4378dfc41379b44438980e9cb6cf","unresolved":true,"context_lines":[{"line_number":169,"context_line":"    policy.RuleDefault("},{"line_number":170,"context_line":"        \u0027xena_system_admin_or_project_member\u0027,"},{"line_number":171,"context_line":"        f\u0027({_LEGACY_SYSTEM_ADMIN}) or ({_PROJECT_MEMBER})\u0027,"},{"line_number":172,"context_line":"        description\u003d(\"NOTE: this purely role-based rule recognizes only \""},{"line_number":173,"context_line":"                     \"project scope\")),"},{"line_number":174,"context_line":"]"},{"line_number":175,"context_line":""},{"line_number":176,"context_line":""}],"source_content_type":"text/x-python","patch_set":8,"id":"cd5b492f_d80a2c5b","line":173,"range":{"start_line":172,"start_character":28,"end_line":173,"end_character":36},"in_reply_to":"fbdadb39_b05f00f2","updated":"2021-08-31 17:33:15.000000000","message":"as above, I think this is OK as is.","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4d9188b659a869f6b1ed47e2a8d5f4cb840dd9bb","unresolved":true,"context_lines":[{"line_number":206,"context_line":"#    EXCEPTION: any policies that are currently (i.e., during Xena development)"},{"line_number":207,"context_line":"#    using \"rule:admin_api\" (which shows up in the policy files 
as"},{"line_number":208,"context_line":"#    \u0027base.RULE_ADMIN_API\u0027) will NOT be deprecated in Xena.  (They will be"},{"line_number":209,"context_line":"#    deprecated in Yoga.)"},{"line_number":210,"context_line":"#"},{"line_number":211,"context_line":"# 2. In Yoga, the Xena checkstrings are moved to the CinderDeprecatedRules."},{"line_number":212,"context_line":"#    For example, if a DocumentedRuleDefault with check_str\u003dSYSTEM_ADMIN_ONLY"}],"source_content_type":"text/x-python","patch_set":8,"id":"19264f3d_110bd216","line":209,"updated":"2021-08-24 21:49:53.000000000","message":"++","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"3449356aae6d56400c4bb83cb9e3888d7b6ba5ee","unresolved":true,"context_lines":[{"line_number":212,"context_line":"#    For example, if a DocumentedRuleDefault with check_str\u003dSYSTEM_ADMIN_ONLY"},{"line_number":213,"context_line":"#    contains a deprecated_rule, find the definition of that"},{"line_number":214,"context_line":"#    CinderDeprecatedRule in the file and change *its* checkstring to"},{"line_number":215,"context_line":"#    check_str\u003dXENA_SYSTEM_ADMIN_ONLY."},{"line_number":216,"context_line":"#"},{"line_number":217,"context_line":"#    The checkstrings in the DocumentedRuleDefaults will be updated"},{"line_number":218,"context_line":"#    when we change the \"Public policy checkstrings expressed as personas\""}],"source_content_type":"text/x-python","patch_set":8,"id":"c451a1e6_066161a5","line":215,"range":{"start_line":215,"start_character":5,"end_line":215,"end_character":37},"updated":"2021-08-27 15:57:53.000000000","message":"we don\u0027t have any rule associated to this\nsee L#146 # XENA_SYSTEM_ADMIN_ONLY \u003d \"rule:xena_system_admin_only\"\nbut \"xena_system_admin_only\" rule doesn\u0027t 
exist","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"3449356aae6d56400c4bb83cb9e3888d7b6ba5ee","unresolved":true,"context_lines":[{"line_number":229,"context_line":"#    give us the full five Cinder personas.  After operators have made"},{"line_number":230,"context_line":"#    appropriate adjustments to user and group role assignments in Keystone,"},{"line_number":231,"context_line":"#    they will be able to use the new checkstrings by setting the"},{"line_number":232,"context_line":"#    \u0027enforce_new_defaults\u0027 and \u0027enforce_scope\u0027 options to appropriate"},{"line_number":233,"context_line":"#    values in the [oslo_policy] section of their cinder configuration file."},{"line_number":234,"context_line":"#"},{"line_number":235,"context_line":"# 3. In Z, we let the Yoga policy configuration bake to allow operators"},{"line_number":236,"context_line":"#    to time to make the Keystone adjustments mentioned above before they"}],"source_content_type":"text/x-python","patch_set":8,"id":"6e8d39a8_06ba7f8a","line":233,"range":{"start_line":232,"start_character":0,"end_line":233,"end_character":76},"updated":"2021-08-27 15:57:53.000000000","message":"is it worth mentioning that their default is False as of now?","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"499ab4531fca4378dfc41379b44438980e9cb6cf","unresolved":true,"context_lines":[{"line_number":278,"context_line":""},{"line_number":279,"context_line":"# FIXME: remove these when cinder.policies.default_types is updated"},{"line_number":280,"context_line":"SYSTEM_OR_DOMAIN_OR_PROJECT_ADMIN \u003d \u0027rule:system_or_domain_or_project_admin\u0027"},{"line_number":281,"context_line":"SYSTEM_ADMIN \u003d 
_SYSTEM_ADMIN"},{"line_number":282,"context_line":""},{"line_number":283,"context_line":""},{"line_number":284,"context_line":"# legacy rules to be removed in Yoga"}],"source_content_type":"text/x-python","patch_set":8,"id":"6fda2a64_e09f8c03","line":281,"updated":"2021-08-31 17:33:15.000000000","message":"How will this work in Xena if enforce_new_defaults is True?\n\n_SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027 (L69), but we don\u0027t support scope in Xena.\n\nI encountered this issue when testing a backup policy that wants to be SYSTEM_ADMIN, and when I tested it with the \"system_admin\" user (which is project scoped in Xena) it failed the policy check.","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"de214194c5a50bf1e60ec54bef06e9df5af9b0be","unresolved":false,"context_lines":[{"line_number":278,"context_line":""},{"line_number":279,"context_line":"# FIXME: remove these when cinder.policies.default_types is updated"},{"line_number":280,"context_line":"SYSTEM_OR_DOMAIN_OR_PROJECT_ADMIN \u003d \u0027rule:system_or_domain_or_project_admin\u0027"},{"line_number":281,"context_line":"SYSTEM_ADMIN \u003d _SYSTEM_ADMIN"},{"line_number":282,"context_line":""},{"line_number":283,"context_line":""},{"line_number":284,"context_line":"# legacy rules to be removed in Yoga"}],"source_content_type":"text/x-python","patch_set":8,"id":"cc99de27_4f50895f","line":281,"in_reply_to":"2cafc1a6_c8a08af7","updated":"2021-08-31 19:12:32.000000000","message":"OK, now I know that Xena policies will stick with RULE_ADMIN_API, and will switch to SYSTEM_ADMIN in Yoga.","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":5314,"name":"Brian 
Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"73a5183ad2b3d829cfe281fd25b6749ec18e6aa1","unresolved":true,"context_lines":[{"line_number":278,"context_line":""},{"line_number":279,"context_line":"# FIXME: remove these when cinder.policies.default_types is updated"},{"line_number":280,"context_line":"SYSTEM_OR_DOMAIN_OR_PROJECT_ADMIN \u003d \u0027rule:system_or_domain_or_project_admin\u0027"},{"line_number":281,"context_line":"SYSTEM_ADMIN \u003d _SYSTEM_ADMIN"},{"line_number":282,"context_line":""},{"line_number":283,"context_line":""},{"line_number":284,"context_line":"# legacy rules to be removed in Yoga"}],"source_content_type":"text/x-python","patch_set":8,"id":"2cafc1a6_c8a08af7","line":281,"in_reply_to":"5e9eae0b_f835addf","updated":"2021-08-31 19:06:57.000000000","message":"I wasn\u0027t clear enough in my note on line 279.  These strings are currently being used by the default_types policy file, so they can\u0027t be removed until it gets updated.  
They aren\u0027t here for our current \"secure RBAC\" effort.","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"b7779921af831c117dcb4e537eadabde35e24054","unresolved":true,"context_lines":[{"line_number":278,"context_line":""},{"line_number":279,"context_line":"# FIXME: remove these when cinder.policies.default_types is updated"},{"line_number":280,"context_line":"SYSTEM_OR_DOMAIN_OR_PROJECT_ADMIN \u003d \u0027rule:system_or_domain_or_project_admin\u0027"},{"line_number":281,"context_line":"SYSTEM_ADMIN \u003d _SYSTEM_ADMIN"},{"line_number":282,"context_line":""},{"line_number":283,"context_line":""},{"line_number":284,"context_line":"# legacy rules to be removed in Yoga"}],"source_content_type":"text/x-python","patch_set":8,"id":"5e9eae0b_f835addf","line":281,"in_reply_to":"6fda2a64_e09f8c03","updated":"2021-08-31 17:48:12.000000000","message":"So maybe this should be _LEGACY_SYSTEM_ADMIN (L70) in Xena?","commit_id":"679dda503202b5c13f8353c9acbb5a532d83d4c5"},{"author":{"_account_id":4523,"name":"Eric Harney","email":"eharney@redhat.com","username":"eharney"},"change_message_id":"1fcfbdbedb368c3b73ba3796e1d67b6721a4e272","unresolved":true,"context_lines":[{"line_number":154,"context_line":"                       description\u003d\"Decides what is required for the \""},{"line_number":155,"context_line":"                                   \"\u0027is_admin:True\u0027 check to succeed.\"),"},{"line_number":156,"context_line":"    policy.RuleDefault(\u0027admin_api\u0027,"},{"line_number":157,"context_line":"                       \u0027is_admin:True or (role:admin and \u0027"},{"line_number":158,"context_line":"                       \u0027is_admin_project:True)\u0027,"},{"line_number":159,"context_line":"                       # FIXME: In Yoga, point out that 
is_admin_project"},{"line_number":160,"context_line":"                       # is deprecated and operators should use system"}],"source_content_type":"text/x-python","patch_set":9,"id":"9bf655d7_d9c24938","line":157,"updated":"2021-09-03 13:58:06.000000000","message":"This would be more readable if indented like line 165 is.","commit_id":"7fb4f272cdebbf9773c561d340c237b849e48501"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d146f39b63f49ab98831e4f0f112280e4d15ebfe","unresolved":true,"context_lines":[{"line_number":271,"context_line":"                 check_str: str,"},{"line_number":272,"context_line":"                 *,"},{"line_number":273,"context_line":"                 deprecated_reason: Optional[str] \u003d DEPRECATED_REASON,"},{"line_number":274,"context_line":"                 deprecated_since: Optional[str] \u003d DEPRECATED_SINCE,"},{"line_number":275,"context_line":"                 ):"},{"line_number":276,"context_line":"        super().__init__("},{"line_number":277,"context_line":"            name, check_str, deprecated_reason\u003ddeprecated_reason,"}],"source_content_type":"text/x-python","patch_set":9,"id":"27b0bb12_4ac33f96","line":274,"updated":"2021-08-30 21:42:12.000000000","message":"I\u0027m just noticing this now, but isn\u0027t this going to change out from underneath use when Yoga opens for development?\n\nFor example if we deprecate \u0027foo\u0027 now using:\n\n  deprecated_foo \u003d base.CinderDeprecatedRule(\n    name\u003d\u0027foo\u0027,\n    check_str\u003d\u0027role:bar\u0027,\n  )\n\n\nand then we update:\n\n  DEPRECATED_SINCE \u003d versionutils.deprecated.YOGA\n\nwhen we start working on system-scope things next release isn\u0027t that going to change the deprecation warning out from under us?\n\nAt that point, won\u0027t we have to go back anyway and add deprecated_reason to everything we\u0027ve done in Xena before we can update 
DEPRECATED_SINCE?","commit_id":"7fb4f272cdebbf9773c561d340c237b849e48501"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d793622d0afdc4e0b6c7a914532deb4ec9e5244a","unresolved":true,"context_lines":[{"line_number":271,"context_line":"                 check_str: str,"},{"line_number":272,"context_line":"                 *,"},{"line_number":273,"context_line":"                 deprecated_reason: Optional[str] \u003d DEPRECATED_REASON,"},{"line_number":274,"context_line":"                 deprecated_since: Optional[str] \u003d DEPRECATED_SINCE,"},{"line_number":275,"context_line":"                 ):"},{"line_number":276,"context_line":"        super().__init__("},{"line_number":277,"context_line":"            name, check_str, deprecated_reason\u003ddeprecated_reason,"}],"source_content_type":"text/x-python","patch_set":9,"id":"6dfb70a1_e7a6460a","line":274,"in_reply_to":"1990c2a3_5d0b8007","updated":"2021-09-01 21:43:45.000000000","message":"I think my concern is this:\n\n  # DEPRECATED\n  # \"volume:attachment_create\":\"\" has been deprecated since X in favor\n  # of \"volume:attachment_create\":\"rule:xena_system_admin_or_project_mem\n  # ber\".\n\nAnd then in the next release:\n\n  # DEPRECATED\n  # \"volume:attachment_create\":\"rule:xena_system_admin_or_project_member\n  # \" has been deprecated since Y in favor of\n\nWe\u0027re saying the volume:attachment_create was deprecated in X, but then we\u0027re saying it was deprecated in X? 
Or is that because we\u0027re treating it as an entirely separate deprecation?\n\nI just say the default value being passed into the CinderDeprecatedRule object and that raised a concern is we change the default value and then accidentally change the messaging to operators.","commit_id":"7fb4f272cdebbf9773c561d340c237b849e48501"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e37044e8fa4ce819b0a22aa56e5510d93644dded","unresolved":true,"context_lines":[{"line_number":271,"context_line":"                 check_str: str,"},{"line_number":272,"context_line":"                 *,"},{"line_number":273,"context_line":"                 deprecated_reason: Optional[str] \u003d DEPRECATED_REASON,"},{"line_number":274,"context_line":"                 deprecated_since: Optional[str] \u003d DEPRECATED_SINCE,"},{"line_number":275,"context_line":"                 ):"},{"line_number":276,"context_line":"        super().__init__("},{"line_number":277,"context_line":"            name, check_str, deprecated_reason\u003ddeprecated_reason,"}],"source_content_type":"text/x-python","patch_set":9,"id":"9144c797_1e006afa","line":274,"in_reply_to":"1be2c58f_6473cc68","updated":"2021-09-03 14:23:28.000000000","message":"Ok - so these are treated as two separate deprecations? In Xena it will be:\n\n  deprecated: \"\"\n  new: \"role:admin or (role:member and project_id:%(project_id)s)\"\n\nIn Yoga it will be:\n\n  deprecated: \"role:admin or (role:member and project_id:%(project_id)s)\"\n  new: \"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)\"\n\n\nTo clarify, if operators are 1.) using the defaults and 2.) 
allowing people with custom roles to create things in cinder, they must update those role assignments before they deploy Yoga\u0027s default policies otherwise their users will have broken flows, right?","commit_id":"7fb4f272cdebbf9773c561d340c237b849e48501"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"73a5183ad2b3d829cfe281fd25b6749ec18e6aa1","unresolved":true,"context_lines":[{"line_number":271,"context_line":"                 check_str: str,"},{"line_number":272,"context_line":"                 *,"},{"line_number":273,"context_line":"                 deprecated_reason: Optional[str] \u003d DEPRECATED_REASON,"},{"line_number":274,"context_line":"                 deprecated_since: Optional[str] \u003d DEPRECATED_SINCE,"},{"line_number":275,"context_line":"                 ):"},{"line_number":276,"context_line":"        super().__init__("},{"line_number":277,"context_line":"            name, check_str, deprecated_reason\u003ddeprecated_reason,"}],"source_content_type":"text/x-python","patch_set":9,"id":"d7db9bad_f7bf40ee","line":274,"in_reply_to":"27b0bb12_4ac33f96","updated":"2021-08-31 19:06:57.000000000","message":"Well, once Yoga opens, all current CinderDeprecatedRules will either be deleted or have their check_str updated (at which point since-Yoga will be accurate), or they will be new CinderDeprecatedRules (for all the \"rule:admin_api\" policies, which were not deprecated in Xena), and since-Yoga will be accurate for them also.  
I think the Yoga deprecated reason above will be accurate for everything as well.","commit_id":"7fb4f272cdebbf9773c561d340c237b849e48501"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"42c193af41f967a6f8c0f2cfd9a4361788c6b8d1","unresolved":true,"context_lines":[{"line_number":271,"context_line":"                 check_str: str,"},{"line_number":272,"context_line":"                 *,"},{"line_number":273,"context_line":"                 deprecated_reason: Optional[str] \u003d DEPRECATED_REASON,"},{"line_number":274,"context_line":"                 deprecated_since: Optional[str] \u003d DEPRECATED_SINCE,"},{"line_number":275,"context_line":"                 ):"},{"line_number":276,"context_line":"        super().__init__("},{"line_number":277,"context_line":"            name, check_str, deprecated_reason\u003ddeprecated_reason,"}],"source_content_type":"text/x-python","patch_set":9,"id":"1990c2a3_5d0b8007","line":274,"in_reply_to":"606344a8_ab9af205","updated":"2021-09-01 13:33:53.000000000","message":"Sorry to be obtuse.  I think that everything will be fine. 
😊  These sample policy files were generated using the strategy outlined here and I think they look OK?\n\nxena: https://paste.opendev.org/show/808268/\nyoga: https://paste.opendev.org/show/808269/","commit_id":"7fb4f272cdebbf9773c561d340c237b849e48501"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"13451bd943312b3a2ec504758c7376bec7e6b900","unresolved":true,"context_lines":[{"line_number":271,"context_line":"                 check_str: str,"},{"line_number":272,"context_line":"                 *,"},{"line_number":273,"context_line":"                 deprecated_reason: Optional[str] \u003d DEPRECATED_REASON,"},{"line_number":274,"context_line":"                 deprecated_since: Optional[str] \u003d DEPRECATED_SINCE,"},{"line_number":275,"context_line":"                 ):"},{"line_number":276,"context_line":"        super().__init__("},{"line_number":277,"context_line":"            name, check_str, deprecated_reason\u003ddeprecated_reason,"}],"source_content_type":"text/x-python","patch_set":9,"id":"1be2c58f_6473cc68","line":274,"in_reply_to":"6dfb70a1_e7a6460a","updated":"2021-09-02 18:34:01.000000000","message":"OK, thanks, now I have a better handle on your concern.\n\nTo answer your question, we\u0027re treating these as two separate deprecations, and the indicator for this is the change in deprecated_since.\n\n(I think in the context of the \"Implementation Schedule\" in the policy matrix [0] that this will make sense to operators, namely, that we\u0027re making a change in X and another change in Y as part of a change that\u0027s happening over multiple cycles.)\n\nSo basically what\u0027s going on is that an operator looks at the X sample file you quoted above, and what we\u0027re saying is:\n\n\u003e Since the X release, we are preferring that you use\n\u003e \"volume:attachment_create\":\"rule:xena_system_admin_or_project_member\",\n\u003e instead of\n\u003e 
\"volume:attachment_create\":\"\"\n\u003e and further, while \"volume:attachment_create\" may work for unrestricted users in X, it\u0027s not guaranteed to work that way in Y.  Instead, it will follow the \"xena_system_admin_or_project_member\" rule.\n\nThe next release happens.  The operator looks at the Y sample file you quoted above, and now what we\u0027re saying is:\n\n\u003e Since the Y release, we are preferring that you use\n\u003e \"volume:attachment_create\":\"rule:system_admin_or_project_member\"\n\u003e instead of\n\u003e \"volume:attachment_create\":\"rule:xena_system_admin_or_project_member\",\n\u003e and that second rule is not guaranteed to be defined in the next release (Z).\n\nI think what\u0027s kind of  confusing here is that we have two different kinds of deprecation happening:\n\n(1) The default value of a policy has changed, and you need to be aware of this (though you may not need to do anything).  This is what\u0027s happening in the X example above.\n\n(2) A rule we provide (e.g., \"rule:volume_extension:volume_type_encryption\" or \"rule:admin_api\") will not be defined in the next release.\nThe only way I could see how to do this is a roll-your-own strategy [1] which gives you a sample config that seems pretty clear: https://paste.opendev.org/show/808414/\n\nI think I need to add these roll-your-own deprecations (in X, i.e., now) to the RuleDefaults we no longer intend to include in Y.\n\n[0] https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_8a2/763306/17/check/openstack-tox-docs/8a20a3d/docs/configuration/block-storage/policy-personas.html#implementation-schedule\n[1] https://review.opendev.org/c/openstack/cinder/+/760197/6/cinder/policies/volume_type.py#190","commit_id":"7fb4f272cdebbf9773c561d340c237b849e48501"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"5569a78625b39279e25002f417cacbb39bac0e54","unresolved":true,"context_lines":[{"line_number":271,"context_line":"                 check_str: str,"},{"line_number":272,"context_line":"                 *,"},{"line_number":273,"context_line":"                 deprecated_reason: Optional[str] \u003d DEPRECATED_REASON,"},{"line_number":274,"context_line":"                 deprecated_since: Optional[str] \u003d DEPRECATED_SINCE,"},{"line_number":275,"context_line":"                 ):"},{"line_number":276,"context_line":"        super().__init__("},{"line_number":277,"context_line":"            name, check_str, deprecated_reason\u003ddeprecated_reason,"}],"source_content_type":"text/x-python","patch_set":9,"id":"606344a8_ab9af205","line":274,"in_reply_to":"d7db9bad_f7bf40ee","updated":"2021-08-31 20:58:18.000000000","message":"I think the deprecated reasons are fine. I\u0027m wondering about the deprecated_since default parameter.\n\nIf we generate a sample policy file, is it going to say foo is deprecated since Xena, and then say it\u0027s deprecated as of Yoga when we updated DEPRECATED_SINCE to versionutils.deprecated.YOGA?","commit_id":"7fb4f272cdebbf9773c561d340c237b849e48501"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a8ec01fc2c62009fd2d11901848c84c3d3ffeb52","unresolved":true,"context_lines":[{"line_number":286,"context_line":""},{"line_number":287,"context_line":"# FIXME: remove these when cinder.policies.default_types is updated"},{"line_number":288,"context_line":"SYSTEM_OR_DOMAIN_OR_PROJECT_ADMIN \u003d \u0027rule:system_or_domain_or_project_admin\u0027"},{"line_number":289,"context_line":"SYSTEM_ADMIN \u003d _SYSTEM_ADMIN"},{"line_number":290,"context_line":""},{"line_number":291,"context_line":""},{"line_number":292,"context_line":"# legacy rules to be removed in 
Yoga"}],"source_content_type":"text/x-python","patch_set":9,"id":"26701696_eafab68e","line":289,"range":{"start_line":289,"start_character":0,"end_line":289,"end_character":12},"updated":"2021-08-30 21:30:12.000000000","message":"This isn\u0027t supposed to be invoked directly since it has system_scope:all right?","commit_id":"7fb4f272cdebbf9773c561d340c237b849e48501"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"73a5183ad2b3d829cfe281fd25b6749ec18e6aa1","unresolved":true,"context_lines":[{"line_number":286,"context_line":""},{"line_number":287,"context_line":"# FIXME: remove these when cinder.policies.default_types is updated"},{"line_number":288,"context_line":"SYSTEM_OR_DOMAIN_OR_PROJECT_ADMIN \u003d \u0027rule:system_or_domain_or_project_admin\u0027"},{"line_number":289,"context_line":"SYSTEM_ADMIN \u003d _SYSTEM_ADMIN"},{"line_number":290,"context_line":""},{"line_number":291,"context_line":""},{"line_number":292,"context_line":"# legacy rules to be removed in Yoga"}],"source_content_type":"text/x-python","patch_set":9,"id":"528d5878_7eeacfcd","line":289,"range":{"start_line":289,"start_character":0,"end_line":289,"end_character":12},"in_reply_to":"26701696_eafab68e","updated":"2021-08-31 19:06:57.000000000","message":"correct, lines 288 and 289 are here only because these strings are being used by the default_types policies (until they are revised).","commit_id":"7fb4f272cdebbf9773c561d340c237b849e48501"}]}
