)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"6011651c199468eabf29bc4232ce0a395b5c7076","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"15b88d9f_da30dd73","updated":"2022-03-30 15:44:10.000000000","message":"This is a big document to review.  If you only have time to review part of it, we\u0027re keeping track in this etherpad: https://etherpad.opendev.org/p/cinder-zed-policies","commit_id":"b8344a358aec3824ff836be53303ca1801bc6e65"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"80897ee96a7d580646d35ca125c67cc35f2a903f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"da09ae89_09da6cd2","updated":"2022-06-07 21:12:45.000000000","message":"Thanks for the feedback, Alan.  Some replies inline, and a new patch set is on the way.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"8f8061fa5b154f0fb2559e2c27f3113a43ac1546","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"37488bc9_f3202f3c","updated":"2022-06-06 21:32:34.000000000","message":"The TC is making an effort to get operator feedback at the summit this week; it\u0027s possible that the community goal will be revised.  
Let this sit until it\u0027s more clear where we should be going.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"}],"doc/source/configuration/block-storage/policy-personas.rst":[{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"77056707f1578087fe959c0039f338a5f3d35b05","unresolved":true,"context_lines":[{"line_number":110,"context_line":""},{"line_number":111,"context_line":"   The justification for this change is that we want the default configuration"},{"line_number":112,"context_line":"   to allow for the principle of least privilege in the sense that someone"},{"line_number":113,"context_line":"   who maintains the Cinder *system* does not need to be able to mess with"},{"line_number":114,"context_line":"   the resources owned by any particular project.  Likewise, a support person"},{"line_number":115,"context_line":"   who needs to make changes to a project\u0027s resources to correct a problem"},{"line_number":116,"context_line":"   or to act on behalf of a user does not need to be able to modify the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"d67303c5_0fb6b96c","line":113,"range":{"start_line":113,"start_character":65,"end_line":113,"end_character":74},"updated":"2022-06-01 19:28:57.000000000","message":"This phrase is an English colloquialism that may not be readily understood by all readers. 
Perhaps replace with \"access or modify...\"","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"80897ee96a7d580646d35ca125c67cc35f2a903f","unresolved":false,"context_lines":[{"line_number":110,"context_line":""},{"line_number":111,"context_line":"   The justification for this change is that we want the default configuration"},{"line_number":112,"context_line":"   to allow for the principle of least privilege in the sense that someone"},{"line_number":113,"context_line":"   who maintains the Cinder *system* does not need to be able to mess with"},{"line_number":114,"context_line":"   the resources owned by any particular project.  Likewise, a support person"},{"line_number":115,"context_line":"   who needs to make changes to a project\u0027s resources to correct a problem"},{"line_number":116,"context_line":"   or to act on behalf of a user does not need to be able to modify the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9475bc0f_fd8f9930","line":113,"range":{"start_line":113,"start_character":65,"end_line":113,"end_character":74},"in_reply_to":"d67303c5_0fb6b96c","updated":"2022-06-07 21:12:45.000000000","message":"Done","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"77056707f1578087fe959c0039f338a5f3d35b05","unresolved":true,"context_lines":[{"line_number":127,"context_line":"   * Cinder does not recognize the ``domain`` scope at all.  So even if you"},{"line_number":128,"context_line":"     successfully request a \"domain-scoped\" token from the Identity service,"},{"line_number":129,"context_line":"     you won\u0027t be able to use it with Cinder.  
Instead, request a"},{"line_number":130,"context_line":"     \"project-scoped\" token for the particular project in your domain"},{"line_number":131,"context_line":"     that you want to act upon."},{"line_number":132,"context_line":"   * Cinder does not recognize a \"system-member\" persona, that is,"},{"line_number":133,"context_line":"     a user with the ``member`` role on a ``system``.  Likewise, cinder"}],"source_content_type":"text/x-rst","patch_set":3,"id":"81e496d4_258e0c7e","line":130,"range":{"start_line":130,"start_character":5,"end_line":130,"end_character":27},"updated":"2022-06-01 19:28:57.000000000","message":"or a \"system-scoped\" token to act upon the Cinder system itself.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"80897ee96a7d580646d35ca125c67cc35f2a903f","unresolved":false,"context_lines":[{"line_number":127,"context_line":"   * Cinder does not recognize the ``domain`` scope at all.  So even if you"},{"line_number":128,"context_line":"     successfully request a \"domain-scoped\" token from the Identity service,"},{"line_number":129,"context_line":"     you won\u0027t be able to use it with Cinder.  Instead, request a"},{"line_number":130,"context_line":"     \"project-scoped\" token for the particular project in your domain"},{"line_number":131,"context_line":"     that you want to act upon."},{"line_number":132,"context_line":"   * Cinder does not recognize a \"system-member\" persona, that is,"},{"line_number":133,"context_line":"     a user with the ``member`` role on a ``system``.  
Likewise, cinder"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1225a8eb_a7d02a56","line":130,"range":{"start_line":130,"start_character":5,"end_line":130,"end_character":27},"in_reply_to":"81e496d4_258e0c7e","updated":"2022-06-07 21:12:45.000000000","message":"Done","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"77056707f1578087fe959c0039f338a5f3d35b05","unresolved":true,"context_lines":[{"line_number":130,"context_line":"     \"project-scoped\" token for the particular project in your domain"},{"line_number":131,"context_line":"     that you want to act upon."},{"line_number":132,"context_line":"   * Cinder does not recognize a \"system-member\" persona, that is,"},{"line_number":133,"context_line":"     a user with the ``member`` role on a ``system``.  Likewise, cinder"},{"line_number":134,"context_line":"     does not recognize a \"system-reader\" persona, that is, a user with"},{"line_number":135,"context_line":"     the ``reader`` role on a ``system``."},{"line_number":136,"context_line":""},{"line_number":137,"context_line":"   More information about roles and scope is available in the `Keystone"}],"source_content_type":"text/x-rst","patch_set":3,"id":"caf5b706_d92df3e1","line":134,"range":{"start_line":133,"start_character":65,"end_line":134,"end_character":49},"updated":"2022-06-01 19:28:57.000000000","message":"This one catches me off guard.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"eb31d69a2a1372782eddf619e9820bc8f7eb861b","unresolved":true,"context_lines":[{"line_number":130,"context_line":"     \"project-scoped\" token for the particular project in your domain"},{"line_number":131,"context_line":"     that you 
want to act upon."},{"line_number":132,"context_line":"   * Cinder does not recognize a \"system-member\" persona, that is,"},{"line_number":133,"context_line":"     a user with the ``member`` role on a ``system``.  Likewise, cinder"},{"line_number":134,"context_line":"     does not recognize a \"system-reader\" persona, that is, a user with"},{"line_number":135,"context_line":"     the ``reader`` role on a ``system``."},{"line_number":136,"context_line":""},{"line_number":137,"context_line":"   More information about roles and scope is available in the `Keystone"}],"source_content_type":"text/x-rst","patch_set":3,"id":"a12000e7_12c06162","line":134,"range":{"start_line":133,"start_character":65,"end_line":134,"end_character":49},"in_reply_to":"5b599fa3_a96a5756","updated":"2022-06-07 22:09:34.000000000","message":"yeah, only once we enable scope by default and it is not configurable can we introduce more personas in system scope, like system_reader, system_member, etc.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"80897ee96a7d580646d35ca125c67cc35f2a903f","unresolved":true,"context_lines":[{"line_number":130,"context_line":"     \"project-scoped\" token for the particular project in your domain"},{"line_number":131,"context_line":"     that you want to act upon."},{"line_number":132,"context_line":"   * Cinder does not recognize a \"system-member\" persona, that is,"},{"line_number":133,"context_line":"     a user with the ``member`` role on a ``system``.  
Likewise, cinder"},{"line_number":134,"context_line":"     does not recognize a \"system-reader\" persona, that is, a user with"},{"line_number":135,"context_line":"     the ``reader`` role on a ``system``."},{"line_number":136,"context_line":""},{"line_number":137,"context_line":"   More information about roles and scope is available in the `Keystone"}],"source_content_type":"text/x-rst","patch_set":3,"id":"5b599fa3_a96a5756","line":134,"range":{"start_line":133,"start_character":65,"end_line":134,"end_character":49},"in_reply_to":"caf5b706_d92df3e1","updated":"2022-06-07 21:12:45.000000000","message":"Well, this is for Zed.  The Zed policies need to work whether enforce_scope is enabled or not; if it\u0027s not enabled, a user with the \u0027reader\u0027 role would be able to read system-scoped stuff.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"77056707f1578087fe959c0039f338a5f3d35b05","unresolved":true,"context_lines":[{"line_number":170,"context_line":"(and throughout OpenStack) in multiple phases.  This section describes the"},{"line_number":171,"context_line":"personas implemented during the Zed development cycle."},{"line_number":172,"context_line":""},{"line_number":173,"context_line":".. list-table:: The 5 Zed Personas"},{"line_number":174,"context_line":"   :header-rows: 1"},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"   * - who"}],"source_content_type":"text/x-rst","patch_set":3,"id":"2585be64_fd95ab9f","line":173,"range":{"start_line":173,"start_character":16,"end_line":173,"end_character":34},"updated":"2022-06-01 19:28:57.000000000","message":"Just a quick thought, for consideration. 
You could add another column to indicate whether the persona was implemented in Xena or if it\u0027s new for Zed.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"80897ee96a7d580646d35ca125c67cc35f2a903f","unresolved":true,"context_lines":[{"line_number":170,"context_line":"(and throughout OpenStack) in multiple phases.  This section describes the"},{"line_number":171,"context_line":"personas implemented during the Zed development cycle."},{"line_number":172,"context_line":""},{"line_number":173,"context_line":".. list-table:: The 5 Zed Personas"},{"line_number":174,"context_line":"   :header-rows: 1"},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"   * - who"}],"source_content_type":"text/x-rst","patch_set":3,"id":"720b6bdd_5e1d40c3","line":173,"range":{"start_line":173,"start_character":16,"end_line":173,"end_character":34},"in_reply_to":"2585be64_fd95ab9f","updated":"2022-06-07 21:12:45.000000000","message":"I actually started to do this, but the problem is that the system-admin persona is introduced in Xena, but will have different powers in Zed if we proceed with the strong system API/project API split, so I think the \"release introduced\" column would be more misleading than helpful.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"77056707f1578087fe959c0039f338a5f3d35b05","unresolved":true,"context_lines":[{"line_number":271,"context_line":"     - system-admin"},{"line_number":272,"context_line":"   * - List messages"},{"line_number":273,"context_line":"     - ``GET  /messages``"},{"line_number":274,"context_line":"     - Project"},{"line_number":275,"context_line":"     - message:get_all"},{"line_number":276,"context_line":"     
- yes"},{"line_number":277,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":3,"id":"033cf461_3d9360ae","line":274,"updated":"2022-06-01 19:28:57.000000000","message":"So this is an interesting situation. Looking at [1], it does seem the User Messages are project-oriented. Are we concluding User Messages won\u0027t ever be associated with the Cinder system?\n\n[1] https://opendev.org/openstack/cinder/src/branch/master/cinder/message/message_field.py","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"80897ee96a7d580646d35ca125c67cc35f2a903f","unresolved":true,"context_lines":[{"line_number":271,"context_line":"     - system-admin"},{"line_number":272,"context_line":"   * - List messages"},{"line_number":273,"context_line":"     - ``GET  /messages``"},{"line_number":274,"context_line":"     - Project"},{"line_number":275,"context_line":"     - message:get_all"},{"line_number":276,"context_line":"     - yes"},{"line_number":277,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":3,"id":"08367e63_953cff80","line":274,"in_reply_to":"033cf461_3d9360ae","updated":"2022-06-07 21:12:45.000000000","message":"Yes, the User Messages are explicitly designed for communication with end users (the idea being that a cinder administrator has access to the logs, where there is more detailed info).","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"77056707f1578087fe959c0039f338a5f3d35b05","unresolved":true,"context_lines":[{"line_number":458,"context_line":"   * - List (in detail) of snapshots which are available to manage"},{"line_number":459,"context_line":"     - | ``GET  
/manageable_snapshots``"},{"line_number":460,"context_line":"       | ``GET  /manageable_snapshots/detail``"},{"line_number":461,"context_line":"     - System"},{"line_number":462,"context_line":"     - snapshot_extension:list_manageable"},{"line_number":463,"context_line":"     - no"},{"line_number":464,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bb0a4650_170ca100","line":461,"updated":"2022-06-01 19:28:57.000000000","message":"What\u0027s the thinking here?\n- It seems odd that a system-admin can list them, but cannot do anything with them.\n- Conversely, it seems odd that a project-admin can manage a snapshot, but cannot find out it\u0027s manageable (by listing the ones available to manage).\n\nMaybe this just means the system-admin and project-admin (assuming they\u0027re not the same person) are forced to collaborate?","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"80897ee96a7d580646d35ca125c67cc35f2a903f","unresolved":true,"context_lines":[{"line_number":458,"context_line":"   * - List (in detail) of snapshots which are available to manage"},{"line_number":459,"context_line":"     - | ``GET  /manageable_snapshots``"},{"line_number":460,"context_line":"       | ``GET  /manageable_snapshots/detail``"},{"line_number":461,"context_line":"     - System"},{"line_number":462,"context_line":"     - snapshot_extension:list_manageable"},{"line_number":463,"context_line":"     - no"},{"line_number":464,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"25fe0414_f3122d8f","line":461,"in_reply_to":"bb0a4650_170ca100","updated":"2022-06-07 21:12:45.000000000","message":"Yes, it\u0027s a forced collaboration.  
The system-admin can list them, since they\u0027re not associated with any project, but a project-admin will have to actually manage them into a project.  (Not sure how workable that will be in practice.)","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"77056707f1578087fe959c0039f338a5f3d35b05","unresolved":true,"context_lines":[{"line_number":775,"context_line":"       | ``GET  /group_types/default``"},{"line_number":776,"context_line":"       | ``GET  /group_types/{group_type_id}``"},{"line_number":777,"context_line":"       | These calls are not governed by a policy."},{"line_number":778,"context_line":"     - Mixed"},{"line_number":779,"context_line":"     - group:access_group_types_specs"},{"line_number":780,"context_line":"     - no"},{"line_number":781,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"a5400f4b_eb4cf76c","line":778,"range":{"start_line":778,"start_character":7,"end_line":778,"end_character":12},"updated":"2022-06-01 19:28:57.000000000","message":"The use of \"Mixed\" is a good way for readers, and reviewers of this patch, to locate the \"interesting\" policies. 
It conveys the need to pay attention when the policy\u0027s scope is mixed.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"80897ee96a7d580646d35ca125c67cc35f2a903f","unresolved":false,"context_lines":[{"line_number":775,"context_line":"       | ``GET  /group_types/default``"},{"line_number":776,"context_line":"       | ``GET  /group_types/{group_type_id}``"},{"line_number":777,"context_line":"       | These calls are not governed by a policy."},{"line_number":778,"context_line":"     - Mixed"},{"line_number":779,"context_line":"     - group:access_group_types_specs"},{"line_number":780,"context_line":"     - no"},{"line_number":781,"context_line":"     - no"}],"source_content_type":"text/x-rst","patch_set":3,"id":"55c757a7_090eebd2","line":778,"range":{"start_line":778,"start_character":7,"end_line":778,"end_character":12},"in_reply_to":"a5400f4b_eb4cf76c","updated":"2022-06-07 21:12:45.000000000","message":"Ack","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"77056707f1578087fe959c0039f338a5f3d35b05","unresolved":true,"context_lines":[{"line_number":1150,"context_line":"     - yes"},{"line_number":1151,"context_line":"     - yes"},{"line_number":1152,"context_line":"     - both system- and project-admin should be able to update"},{"line_number":1153,"context_line":"       these for a project (??)"},{"line_number":1154,"context_line":"   * - Delete project quota"},{"line_number":1155,"context_line":"     - ``DELETE  /os-quota-sets/{project_id}``"},{"line_number":1156,"context_line":"     - 
Mixed"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa9921a7_440f84b6","line":1153,"range":{"start_line":1153,"start_character":27,"end_line":1153,"end_character":31},"updated":"2022-06-01 19:28:57.000000000","message":"Hmm, yeah. Does a project\u0027s quota affect the system? If it does then this feels like a system-admin thing. But if it only affects quotas *within* a project, then it would only seem to be a project-admin\u0027s business.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"80897ee96a7d580646d35ca125c67cc35f2a903f","unresolved":true,"context_lines":[{"line_number":1150,"context_line":"     - yes"},{"line_number":1151,"context_line":"     - yes"},{"line_number":1152,"context_line":"     - both system- and project-admin should be able to update"},{"line_number":1153,"context_line":"       these for a project (??)"},{"line_number":1154,"context_line":"   * - Delete project quota"},{"line_number":1155,"context_line":"     - ``DELETE  /os-quota-sets/{project_id}``"},{"line_number":1156,"context_line":"     - Mixed"}],"source_content_type":"text/x-rst","patch_set":3,"id":"b63cf157_e6bae42e","line":1153,"range":{"start_line":1153,"start_character":27,"end_line":1153,"end_character":31},"in_reply_to":"fa9921a7_440f84b6","updated":"2022-06-07 21:12:45.000000000","message":"Yeah, I\u0027m really not sure about this or the next one.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"77056707f1578087fe959c0039f338a5f3d35b05","unresolved":true,"context_lines":[{"line_number":1161,"context_line":"     - yes"},{"line_number":1162,"context_line":"     - yes"},{"line_number":1163,"context_line":"     - both system- and project-admin should be able to 
delete"},{"line_number":1164,"context_line":"       these for a project (??)"},{"line_number":1165,"context_line":""},{"line_number":1166,"context_line":".. list-table:: Capabilities"},{"line_number":1167,"context_line":"   :header-rows: 1"}],"source_content_type":"text/x-rst","patch_set":3,"id":"c1b56d15_4d36cba3","line":1164,"range":{"start_line":1164,"start_character":27,"end_line":1164,"end_character":31},"updated":"2022-06-01 19:28:57.000000000","message":"ditto.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"77056707f1578087fe959c0039f338a5f3d35b05","unresolved":true,"context_lines":[{"line_number":1336,"context_line":"     - no"},{"line_number":1337,"context_line":"     - no"},{"line_number":1338,"context_line":"     - no"},{"line_number":1339,"context_line":"     - no"},{"line_number":1340,"context_line":"     - yes"},{"line_number":1341,"context_line":"     -"},{"line_number":1342,"context_line":"   * - Manage existing volumes"},{"line_number":1343,"context_line":"     - ``POST  /manageable_volumes``"}],"source_content_type":"text/x-rst","patch_set":3,"id":"146dc829_f93a38c7","line":1340,"range":{"start_line":1339,"start_character":0,"end_line":1340,"end_character":10},"updated":"2022-06-01 19:28:57.000000000","message":"See my previous comments about manageable snapshots. Something feels off to me when a system-admin can list which volumes can be managed, but they cannot manage any of them (L1350). Conversely, a project-admin can manage a volume (L1349), but they cannot get a list of ones that are manageable. 
As I noted before, is this a way to force the two admins to collaborate?","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"80897ee96a7d580646d35ca125c67cc35f2a903f","unresolved":true,"context_lines":[{"line_number":1336,"context_line":"     - no"},{"line_number":1337,"context_line":"     - no"},{"line_number":1338,"context_line":"     - no"},{"line_number":1339,"context_line":"     - no"},{"line_number":1340,"context_line":"     - yes"},{"line_number":1341,"context_line":"     -"},{"line_number":1342,"context_line":"   * - Manage existing volumes"},{"line_number":1343,"context_line":"     - ``POST  /manageable_volumes``"}],"source_content_type":"text/x-rst","patch_set":3,"id":"617ca021_16d2b46b","line":1340,"range":{"start_line":1339,"start_character":0,"end_line":1340,"end_character":10},"in_reply_to":"146dc829_f93a38c7","updated":"2022-06-07 21:12:45.000000000","message":"Yeah, the idea is that the system-admin will hand a project-admin a list of volumes to manage for the project(s) of which that person is a project-admin.  
(Not sure it\u0027s a *good* idea, though.)","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"77056707f1578087fe959c0039f338a5f3d35b05","unresolved":true,"context_lines":[{"line_number":1527,"context_line":"       | The ability to make these API calls is governed by other policies."},{"line_number":1528,"context_line":"     - Mixed"},{"line_number":1529,"context_line":"     - volume_extension:volume_type_access"},{"line_number":1530,"context_line":"     - no (should be \u0027yes\u0027?)"},{"line_number":1531,"context_line":"     - yes"},{"line_number":1532,"context_line":"     - yes"},{"line_number":1533,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":3,"id":"d186a0d1_4dd98946","line":1530,"range":{"start_line":1530,"start_character":11,"end_line":1530,"end_character":27},"updated":"2022-06-01 19:28:57.000000000","message":"That\u0027s a good question. 
The legacy rule was \"admin or owner,\" and I don\u0027t recall why we would preclude a project-reader from seeing this.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"80897ee96a7d580646d35ca125c67cc35f2a903f","unresolved":true,"context_lines":[{"line_number":1527,"context_line":"       | The ability to make these API calls is governed by other policies."},{"line_number":1528,"context_line":"     - Mixed"},{"line_number":1529,"context_line":"     - volume_extension:volume_type_access"},{"line_number":1530,"context_line":"     - no (should be \u0027yes\u0027?)"},{"line_number":1531,"context_line":"     - yes"},{"line_number":1532,"context_line":"     - yes"},{"line_number":1533,"context_line":"     - yes"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ddad0e48_b9677fbf","line":1530,"range":{"start_line":1530,"start_character":11,"end_line":1530,"end_character":27},"in_reply_to":"d186a0d1_4dd98946","updated":"2022-06-07 21:12:45.000000000","message":"Yeah, I can\u0027t remember whether we had a reason for this, or just missed it in Xena.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"77056707f1578087fe959c0039f338a5f3d35b05","unresolved":true,"context_lines":[{"line_number":1542,"context_line":"     - no"},{"line_number":1543,"context_line":"     - no"},{"line_number":1544,"context_line":"     - no"},{"line_number":1545,"context_line":"     - yes"},{"line_number":1546,"context_line":"     - no"},{"line_number":1547,"context_line":"     -"},{"line_number":1548,"context_line":"   * - Add volume type access for project"},{"line_number":1549,"context_line":"     - ``POST  /types/{type_id}/action`` 
(addProjectAccess)"}],"source_content_type":"text/x-rst","patch_set":3,"id":"0dbe772a_16b858e3","line":1546,"range":{"start_line":1545,"start_character":0,"end_line":1546,"end_character":9},"updated":"2022-06-01 19:28:57.000000000","message":"What\u0027s the benefit to a project-admin to see the list of projects that have access to this type?\n\nAnd if a system-admin has no business knowing which projects have access to a type, then I guess I\u0027ve lost track of the use cases for this API method. Who does it serve?","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"80897ee96a7d580646d35ca125c67cc35f2a903f","unresolved":true,"context_lines":[{"line_number":1542,"context_line":"     - no"},{"line_number":1543,"context_line":"     - no"},{"line_number":1544,"context_line":"     - no"},{"line_number":1545,"context_line":"     - yes"},{"line_number":1546,"context_line":"     - no"},{"line_number":1547,"context_line":"     -"},{"line_number":1548,"context_line":"   * - Add volume type access for project"},{"line_number":1549,"context_line":"     - ``POST  /types/{type_id}/action`` (addProjectAccess)"}],"source_content_type":"text/x-rst","patch_set":3,"id":"7bc1d8b4_06e6ee31","line":1546,"range":{"start_line":1545,"start_character":0,"end_line":1546,"end_character":9},"in_reply_to":"0dbe772a_16b858e3","updated":"2022-06-07 21:12:45.000000000","message":"Good question, and I am not sure.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"77056707f1578087fe959c0039f338a5f3d35b05","unresolved":true,"context_lines":[{"line_number":2094,"context_line":"     - yes"},{"line_number":2095,"context_line":"     - yes"},{"line_number":2096,"context_line":"     - 
no"},{"line_number":2097,"context_line":"     - Should this be \u0027Mixed\u0027?  The system-admin might need to know, for"},{"line_number":2098,"context_line":"       example, what volumes are on some host, or how many volumes some"},{"line_number":2099,"context_line":"       project owns."},{"line_number":2100,"context_line":"   * - Update volume or update a volume\u0027s bootable status"},{"line_number":2101,"context_line":"     - | ``PUT  /volumes``"},{"line_number":2102,"context_line":"       | ``POST  /volumes/{volume_id}/action`` (os-set_bootable)"}],"source_content_type":"text/x-rst","patch_set":3,"id":"5eccdf60_31444833","line":2099,"range":{"start_line":2097,"start_character":7,"end_line":2099,"end_character":20},"updated":"2022-06-01 19:28:57.000000000","message":"Maybe we need to handle this in a manner similar to \"user visible extra-specs.\" It\u0027s reasonable for a system-admin to have some knowledge of the volumes, but /detail will return a lot of the data that\u0027s clearly project specific. Conceptually, we could filter the data in the response when the context is system scoped. Not sure if it should be coded that way, or if we should add another policy to control whether project specific details are returned.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"80897ee96a7d580646d35ca125c67cc35f2a903f","unresolved":true,"context_lines":[{"line_number":2094,"context_line":"     - yes"},{"line_number":2095,"context_line":"     - yes"},{"line_number":2096,"context_line":"     - no"},{"line_number":2097,"context_line":"     - Should this be \u0027Mixed\u0027?  
The system-admin might need to know, for"},{"line_number":2098,"context_line":"       example, what volumes are on some host, or how many volumes some"},{"line_number":2099,"context_line":"       project owns."},{"line_number":2100,"context_line":"   * - Update volume or update a volume\u0027s bootable status"},{"line_number":2101,"context_line":"     - | ``PUT  /volumes``"},{"line_number":2102,"context_line":"       | ``POST  /volumes/{volume_id}/action`` (os-set_bootable)"}],"source_content_type":"text/x-rst","patch_set":3,"id":"42b4b098_ab6c94d3","line":2099,"range":{"start_line":2097,"start_character":7,"end_line":2099,"end_character":20},"in_reply_to":"5eccdf60_31444833","updated":"2022-06-07 21:12:45.000000000","message":"Yes, this is a place where the pure system-scoped vs. pure project-scoped breaks down.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"77056707f1578087fe959c0039f338a5f3d35b05","unresolved":true,"context_lines":[{"line_number":2153,"context_line":"     - yes"},{"line_number":2154,"context_line":"     - yes"},{"line_number":2155,"context_line":"     - no"},{"line_number":2156,"context_line":"     - Should be Mixed?  It\u0027s useful to the project-admin, because"},{"line_number":2157,"context_line":"       ``?all_tenants\u003dTrue`` will list all volumes for all projects in"},{"line_number":2158,"context_line":"       their domain.  
Could be useful to system-admin (if they\u0027re allowed"},{"line_number":2159,"context_line":"       to list volumes)."},{"line_number":2160,"context_line":"   * - List or show volume with migration status attribute"},{"line_number":2161,"context_line":"     - | Adds ``os-vol-mig-status-attr:migstat`` to the following responses:"},{"line_number":2162,"context_line":"       | ``GET  /volumes/{volume_id}``"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3f2e867d_10067f59","line":2159,"range":{"start_line":2156,"start_character":5,"end_line":2159,"end_character":24},"updated":"2022-06-01 19:28:57.000000000","message":"This is another aspect of the same consideration. It\u0027s reasonable for a system-admin to have access to *some* volume information, just not all of the project specific details.\n\nMaybe the topic should be highlighted in a note?","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"80897ee96a7d580646d35ca125c67cc35f2a903f","unresolved":true,"context_lines":[{"line_number":2153,"context_line":"     - yes"},{"line_number":2154,"context_line":"     - yes"},{"line_number":2155,"context_line":"     - no"},{"line_number":2156,"context_line":"     - Should be Mixed?  It\u0027s useful to the project-admin, because"},{"line_number":2157,"context_line":"       ``?all_tenants\u003dTrue`` will list all volumes for all projects in"},{"line_number":2158,"context_line":"       their domain.  
Could be useful to system-admin (if they\u0027re allowed"},{"line_number":2159,"context_line":"       to list volumes)."},{"line_number":2160,"context_line":"   * - List or show volume with migration status attribute"},{"line_number":2161,"context_line":"     - | Adds ``os-vol-mig-status-attr:migstat`` to the following responses:"},{"line_number":2162,"context_line":"       | ``GET  /volumes/{volume_id}``"}],"source_content_type":"text/x-rst","patch_set":3,"id":"b8ef0011_e616713e","line":2159,"range":{"start_line":2156,"start_character":5,"end_line":2159,"end_character":24},"in_reply_to":"3f2e867d_10067f59","updated":"2022-06-07 21:12:45.000000000","message":"Yes, I meant it as a comment for reviewers to discuss so we can decide what to do.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"77056707f1578087fe959c0039f338a5f3d35b05","unresolved":true,"context_lines":[{"line_number":2180,"context_line":"     - yes"},{"line_number":2181,"context_line":"     - yes"},{"line_number":2182,"context_line":"     - no"},{"line_number":2183,"context_line":"     - Does it make sense that we allow this but don\u0027t allow project-level"},{"line_number":2184,"context_line":"       read access to the volume type encryption specs?"},{"line_number":2185,"context_line":"   * - Create multiattach capable volume"},{"line_number":2186,"context_line":"     - | Indirectly affects the success of these API calls:"},{"line_number":2187,"context_line":"       | ``POST  /volumes``"}],"source_content_type":"text/x-rst","patch_set":3,"id":"058929aa_74189ad3","line":2184,"range":{"start_line":2183,"start_character":7,"end_line":2184,"end_character":55},"updated":"2022-06-01 19:28:57.000000000","message":"I don\u0027t have an answer, but we need to decide. 
It\u0027s an interesting question, but for expediency we might just kick the can down the road and leave the question for another day.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"77056707f1578087fe959c0039f338a5f3d35b05","unresolved":true,"context_lines":[{"line_number":2228,"context_line":"     - volume_extension:default_get"},{"line_number":2229,"context_line":"     - no"},{"line_number":2230,"context_line":"     - no"},{"line_number":2231,"context_line":"     - yes"},{"line_number":2232,"context_line":"     - yes"},{"line_number":2233,"context_line":"     - no"},{"line_number":2234,"context_line":"     -"}],"source_content_type":"text/x-rst","patch_set":3,"id":"2e18784e_fcdc94ca","line":2231,"range":{"start_line":2231,"start_character":7,"end_line":2231,"end_character":10},"updated":"2022-06-01 19:28:57.000000000","message":"What\u0027s the response when a project-admin specifies another project_id? 
I assume a project-admin should only be able to query their own project, so a 403 response seems correct to me.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"77056707f1578087fe959c0039f338a5f3d35b05","unresolved":true,"context_lines":[{"line_number":2239,"context_line":"     - no"},{"line_number":2240,"context_line":"     - no"},{"line_number":2241,"context_line":"     - no"},{"line_number":2242,"context_line":"     - yes"},{"line_number":2243,"context_line":"     - yes"},{"line_number":2244,"context_line":"     - The system-admin should be able to see what volume types are"},{"line_number":2245,"context_line":"       currently being used as project-level defaults."}],"source_content_type":"text/x-rst","patch_set":3,"id":"acbace12_34407c12","line":2242,"range":{"start_line":2242,"start_character":7,"end_line":2242,"end_character":10},"updated":"2022-06-01 19:28:57.000000000","message":"Why should a project-admin see the default volume types for other projects?","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"80897ee96a7d580646d35ca125c67cc35f2a903f","unresolved":true,"context_lines":[{"line_number":2239,"context_line":"     - no"},{"line_number":2240,"context_line":"     - no"},{"line_number":2241,"context_line":"     - no"},{"line_number":2242,"context_line":"     - yes"},{"line_number":2243,"context_line":"     - yes"},{"line_number":2244,"context_line":"     - The system-admin should be able to see what volume types are"},{"line_number":2245,"context_line":"       currently being used as project-level 
defaults."}],"source_content_type":"text/x-rst","patch_set":3,"id":"47e7f42e_fd3fbb94","line":2242,"range":{"start_line":2242,"start_character":7,"end_line":2242,"end_character":10},"in_reply_to":"acbace12_34407c12","updated":"2022-06-07 21:12:45.000000000","message":"I was thinking maybe to see what the popular types are?  Maybe this should be a \u0027no\u0027?","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"77056707f1578087fe959c0039f338a5f3d35b05","unresolved":true,"context_lines":[{"line_number":2241,"context_line":"     - no"},{"line_number":2242,"context_line":"     - yes"},{"line_number":2243,"context_line":"     - yes"},{"line_number":2244,"context_line":"     - The system-admin should be able to see what volume types are"},{"line_number":2245,"context_line":"       currently being used as project-level defaults."},{"line_number":2246,"context_line":"   * - Unset default type for a project"},{"line_number":2247,"context_line":"     - ``DELETE  /default-types/{project-id}``"},{"line_number":2248,"context_line":"     - Project"}],"source_content_type":"text/x-rst","patch_set":3,"id":"394e5e00_ad3e3296","line":2245,"range":{"start_line":2244,"start_character":7,"end_line":2245,"end_character":54},"updated":"2022-06-01 19:28:57.000000000","message":"I agree, a system-admin should be able to see this.","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"80897ee96a7d580646d35ca125c67cc35f2a903f","unresolved":false,"context_lines":[{"line_number":2241,"context_line":"     - no"},{"line_number":2242,"context_line":"     - yes"},{"line_number":2243,"context_line":"     - yes"},{"line_number":2244,"context_line":"     - The system-admin should be able to see what 
volume types are"},{"line_number":2245,"context_line":"       currently being used as project-level defaults."},{"line_number":2246,"context_line":"   * - Unset default type for a project"},{"line_number":2247,"context_line":"     - ``DELETE  /default-types/{project-id}``"},{"line_number":2248,"context_line":"     - Project"}],"source_content_type":"text/x-rst","patch_set":3,"id":"20d29d58_b492d59d","line":2245,"range":{"start_line":2244,"start_character":7,"end_line":2245,"end_character":54},"in_reply_to":"394e5e00_ad3e3296","updated":"2022-06-07 21:12:45.000000000","message":"Ack","commit_id":"416bb56d6dc2929e0bc48a8d2bcc814feaa4ead0"}]}
