)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"change_message_id":"1fd5a7c2eb93301d871b3687163523023aa5ab5a","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"4b19b1a8_68ed595c","updated":"2025-03-13 18:12:50.000000000","message":"I think we can improve this message by indicating that it is enough to use the service role without admin, we talk about tomorrow.","commit_id":"410c513402077943226deaed3079abbc5d255747"},{"author":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"change_message_id":"ded3c435742df641c4e3e785ee415ef2692f4c66","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"abdc6453_899b5e03","updated":"2025-03-13 18:12:11.000000000","message":"I think we can improve this message by indicating that it is enough to use the service role without admin.","commit_id":"410c513402077943226deaed3079abbc5d255747"},{"author":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"change_message_id":"4428002ac45f0c45d3d4ab33cc590983139bcbee","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"492b44be_4d1bd4e7","in_reply_to":"4b19b1a8_68ed595c","updated":"2025-04-12 20:45:32.000000000","message":"Done","commit_id":"410c513402077943226deaed3079abbc5d255747"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"f1c8b95c6335a07c835289a4f55cdca1fb8ec6d8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"f1b5dfef_e1b159f5","updated":"2025-04-30 18:36:34.000000000","message":"Thanks for taking the time to improve our documentation! Question inline.","commit_id":"df5547ca7ff630eacebd4e02ba283c1ea5e1238f"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"966a69798e97de5e38f60da9b8595f15534b72ad","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"c019b7cb_71d4210d","updated":"2025-10-17 16:22:48.000000000","message":"Sorry to have taken so long to get back to this.  Typo noted inline, but also, I\u0027m still not clear on what\u0027s missing from the current doc, so even with the typo fixed, I\u0027m not sure this is an improvement.  But obviously you ran into an issue and want to make sure other people don\u0027t have the same problem, so I\u0027m probably missing something.  See comment inline.","commit_id":"9d2937612d6c5426036c4dad6f795bb054e2d20a"},{"author":{"_account_id":37632,"name":"Dmitriy Chubinidze","email":"dcu995@gmail.com","username":"chubinidzedr"},"change_message_id":"ba24199358a18838d886d50bd9b96ffcf0319a6e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"2871bb93_2198f0ce","updated":"2025-05-05 14:21:33.000000000","message":"recheck","commit_id":"9d2937612d6c5426036c4dad6f795bb054e2d20a"},{"author":{"_account_id":37632,"name":"Dmitriy Chubinidze","email":"dcu995@gmail.com","username":"chubinidzedr"},"change_message_id":"cd56e732b4aaa362056ab90f38a31971e27552f6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"28efd64f_83f0ac98","updated":"2025-05-04 07:19:31.000000000","message":"recheck","commit_id":"9d2937612d6c5426036c4dad6f795bb054e2d20a"}],"doc/source/configuration/block-storage/service-token.rst":[{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"503afb5c75f8b26522c1b347df59392bfa430b27","unresolved":true,"context_lines":[{"line_number":72,"context_line":"   appropriately on reception."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":".. note::"},{"line_number":75,"context_line":"   Ensure that service roles are correctly set in the service project cause"},{"line_number":76,"context_line":"   it is essential for seamless communication between OpenStack components."},{"line_number":77,"context_line":"   Misconfigurations can lead to authentication failures and"},{"line_number":78,"context_line":"   disrupted service interactions."}],"source_content_type":"text/x-rst","patch_set":2,"id":"2c2417c4_22c9b567","line":75,"range":{"start_line":75,"start_character":10,"end_line":75,"end_character":28},"updated":"2025-03-17 10:01:50.000000000","message":"Because we expect that the default `service` role is used, rather than having multiple roles, `the service role` (singular) would make better sense.","commit_id":"410c513402077943226deaed3079abbc5d255747"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"503afb5c75f8b26522c1b347df59392bfa430b27","unresolved":true,"context_lines":[{"line_number":72,"context_line":"   appropriately on reception."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":".. note::"},{"line_number":75,"context_line":"   Ensure that service roles are correctly set in the service project cause"},{"line_number":76,"context_line":"   it is essential for seamless communication between OpenStack components."},{"line_number":77,"context_line":"   Misconfigurations can lead to authentication failures and"},{"line_number":78,"context_line":"   disrupted service interactions."}],"source_content_type":"text/x-rst","patch_set":2,"id":"e0db5b84_6fd11f79","line":75,"range":{"start_line":75,"start_character":43,"end_line":75,"end_character":69},"updated":"2025-03-17 10:01:50.000000000","message":"assigned between a service user and the service project","commit_id":"410c513402077943226deaed3079abbc5d255747"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"91a3e7c8d561ec31847656f7c21bf81a1bdb77bb","unresolved":true,"context_lines":[{"line_number":72,"context_line":"   appropriately on reception."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":".. note::"},{"line_number":75,"context_line":"   Ensure that service roles are correctly set in the service project cause"},{"line_number":76,"context_line":"   it is essential for seamless communication between OpenStack components."},{"line_number":77,"context_line":"   Misconfigurations can lead to authentication failures and"},{"line_number":78,"context_line":"   disrupted service interactions."}],"source_content_type":"text/x-rst","patch_set":2,"id":"4919cf03_03e64869","line":75,"range":{"start_line":75,"start_character":10,"end_line":75,"end_character":28},"in_reply_to":"12c646c4_d79eb0f1","updated":"2025-03-20 00:05:18.000000000","message":"Nova still requires admin role to interact with neutron. My point is that this section is specifically talking about service role, and this specific feature does not require the admin role (and is supposed to require the service role in the future).","commit_id":"410c513402077943226deaed3079abbc5d255747"},{"author":{"_account_id":37632,"name":"Dmitriy Chubinidze","email":"dcu995@gmail.com","username":"chubinidzedr"},"change_message_id":"b80edaa0890d9c1aef14a852ecbf0c2ecbf167bd","unresolved":true,"context_lines":[{"line_number":72,"context_line":"   appropriately on reception."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":".. note::"},{"line_number":75,"context_line":"   Ensure that service roles are correctly set in the service project cause"},{"line_number":76,"context_line":"   it is essential for seamless communication between OpenStack components."},{"line_number":77,"context_line":"   Misconfigurations can lead to authentication failures and"},{"line_number":78,"context_line":"   disrupted service interactions."}],"source_content_type":"text/x-rst","patch_set":2,"id":"4fcd1e2a_55416fec","line":75,"range":{"start_line":75,"start_character":10,"end_line":75,"end_character":28},"in_reply_to":"2c2417c4_22c9b567","updated":"2025-03-18 18:49:16.000000000","message":"Thank for your reply.\nSo, why f.e. for nova and cinder admin roles are given in service project?\nhttps://docs.openstack.org/nova/2024.2/install/controller-install-rdo.html\nhttps://docs.openstack.org/cinder/2024.2/install/cinder-controller-install-rdo.html","commit_id":"410c513402077943226deaed3079abbc5d255747"},{"author":{"_account_id":37632,"name":"Dmitriy Chubinidze","email":"dcu995@gmail.com","username":"chubinidzedr"},"change_message_id":"3cd6658f17ec9a566f1149debc955516fe5594b7","unresolved":false,"context_lines":[{"line_number":72,"context_line":"   appropriately on reception."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":".. note::"},{"line_number":75,"context_line":"   Ensure that service roles are correctly set in the service project cause"},{"line_number":76,"context_line":"   it is essential for seamless communication between OpenStack components."},{"line_number":77,"context_line":"   Misconfigurations can lead to authentication failures and"},{"line_number":78,"context_line":"   disrupted service interactions."}],"source_content_type":"text/x-rst","patch_set":2,"id":"77a1e130_2587dfc9","line":75,"range":{"start_line":75,"start_character":10,"end_line":75,"end_character":28},"in_reply_to":"4919cf03_03e64869","updated":"2025-03-23 23:22:10.000000000","message":"Done","commit_id":"410c513402077943226deaed3079abbc5d255747"},{"author":{"_account_id":37632,"name":"Dmitriy Chubinidze","email":"dcu995@gmail.com","username":"chubinidzedr"},"change_message_id":"2ed80ba28363ac38ad608e29c59f5cb3c3d44971","unresolved":true,"context_lines":[{"line_number":72,"context_line":"   appropriately on reception."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":".. note::"},{"line_number":75,"context_line":"   Ensure that service roles are correctly set in the service project cause"},{"line_number":76,"context_line":"   it is essential for seamless communication between OpenStack components."},{"line_number":77,"context_line":"   Misconfigurations can lead to authentication failures and"},{"line_number":78,"context_line":"   disrupted service interactions."}],"source_content_type":"text/x-rst","patch_set":2,"id":"12c646c4_d79eb0f1","line":75,"range":{"start_line":75,"start_character":10,"end_line":75,"end_character":28},"in_reply_to":"4fcd1e2a_55416fec","updated":"2025-03-19 17:19:24.000000000","message":"Also if we look at this review https://review.opendev.org/c/openstack/neutron/+/861169, I can suppose that\nnova should be still unable to function correctly withou an admin role.","commit_id":"410c513402077943226deaed3079abbc5d255747"},{"author":{"_account_id":37632,"name":"Dmitriy Chubinidze","email":"dcu995@gmail.com","username":"chubinidzedr"},"change_message_id":"3cd6658f17ec9a566f1149debc955516fe5594b7","unresolved":false,"context_lines":[{"line_number":72,"context_line":"   appropriately on reception."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":".. note::"},{"line_number":75,"context_line":"   Ensure that service roles are correctly set in the service project cause"},{"line_number":76,"context_line":"   it is essential for seamless communication between OpenStack components."},{"line_number":77,"context_line":"   Misconfigurations can lead to authentication failures and"},{"line_number":78,"context_line":"   disrupted service interactions."}],"source_content_type":"text/x-rst","patch_set":2,"id":"6b597dd2_cb076306","line":75,"range":{"start_line":75,"start_character":43,"end_line":75,"end_character":69},"in_reply_to":"e0db5b84_6fd11f79","updated":"2025-03-23 23:22:10.000000000","message":"Done","commit_id":"410c513402077943226deaed3079abbc5d255747"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"503afb5c75f8b26522c1b347df59392bfa430b27","unresolved":true,"context_lines":[{"line_number":73,"context_line":""},{"line_number":74,"context_line":".. note::"},{"line_number":75,"context_line":"   Ensure that service roles are correctly set in the service project cause"},{"line_number":76,"context_line":"   it is essential for seamless communication between OpenStack components."},{"line_number":77,"context_line":"   Misconfigurations can lead to authentication failures and"},{"line_number":78,"context_line":"   disrupted service interactions."},{"line_number":79,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"353b0718_7af01f01","line":76,"range":{"start_line":76,"start_character":3,"end_line":76,"end_character":75},"updated":"2025-03-17 10:01:50.000000000","message":"This is not really true, because the service role is not yet widely implemented.\n\nThe main reason why you need service role here is that keystonemiddelware may later require the role to use service token.","commit_id":"410c513402077943226deaed3079abbc5d255747"},{"author":{"_account_id":37632,"name":"Dmitriy Chubinidze","email":"dcu995@gmail.com","username":"chubinidzedr"},"change_message_id":"3cd6658f17ec9a566f1149debc955516fe5594b7","unresolved":false,"context_lines":[{"line_number":73,"context_line":""},{"line_number":74,"context_line":".. note::"},{"line_number":75,"context_line":"   Ensure that service roles are correctly set in the service project cause"},{"line_number":76,"context_line":"   it is essential for seamless communication between OpenStack components."},{"line_number":77,"context_line":"   Misconfigurations can lead to authentication failures and"},{"line_number":78,"context_line":"   disrupted service interactions."},{"line_number":79,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"f5dcf46b_dd6d3e8a","line":76,"range":{"start_line":76,"start_character":3,"end_line":76,"end_character":75},"in_reply_to":"353b0718_7af01f01","updated":"2025-03-23 23:22:10.000000000","message":"Done","commit_id":"410c513402077943226deaed3079abbc5d255747"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"f1c8b95c6335a07c835289a4f55cdca1fb8ec6d8","unresolved":true,"context_lines":[{"line_number":72,"context_line":"   appropriately on reception."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":".. note::"},{"line_number":75,"context_line":"   Ensure that the service role is properly assigned between a service user"},{"line_number":76,"context_line":"   and the service project, as keystonemiddleware may require this role"},{"line_number":77,"context_line":"   for using a service token. Misconfigurations can lead to authentication"},{"line_number":78,"context_line":"   failures and disrupted service interactions."},{"line_number":79,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"e4223f51_3dfc7af9","line":76,"range":{"start_line":75,"start_character":3,"end_line":76,"end_character":27},"updated":"2025-04-30 18:36:34.000000000","message":"Could you please explain this some more, or give a reference to the keystone docs?  My understanding is that Keystone allows you to assign a roles to users, but you cannot assign roles to projects, so I\u0027m not clear on what exactly an operator is supposed to do here.\n\nAlso, is this already covered in lines 212-217 in the \"Troubleshooting\" section of this document?","commit_id":"df5547ca7ff630eacebd4e02ba283c1ea5e1238f"},{"author":{"_account_id":37632,"name":"Dmitriy Chubinidze","email":"dcu995@gmail.com","username":"chubinidzedr"},"change_message_id":"d0060aa58fd812ab784a2b0283b436c6e4d82626","unresolved":false,"context_lines":[{"line_number":72,"context_line":"   appropriately on reception."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":".. note::"},{"line_number":75,"context_line":"   Ensure that the service role is properly assigned between a service user"},{"line_number":76,"context_line":"   and the service project, as keystonemiddleware may require this role"},{"line_number":77,"context_line":"   for using a service token. Misconfigurations can lead to authentication"},{"line_number":78,"context_line":"   failures and disrupted service interactions."},{"line_number":79,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"8ade83f2_af447c46","line":76,"range":{"start_line":75,"start_character":3,"end_line":76,"end_character":27},"in_reply_to":"e4223f51_3dfc7af9","updated":"2025-05-03 20:02:27.000000000","message":"Thanks, Brian, for your reply.\nIn this section the question was about roles for service in service project, not for project itself. Although, you were right, that in lines 212-217 this process was already described, I\u0027ve just added a little more details in it.","commit_id":"df5547ca7ff630eacebd4e02ba283c1ea5e1238f"},{"author":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"change_message_id":"c0b5ea3bec6c0f22fffbc4340cf8e7c2ac994b07","unresolved":true,"context_lines":[{"line_number":201,"context_line":"       requires Keystone validation (for example, the Swift backend) and the"},{"line_number":202,"context_line":"       user token has expired."},{"line_number":203,"context_line":""},{"line_number":204,"context_line":"2.  There are several things to pay attention to in Keystone:"},{"line_number":205,"context_line":""},{"line_number":206,"context_line":"    * When ``service_token_roles_required`` is enabled you must make sure that"},{"line_number":207,"context_line":"      any service user who will be contacting that receiving service (and for"}],"source_content_type":"text/x-rst","patch_set":5,"id":"d001e3d7_e63435cc","line":204,"updated":"2025-05-03 20:35:15.000000000","message":"may be bold?","commit_id":"9d2937612d6c5426036c4dad6f795bb054e2d20a"},{"author":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"change_message_id":"d654fb61829682379d2dbf19e1127cd76fbd0f4a","unresolved":true,"context_lines":[{"line_number":201,"context_line":"       requires Keystone validation (for example, the Swift backend) and the"},{"line_number":202,"context_line":"       user token has expired."},{"line_number":203,"context_line":""},{"line_number":204,"context_line":"2.  There are several things to pay attention to in Keystone:"},{"line_number":205,"context_line":""},{"line_number":206,"context_line":"    * When ``service_token_roles_required`` is enabled you must make sure that"},{"line_number":207,"context_line":"      any service user who will be contacting that receiving service (and for"}],"source_content_type":"text/x-rst","patch_set":5,"id":"83ee185a_7f3d9e11","line":204,"in_reply_to":"d001e3d7_e63435cc","updated":"2025-05-05 14:55:47.000000000","message":"@dcu995@gmail.com","commit_id":"9d2937612d6c5426036c4dad6f795bb054e2d20a"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"966a69798e97de5e38f60da9b8595f15534b72ad","unresolved":true,"context_lines":[{"line_number":208,"context_line":"      whom you want to enable \"service token\" usage) has one of the roles"},{"line_number":209,"context_line":"      specified in the receiving services\u0027s ``service_token_roles`` setting."},{"line_number":210,"context_line":"      (This is a matter of creating and assigning roles using the Identity"},{"line_number":211,"context_line":"      Service API cause keystonemiddleware may require this role"},{"line_number":212,"context_line":"      for using a service token, it\u0027s not a configuration file issue.)"},{"line_number":213,"context_line":""},{"line_number":214,"context_line":"    * Even with a service token, an expired user token cannot be used"},{"line_number":215,"context_line":"      indefinitely.  There\u0027s a Keystone configuration setting that controls"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1ec4299a_b20ec582","line":212,"range":{"start_line":211,"start_character":18,"end_line":212,"end_character":31},"updated":"2025-10-17 16:22:48.000000000","message":"s/cause/because/\n\nThe point of this parenthetical comment was just to point out that an operator has to fix it using the Identity API, not the config file, so I wouldn\u0027t add this here.   \n\nI think we are already making the point you mention at line 169 (and possibly also in the paragraph before that)?","commit_id":"9d2937612d6c5426036c4dad6f795bb054e2d20a"},{"author":{"_account_id":37632,"name":"Dmitriy Chubinidze","email":"dcu995@gmail.com","username":"chubinidzedr"},"change_message_id":"4e26c2a07ea08d357f7ae4076b3072d89f547f3e","unresolved":false,"context_lines":[{"line_number":208,"context_line":"      whom you want to enable \"service token\" usage) has one of the roles"},{"line_number":209,"context_line":"      specified in the receiving services\u0027s ``service_token_roles`` setting."},{"line_number":210,"context_line":"      (This is a matter of creating and assigning roles using the Identity"},{"line_number":211,"context_line":"      Service API cause keystonemiddleware may require this role"},{"line_number":212,"context_line":"      for using a service token, it\u0027s not a configuration file issue.)"},{"line_number":213,"context_line":""},{"line_number":214,"context_line":"    * Even with a service token, an expired user token cannot be used"},{"line_number":215,"context_line":"      indefinitely.  There\u0027s a Keystone configuration setting that controls"}],"source_content_type":"text/x-rst","patch_set":5,"id":"a1393674_e2ae761f","line":212,"range":{"start_line":211,"start_character":18,"end_line":212,"end_character":31},"in_reply_to":"1ec4299a_b20ec582","updated":"2025-10-20 16:25:17.000000000","message":"Thanks for reply. So in this case I think it\u0027s better to leave it as it is, these line are pretty identical.","commit_id":"9d2937612d6c5426036c4dad6f795bb054e2d20a"}]}