)]}'
{"specs/ussuri/approved/policy-defaults-refresh.rst":[{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"034a298d047cbe5af7897264add534d6663500f9","unresolved":false,"context_lines":[{"line_number":15,"context_line":"Consistent_and_Secure_Default_Policies_Popup_Team [#policy_popup_team] was"},{"line_number":16,"context_line":"built up to track policy refresh for all projects, where Keystone was the lead."},{"line_number":17,"context_line":"Keystone defined ongoing policy goals and roadmaps [#policy-goals-and-roadmap],"},{"line_number":18,"context_line":"default roles[#default-roles], as well as a reclarification of system-scoped"},{"line_number":19,"context_line":"and project-scoped RBAC [#system-scope]. As a member of this popup_team, Cyborg"},{"line_number":20,"context_line":"is also going to follow up policy default refresh."},{"line_number":21,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_57843eb2","line":18,"range":{"start_line":18,"start_character":13,"end_line":18,"end_character":14},"updated":"2020-01-21 09:21:21.000000000","message":"white space.","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6f3782dd9ac62b6bf9675e7eac6a4437440a6b04","unresolved":false,"context_lines":[{"line_number":15,"context_line":"Consistent_and_Secure_Default_Policies_Popup_Team [#policy_popup_team] was"},{"line_number":16,"context_line":"built up to track policy refresh for all projects, where Keystone was the lead."},{"line_number":17,"context_line":"Keystone defined ongoing policy goals and roadmaps [#policy-goals-and-roadmap],"},{"line_number":18,"context_line":"default roles[#default-roles], as well as a reclarification of system-scoped"},{"line_number":19,"context_line":"and project-scoped RBAC [#system-scope]. 
As a member of this popup_team, Cyborg"},{"line_number":20,"context_line":"is also going to follow up policy default refresh."},{"line_number":21,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_62b713fa","line":18,"range":{"start_line":18,"start_character":13,"end_line":18,"end_character":14},"in_reply_to":"3fa7e38b_57843eb2","updated":"2020-01-23 09:07:02.000000000","message":"Done","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"034a298d047cbe5af7897264add534d6663500f9","unresolved":false,"context_lines":[{"line_number":22,"context_line":"Problem description"},{"line_number":23,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"The current default policy in cyborg is incomplete and not good enough."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"1)Since cyborg V2 API is newly implemented in Train, RBAC check for V2 API is"},{"line_number":28,"context_line":"incomplete and needs improvement."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_77813aa0","line":25,"range":{"start_line":25,"start_character":30,"end_line":25,"end_character":31},"updated":"2020-01-21 09:21:21.000000000","message":"C","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6f3782dd9ac62b6bf9675e7eac6a4437440a6b04","unresolved":false,"context_lines":[{"line_number":22,"context_line":"Problem 
description"},{"line_number":23,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"The current default policy in cyborg is incomplete and not good enough."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"1)Since cyborg V2 API is newly implemented in Train, RBAC check for V2 API is"},{"line_number":28,"context_line":"incomplete and needs improvement."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_82bc8fdb","line":25,"range":{"start_line":25,"start_character":30,"end_line":25,"end_character":31},"in_reply_to":"3fa7e38b_77813aa0","updated":"2020-01-23 09:07:02.000000000","message":"Done","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"034a298d047cbe5af7897264add534d6663500f9","unresolved":false,"context_lines":[{"line_number":24,"context_line":""},{"line_number":25,"context_line":"The current default policy in cyborg is incomplete and not good enough."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"1)Since cyborg V2 API is newly implemented in Train, RBAC check for V2 API is"},{"line_number":28,"context_line":"incomplete and needs improvement."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"2)Now cyborg mainly has three policy rules:"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_d7b90e7c","line":27,"range":{"start_line":27,"start_character":8,"end_line":27,"end_character":9},"updated":"2020-01-21 
09:21:21.000000000","message":"C","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6f3782dd9ac62b6bf9675e7eac6a4437440a6b04","unresolved":false,"context_lines":[{"line_number":24,"context_line":""},{"line_number":25,"context_line":"The current default policy in cyborg is incomplete and not good enough."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"1)Since cyborg V2 API is newly implemented in Train, RBAC check for V2 API is"},{"line_number":28,"context_line":"incomplete and needs improvement."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"2)Now cyborg mainly has three policy rules:"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_22ad9ba3","line":27,"range":{"start_line":27,"start_character":8,"end_line":27,"end_character":9},"in_reply_to":"3fa7e38b_d7b90e7c","updated":"2020-01-23 09:07:02.000000000","message":"Done","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"034a298d047cbe5af7897264add534d6663500f9","unresolved":false,"context_lines":[{"line_number":27,"context_line":"1)Since cyborg V2 API is newly implemented in Train, RBAC check for V2 API is"},{"line_number":28,"context_line":"incomplete and needs improvement."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"2)Now cyborg mainly has three policy rules:"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"* allow"},{"line_number":33,"context_line":"* admin_only"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_97af162c","line":30,"range":{"start_line":30,"start_character":6,"end_line":30,"end_character":7},"updated":"2020-01-21 
09:21:21.000000000","message":"C","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6f3782dd9ac62b6bf9675e7eac6a4437440a6b04","unresolved":false,"context_lines":[{"line_number":27,"context_line":"1)Since cyborg V2 API is newly implemented in Train, RBAC check for V2 API is"},{"line_number":28,"context_line":"incomplete and needs improvement."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"2)Now cyborg mainly has three policy rules:"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"* allow"},{"line_number":33,"context_line":"* admin_only"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_e2ca236d","line":30,"range":{"start_line":30,"start_character":6,"end_line":30,"end_character":7},"in_reply_to":"3fa7e38b_97af162c","updated":"2020-01-23 09:07:02.000000000","message":"Done","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"034a298d047cbe5af7897264add534d6663500f9","unresolved":false,"context_lines":[{"line_number":50,"context_line":"With all the above policy rules, there still some cases which are not well"},{"line_number":51,"context_line":"covered. For example, it is impossible to allow a user to retrieve/update"},{"line_number":52,"context_line":"devices which are shared by multiple projects from a system level without"},{"line_number":53,"context_line":"being given the global admin role. In addition, cyborg now doesn\u0027t have a"},{"line_number":54,"context_line":"\"reader\" role."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"Keystone comes with member, admin and reader roles by default. 
We should"},{"line_number":57,"context_line":"use these default roles:"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_374e6290","line":54,"range":{"start_line":53,"start_character":35,"end_line":54,"end_character":14},"updated":"2020-01-21 09:21:21.000000000","message":"yeah, \"reader\" role useful.","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"034a298d047cbe5af7897264add534d6663500f9","unresolved":false,"context_lines":[{"line_number":74,"context_line":"  deployables)"},{"line_number":75,"context_line":"* Add Project Scoped Member (Create device_profiles, arqs)"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"The role needed for each CURD API operation for each object is defined in"},{"line_number":78,"context_line":"[#cyborg-policy]."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"In introducing the above new default permissions, we must ensure:"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_5a0ea533","line":77,"range":{"start_line":77,"start_character":25,"end_line":77,"end_character":29},"updated":"2020-01-21 09:21:21.000000000","message":"CURD means current define?","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6f3782dd9ac62b6bf9675e7eac6a4437440a6b04","unresolved":false,"context_lines":[{"line_number":74,"context_line":"  deployables)"},{"line_number":75,"context_line":"* Add Project Scoped Member (Create device_profiles, arqs)"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"The role needed for each CURD API operation for each object is defined 
in"},{"line_number":78,"context_line":"[#cyborg-policy]."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"In introducing the above new default permissions, we must ensure:"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_c2928755","line":77,"range":{"start_line":77,"start_character":25,"end_line":77,"end_character":29},"in_reply_to":"3fa7e38b_5a0ea533","updated":"2020-01-23 09:07:02.000000000","message":"CRUD stands for Create, Read, Update, and Delete.","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"034a298d047cbe5af7897264add534d6663500f9","unresolved":false,"context_lines":[{"line_number":93,"context_line":"oslo.policy\u0027s \"scope_types\", \u0027system\u0027 and \u0027project\u0027 in cyborg case. And we will"},{"line_number":94,"context_line":"use the DocumentedRuleDefault to update policy and follow the oslo.policy"},{"line_number":95,"context_line":"deprecation workflow, where both old and new policy check strings are active"},{"line_number":96,"context_line":"during the deprecation period."},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"* Add system scoped admin policy"},{"line_number":99,"context_line":"  This policy will be useful for situations where devices are shared by"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_fae99118","line":96,"updated":"2020-01-21 09:21:21.000000000","message":"In U release I think we should keep the old policy work well, and we can consider deprecating the older policy in V release or later.\n\nIn order to compatible older polify, maybe we should add a configuration of this new policy, such as in Nova if we want to use the new policy we should config enforce_scope in nova.conf:\n\n\"enforce_scope config option default value is False which means if token scope does not matches, only a warning is 
logged. This feature can be enabled via config option nova.conf [oslo_policy] enforce_scope\u003dTrue\"\n\nI think we also need add \"enforce_scope\" option via cyborg.conf [oslo_policy].","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"4b7ce60d97ce54791ad45278c74da3c9584b88a7","unresolved":false,"context_lines":[{"line_number":93,"context_line":"oslo.policy\u0027s \"scope_types\", \u0027system\u0027 and \u0027project\u0027 in cyborg case. And we will"},{"line_number":94,"context_line":"use the DocumentedRuleDefault to update policy and follow the oslo.policy"},{"line_number":95,"context_line":"deprecation workflow, where both old and new policy check strings are active"},{"line_number":96,"context_line":"during the deprecation period."},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"* Add system scoped admin policy"},{"line_number":99,"context_line":"  This policy will be useful for situations where devices are shared by"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_35ef131d","line":96,"in_reply_to":"3fa7e38b_fae99118","updated":"2020-01-23 09:53:23.000000000","message":"Good suggestion. 
Done.","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"034a298d047cbe5af7897264add534d6663500f9","unresolved":false,"context_lines":[{"line_number":95,"context_line":"deprecation workflow, where both old and new policy check strings are active"},{"line_number":96,"context_line":"during the deprecation period."},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"* Add system scoped admin policy"},{"line_number":99,"context_line":"  This policy will be useful for situations where devices are shared by"},{"line_number":100,"context_line":"  multiple projects, and we want a system-level admin to operator the devices"},{"line_number":101,"context_line":"  like programming or firmware upgrade. In addition, a system admin is required"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_7a1a8118","line":98,"range":{"start_line":98,"start_character":2,"end_line":98,"end_character":32},"updated":"2020-01-21 09:21:21.000000000","message":"Can we clarify the display form of the system scoped admin policy?","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6f3782dd9ac62b6bf9675e7eac6a4437440a6b04","unresolved":false,"context_lines":[{"line_number":95,"context_line":"deprecation workflow, where both old and new policy check strings are active"},{"line_number":96,"context_line":"during the deprecation period."},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"* Add system scoped admin policy"},{"line_number":99,"context_line":"  This policy will be useful for situations where devices are shared by"},{"line_number":100,"context_line":"  multiple projects, and we want a system-level admin to operator the devices"},{"line_number":101,"context_line":"  like 
programming or firmware upgrade. In addition, a system admin is required"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_159c57bc","line":98,"range":{"start_line":98,"start_character":2,"end_line":98,"end_character":32},"in_reply_to":"3fa7e38b_7a1a8118","updated":"2020-01-23 09:07:02.000000000","message":"emmm.. policy will be associated with each specific API operation.pls see the example here:https://github.com/openstack/nova/blob/3e7e2530f1d0470323916349e01a1f5b11686421/nova/policies/services.py#L49","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"034a298d047cbe5af7897264add534d6663500f9","unresolved":false,"context_lines":[{"line_number":100,"context_line":"  multiple projects, and we want a system-level admin to operator the devices"},{"line_number":101,"context_line":"  like programming or firmware upgrade. In addition, a system admin is required"},{"line_number":102,"context_line":"  to do the service disable/enable things."},{"line_number":103,"context_line":"* Add system scoped reader policy"},{"line_number":104,"context_line":"  This policy will be useful for situations where a read-only role is required"},{"line_number":105,"context_line":"  for a more secure access to devices that are shared by multiple projects in"},{"line_number":106,"context_line":"  a system."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_1a134d04","line":103,"range":{"start_line":103,"start_character":2,"end_line":103,"end_character":33},"updated":"2020-01-21 09:21:21.000000000","message":"ditto","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"034a298d047cbe5af7897264add534d6663500f9","unresolved":false,"context_lines":[{"line_number":104,"context_line":"  This policy 
will be useful for situations where a read-only role is required"},{"line_number":105,"context_line":"  for a more secure access to devices that are shared by multiple projects in"},{"line_number":106,"context_line":"  a system."},{"line_number":107,"context_line":"* Add project scoped reader policy"},{"line_number":108,"context_line":"  Similarly, this policy will be useful for situations where a read-only role"},{"line_number":109,"context_line":"  is required for a more secure access at a project level. For example, some"},{"line_number":110,"context_line":"  users should only have the permission to check and use the resources but"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_dace158e","line":107,"range":{"start_line":107,"start_character":2,"end_line":107,"end_character":34},"updated":"2020-01-21 09:21:21.000000000","message":"ditto","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"034a298d047cbe5af7897264add534d6663500f9","unresolved":false,"context_lines":[{"line_number":109,"context_line":"  is required for a more secure access at a project level. 
For example, some"},{"line_number":110,"context_line":"  users should only have the permission to check and use the resources but"},{"line_number":111,"context_line":"  shouldn\u0027t update the resources."},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"Alternatives"},{"line_number":114,"context_line":"------------"},{"line_number":115,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_dad85525","line":112,"updated":"2020-01-21 09:21:21.000000000","message":"IMO, need to add a Scope to the role:\nI suggestion we can define the role such as:\n\n# just only has the system role, if we are *system_* role, we # can get all projects resource.\nSYSTEM_ADMIN \u003d \u0027rule:admin_api and system_scope:all\u0027\nSYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027\n\n# if we are *project_* role, we just can get his own project\u0027s # resource\nPROJECT_MEMBER \u003d \u0027role:member and project_id:%(project_id)s\u0027\nPROJECT_READER \u003d \u0027role:reader and project_id:%(project_id)s\u0027\n\nPROJECT_MEMBER_OR_SYSTEM_ADMIN \u003d PROJECT_MEMBER + \u0027or\u0027 + SYSTEM_ADMIN\nPROJECT_READER_OR_SYSTEM_READER \u003d PROJECT_READER + \u0027or\u0027 + SYSTEM_READER\n\nYou can review http://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6f3782dd9ac62b6bf9675e7eac6a4437440a6b04","unresolved":false,"context_lines":[{"line_number":109,"context_line":"  is required for a more secure access at a project level. 
For example, some"},{"line_number":110,"context_line":"  users should only have the permission to check and use the resources but"},{"line_number":111,"context_line":"  shouldn\u0027t update the resources."},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"Alternatives"},{"line_number":114,"context_line":"------------"},{"line_number":115,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_35539317","line":112,"in_reply_to":"3fa7e38b_dad85525","updated":"2020-01-23 09:07:02.000000000","message":"yes, that\u0027ll be found in the policy code:\nhttps://review.opendev.org/#/c/699102/6/cyborg/common/policy.py","commit_id":"b8c0a991a0414ad3aafb974a88f568fc064a453b"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"11368238513543e24bc3a225cb1eadeffb8fccdb","unresolved":false,"context_lines":[{"line_number":34,"context_line":"* admin_or_owner"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Firstly \"allow\" means any access will be passed. Now \"allow\" rule is used by"},{"line_number":37,"context_line":"cyborg:arq:create, and this needs further discussion whether this is too"},{"line_number":38,"context_line":"slack. [#role-reassess-discussion]"},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"Secondly \"admin_only\" is used for the global admin that is able to make almost"},{"line_number":41,"context_line":"any change to cyborg, and see all details of the cyborg system."}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_56fb7546","line":38,"range":{"start_line":37,"start_character":19,"end_line":38,"end_character":6},"updated":"2020-01-28 22:58:51.000000000","message":"This is indeed not strict enough, because it means users with the \"reader\" role will be able to use the cyborg:arq:create API, which should not be allowed. 
I think this should be captured here in this spec, not left for further discussion.","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"a24f1f4a9e5959ba41f57c502766996970e0f1a7","unresolved":false,"context_lines":[{"line_number":34,"context_line":"* admin_or_owner"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Firstly \"allow\" means any access will be passed. Now \"allow\" rule is used by"},{"line_number":37,"context_line":"cyborg:arq:create, and this needs further discussion whether this is too"},{"line_number":38,"context_line":"slack. [#role-reassess-discussion]"},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"Secondly \"admin_only\" is used for the global admin that is able to make almost"},{"line_number":41,"context_line":"any change to cyborg, and see all details of the cyborg system."}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_b5c8f84c","line":38,"range":{"start_line":37,"start_character":19,"end_line":38,"end_character":6},"in_reply_to":"3fa7e38b_56fb7546","updated":"2020-02-10 21:13:32.000000000","message":"Done","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9af55f5d5b1606cc2ab41ab5d68e6ca361796094","unresolved":false,"context_lines":[{"line_number":69,"context_line":"* Add System Scoped Admin (disable/enable devices)"},{"line_number":70,"context_line":"* Add System Scoped Reader (list devices)"},{"line_number":71,"context_line":"* Add Project Scoped Reader (list devices,list device_profiles,list arqs etc.)"},{"line_number":72,"context_line":"* Refresh existed admin to Project Scoped Admin (create and delete"},{"line_number":73,"context_line":"  device_profiles, create update and 
delete arqs, patch devices and"},{"line_number":74,"context_line":"  deployables)"},{"line_number":75,"context_line":"* Add Project Scoped Member (Create device_profiles, arqs)"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"The role needed for each CURD API operation for each object is defined in"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_0c10904b","line":74,"range":{"start_line":72,"start_character":0,"end_line":74,"end_character":14},"updated":"2020-01-29 01:01:16.000000000","message":"this is not clear to me. do we need project admin now? if cyborg handles resource at the user level or want to restrict operation at user levels then having project admin is more useful otherwise I think project members should work fine for existing admin.","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"0920eef214f116bf29939f1fd31646454a8c59c3","unresolved":false,"context_lines":[{"line_number":69,"context_line":"* Add System Scoped Admin (disable/enable devices)"},{"line_number":70,"context_line":"* Add System Scoped Reader (list devices)"},{"line_number":71,"context_line":"* Add Project Scoped Reader (list devices,list device_profiles,list arqs etc.)"},{"line_number":72,"context_line":"* Refresh existed admin to Project Scoped Admin (create and delete"},{"line_number":73,"context_line":"  device_profiles, create update and delete arqs, patch devices and"},{"line_number":74,"context_line":"  deployables)"},{"line_number":75,"context_line":"* Add Project Scoped Member (Create device_profiles, arqs)"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"The role needed for each CURD API operation for each object is defined 
in"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_d213ee00","line":74,"range":{"start_line":72,"start_character":0,"end_line":74,"end_character":14},"in_reply_to":"3fa7e38b_0c10904b","updated":"2020-01-29 04:30:18.000000000","message":"I think project member is suitable.","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"a24f1f4a9e5959ba41f57c502766996970e0f1a7","unresolved":false,"context_lines":[{"line_number":69,"context_line":"* Add System Scoped Admin (disable/enable devices)"},{"line_number":70,"context_line":"* Add System Scoped Reader (list devices)"},{"line_number":71,"context_line":"* Add Project Scoped Reader (list devices,list device_profiles,list arqs etc.)"},{"line_number":72,"context_line":"* Refresh existed admin to Project Scoped Admin (create and delete"},{"line_number":73,"context_line":"  device_profiles, create update and delete arqs, patch devices and"},{"line_number":74,"context_line":"  deployables)"},{"line_number":75,"context_line":"* Add Project Scoped Member (Create device_profiles, arqs)"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"The role needed for each CURD API operation for each object is defined in"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_6752c813","line":74,"range":{"start_line":72,"start_character":0,"end_line":74,"end_character":14},"in_reply_to":"3fa7e38b_0c10904b","updated":"2020-02-10 21:13:32.000000000","message":"Thanks for pointing this good question.\nAfter reassessing with the team, we reached some agreement and updated this table in the following link, pls check: https://wiki.openstack.org/wiki/Cyborg/Policy\nIn this table, we do need a project_admin to patch the deployable because that operation is user 
sensitive.","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9af55f5d5b1606cc2ab41ab5d68e6ca361796094","unresolved":false,"context_lines":[{"line_number":108,"context_line":"  Similarly, this policy will be useful for situations where a read-only role"},{"line_number":109,"context_line":"  is required for a more secure access at a project level. For example, some"},{"line_number":110,"context_line":"  users should only have the permission to check and use the resources but"},{"line_number":111,"context_line":"  shouldn\u0027t update the resources."},{"line_number":112,"context_line":"* Add config option: /etc/cyborg.conf [oslo_policy] enforce_scope\u003dFalse"},{"line_number":113,"context_line":"  Since all cyborg policy rules will be covered with appropriate oslo.policy’s"},{"line_number":114,"context_line":"  “scope_types”, ‘system’ or ‘project’ in the future. During the migration"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_4c38c8c9","line":111,"range":{"start_line":111,"start_character":32,"end_line":111,"end_character":33},"updated":"2020-01-29 01:01:16.000000000","message":"how about project member? you mentioned that in use case section","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"a24f1f4a9e5959ba41f57c502766996970e0f1a7","unresolved":false,"context_lines":[{"line_number":108,"context_line":"  Similarly, this policy will be useful for situations where a read-only role"},{"line_number":109,"context_line":"  is required for a more secure access at a project level. 
For example, some"},{"line_number":110,"context_line":"  users should only have the permission to check and use the resources but"},{"line_number":111,"context_line":"  shouldn\u0027t update the resources."},{"line_number":112,"context_line":"* Add config option: /etc/cyborg.conf [oslo_policy] enforce_scope\u003dFalse"},{"line_number":113,"context_line":"  Since all cyborg policy rules will be covered with appropriate oslo.policy’s"},{"line_number":114,"context_line":"  “scope_types”, ‘system’ or ‘project’ in the future. During the migration"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_a7752099","line":111,"range":{"start_line":111,"start_character":32,"end_line":111,"end_character":33},"in_reply_to":"3fa7e38b_4c38c8c9","updated":"2020-02-10 21:13:32.000000000","message":"ditto.pls check the table.","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"11368238513543e24bc3a225cb1eadeffb8fccdb","unresolved":false,"context_lines":[{"line_number":109,"context_line":"  is required for a more secure access at a project level. For example, some"},{"line_number":110,"context_line":"  users should only have the permission to check and use the resources but"},{"line_number":111,"context_line":"  shouldn\u0027t update the resources."},{"line_number":112,"context_line":"* Add config option: /etc/cyborg.conf [oslo_policy] enforce_scope\u003dFalse"},{"line_number":113,"context_line":"  Since all cyborg policy rules will be covered with appropriate oslo.policy’s"},{"line_number":114,"context_line":"  “scope_types”, ‘system’ or ‘project’ in the future. 
During the migration"},{"line_number":115,"context_line":"  steps, we need to allow for operators to migrate off of the old policy"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_566e15fe","line":112,"updated":"2020-01-28 22:58:51.000000000","message":"This is provided by oslo.policy\u0027s config loader, it doesn\u0027t need to be explicitly added to cyborg.\n\nhttps://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"31477cede83e2becd75c23d50992190fbcd1e621","unresolved":false,"context_lines":[{"line_number":109,"context_line":"  is required for a more secure access at a project level. For example, some"},{"line_number":110,"context_line":"  users should only have the permission to check and use the resources but"},{"line_number":111,"context_line":"  shouldn\u0027t update the resources."},{"line_number":112,"context_line":"* Add config option: /etc/cyborg.conf [oslo_policy] enforce_scope\u003dFalse"},{"line_number":113,"context_line":"  Since all cyborg policy rules will be covered with appropriate oslo.policy’s"},{"line_number":114,"context_line":"  “scope_types”, ‘system’ or ‘project’ in the future. During the migration"},{"line_number":115,"context_line":"  steps, we need to allow for operators to migrate off of the old policy"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_4352c712","line":112,"in_reply_to":"3fa7e38b_127ae623","updated":"2020-01-29 19:47:52.000000000","message":"I\u0027m not saying it\u0027s not necessary. 
I\u0027m saying you get it for free when you use oslo.policy, you don\u0027t need to take action to add it.","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"566e0997eb548a6733cb4536a7e42daecf2b314a","unresolved":false,"context_lines":[{"line_number":109,"context_line":"  is required for a more secure access at a project level. For example, some"},{"line_number":110,"context_line":"  users should only have the permission to check and use the resources but"},{"line_number":111,"context_line":"  shouldn\u0027t update the resources."},{"line_number":112,"context_line":"* Add config option: /etc/cyborg.conf [oslo_policy] enforce_scope\u003dFalse"},{"line_number":113,"context_line":"  Since all cyborg policy rules will be covered with appropriate oslo.policy’s"},{"line_number":114,"context_line":"  “scope_types”, ‘system’ or ‘project’ in the future. During the migration"},{"line_number":115,"context_line":"  steps, we need to allow for operators to migrate off of the old policy"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_7ebbd8e2","line":112,"in_reply_to":"3fa7e38b_4352c712","updated":"2020-01-29 21:19:15.000000000","message":"true.","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"0920eef214f116bf29939f1fd31646454a8c59c3","unresolved":false,"context_lines":[{"line_number":109,"context_line":"  is required for a more secure access at a project level. 
For example, some"},{"line_number":110,"context_line":"  users should only have the permission to check and use the resources but"},{"line_number":111,"context_line":"  shouldn\u0027t update the resources."},{"line_number":112,"context_line":"* Add config option: /etc/cyborg.conf [oslo_policy] enforce_scope\u003dFalse"},{"line_number":113,"context_line":"  Since all cyborg policy rules will be covered with appropriate oslo.policy’s"},{"line_number":114,"context_line":"  “scope_types”, ‘system’ or ‘project’ in the future. During the migration"},{"line_number":115,"context_line":"  steps, we need to allow for operators to migrate off of the old policy"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_92b816e8","line":112,"in_reply_to":"3fa7e38b_566e15fe","updated":"2020-01-29 04:30:18.000000000","message":"Why not? I think it is necessary to verify that the scopes match. Right now, even if it\u0027s not available, I think we need to reserve this configuration item.","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"a24f1f4a9e5959ba41f57c502766996970e0f1a7","unresolved":false,"context_lines":[{"line_number":109,"context_line":"  is required for a more secure access at a project level. For example, some"},{"line_number":110,"context_line":"  users should only have the permission to check and use the resources but"},{"line_number":111,"context_line":"  shouldn\u0027t update the resources."},{"line_number":112,"context_line":"* Add config option: /etc/cyborg.conf [oslo_policy] enforce_scope\u003dFalse"},{"line_number":113,"context_line":"  Since all cyborg policy rules will be covered with appropriate oslo.policy’s"},{"line_number":114,"context_line":"  “scope_types”, ‘system’ or ‘project’ in the future. 
During the migration"},{"line_number":115,"context_line":"  steps, we need to allow for operators to migrate off of the old policy"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_41d3fc36","line":112,"in_reply_to":"3fa7e38b_566e15fe","updated":"2020-02-10 21:13:32.000000000","message":"removed.\nand Thanks for the explanation!","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"a72bfdf8d716c859aca5528daeab1f8d1ca70899","unresolved":false,"context_lines":[{"line_number":109,"context_line":"  is required for a more secure access at a project level. For example, some"},{"line_number":110,"context_line":"  users should only have the permission to check and use the resources but"},{"line_number":111,"context_line":"  shouldn\u0027t update the resources."},{"line_number":112,"context_line":"* Add config option: /etc/cyborg.conf [oslo_policy] enforce_scope\u003dFalse"},{"line_number":113,"context_line":"  Since all cyborg policy rules will be covered with appropriate oslo.policy’s"},{"line_number":114,"context_line":"  “scope_types”, ‘system’ or ‘project’ in the future. During the migration"},{"line_number":115,"context_line":"  steps, we need to allow for operators to migrate off of the old policy"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_655f9d10","line":112,"in_reply_to":"3fa7e38b_7ebbd8e2","updated":"2020-02-03 03:02:20.000000000","message":"Thanks, ++","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"9a99f042b89fb7a2310ae5319ab17ea13ab2ec59","unresolved":false,"context_lines":[{"line_number":109,"context_line":"  is required for a more secure access at a project level. 
For example, some"},{"line_number":110,"context_line":"  users should only have the permission to check and use the resources but"},{"line_number":111,"context_line":"  shouldn\u0027t update the resources."},{"line_number":112,"context_line":"* Add config option: /etc/cyborg.conf [oslo_policy] enforce_scope\u003dFalse"},{"line_number":113,"context_line":"  Since all cyborg policy rules will be covered with appropriate oslo.policy’s"},{"line_number":114,"context_line":"  “scope_types”, ‘system’ or ‘project’ in the future. During the migration"},{"line_number":115,"context_line":"  steps, we need to allow for operators to migrate off of the old policy"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_127ae623","line":112,"in_reply_to":"3fa7e38b_92b816e8","updated":"2020-01-29 04:34:16.000000000","message":"Emm...limited to the Cyborg version upgrade, I also think that it is reasonable not to have this configuration. In any case, it is good for me.","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"a72bfdf8d716c859aca5528daeab1f8d1ca70899","unresolved":false,"context_lines":[{"line_number":109,"context_line":"  is required for a more secure access at a project level. For example, some"},{"line_number":110,"context_line":"  users should only have the permission to check and use the resources but"},{"line_number":111,"context_line":"  shouldn\u0027t update the resources."},{"line_number":112,"context_line":"* Add config option: /etc/cyborg.conf [oslo_policy] enforce_scope\u003dFalse"},{"line_number":113,"context_line":"  Since all cyborg policy rules will be covered with appropriate oslo.policy’s"},{"line_number":114,"context_line":"  “scope_types”, ‘system’ or ‘project’ in the future. 
During the migration"},{"line_number":115,"context_line":"  steps, we need to allow for operators to migrate off of the old policy"},{"line_number":116,"context_line":"  enforcement system in a somewhat graceful way. The enforce_scope config"},{"line_number":117,"context_line":"  option helps us with that by giving operators a toggle to enforce scope"},{"line_number":118,"context_line":"  checking when they’re ready and they’ve audited their users and assignments."},{"line_number":119,"context_line":"  enforce_scope config option default value is False which means if token"},{"line_number":120,"context_line":"  scope does not matches, only a warning is logged. This feature can be enabled"},{"line_number":121,"context_line":"  via config option nova.conf [oslo_policy] enforce_scope\u003dTrue"},{"line_number":122,"context_line":""},{"line_number":123,"context_line":"POC: https://review.opendev.org/#/c/699102/, https://review.opendev.org/#/c/700765/"},{"line_number":124,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_055ca918","line":121,"range":{"start_line":112,"start_character":1,"end_line":121,"end_character":62},"updated":"2020-02-03 03:02:20.000000000","message":"As discussed above, we don\u0027t need this sentence, and I think we just need to make a simple statement in this SPEC.","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"0920eef214f116bf29939f1fd31646454a8c59c3","unresolved":false,"context_lines":[{"line_number":118,"context_line":"  checking when they’re ready and they’ve audited their users and assignments."},{"line_number":119,"context_line":"  enforce_scope config option default value is False which means if token"},{"line_number":120,"context_line":"  scope does not matches, only a warning is logged. 
This feature can be enabled"},{"line_number":121,"context_line":"  via config option nova.conf [oslo_policy] enforce_scope\u003dTrue"},{"line_number":122,"context_line":""},{"line_number":123,"context_line":"POC: https://review.opendev.org/#/c/699102/, https://review.opendev.org/#/c/700765/"},{"line_number":124,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_b2bbd2e1","line":121,"range":{"start_line":121,"start_character":20,"end_line":121,"end_character":24},"updated":"2020-01-29 04:30:18.000000000","message":"cyborg","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"a24f1f4a9e5959ba41f57c502766996970e0f1a7","unresolved":false,"context_lines":[{"line_number":109,"context_line":"  is required for a more secure access at a project level. For example, some"},{"line_number":110,"context_line":"  users should only have the permission to check and use the resources but"},{"line_number":111,"context_line":"  shouldn\u0027t update the resources."},{"line_number":112,"context_line":"* Add config option: /etc/cyborg.conf [oslo_policy] enforce_scope\u003dFalse"},{"line_number":113,"context_line":"  Since all cyborg policy rules will be covered with appropriate oslo.policy’s"},{"line_number":114,"context_line":"  “scope_types”, ‘system’ or ‘project’ in the future. During the migration"},{"line_number":115,"context_line":"  steps, we need to allow for operators to migrate off of the old policy"},{"line_number":116,"context_line":"  enforcement system in a somewhat graceful way. 
The enforce_scope config"},{"line_number":117,"context_line":"  option helps us with that by giving operators a toggle to enforce scope"},{"line_number":118,"context_line":"  checking when they’re ready and they’ve audited their users and assignments."},{"line_number":119,"context_line":"  enforce_scope config option default value is False which means if token"},{"line_number":120,"context_line":"  scope does not matches, only a warning is logged. This feature can be enabled"},{"line_number":121,"context_line":"  via config option nova.conf [oslo_policy] enforce_scope\u003dTrue"},{"line_number":122,"context_line":""},{"line_number":123,"context_line":"POC: https://review.opendev.org/#/c/699102/, https://review.opendev.org/#/c/700765/"},{"line_number":124,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_6157185b","line":121,"range":{"start_line":112,"start_character":1,"end_line":121,"end_character":62},"in_reply_to":"3fa7e38b_055ca918","updated":"2020-02-10 21:13:32.000000000","message":"Done","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9af55f5d5b1606cc2ab41ab5d68e6ca361796094","unresolved":false,"context_lines":[{"line_number":158,"context_line":"* System Admin check"},{"line_number":159,"context_line":"  PATCH /v2/devices"},{"line_number":160,"context_line":"  PATCH /v2/deployables/{uuid}"},{"line_number":161,"context_line":""},{"line_number":162,"context_line":"One of the current policy defaults will have to change. 
For example, the rule"},{"line_number":163,"context_line":"\"cyborg:arq:create\" has default \"rule:allow\" which equates to \"@\" which is"},{"line_number":164,"context_line":"much too permissive (it would allow a user with the \"reader\" role to perform"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_ace5bc3f","line":161,"range":{"start_line":161,"start_character":0,"end_line":161,"end_character":0},"updated":"2020-01-29 01:01:16.000000000","message":"it will be good if you can add project member mapping also.\n\nor a table to map the existing defaults to new defaults but as cyborg policies are not so many so listing them under new defaults is enough.","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"a24f1f4a9e5959ba41f57c502766996970e0f1a7","unresolved":false,"context_lines":[{"line_number":158,"context_line":"* System Admin check"},{"line_number":159,"context_line":"  PATCH /v2/devices"},{"line_number":160,"context_line":"  PATCH /v2/deployables/{uuid}"},{"line_number":161,"context_line":""},{"line_number":162,"context_line":"One of the current policy defaults will have to change. 
For example, the rule"},{"line_number":163,"context_line":"\"cyborg:arq:create\" has default \"rule:allow\" which equates to \"@\" which is"},{"line_number":164,"context_line":"much too permissive (it would allow a user with the \"reader\" role to perform"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_ac9427e8","line":161,"range":{"start_line":161,"start_character":0,"end_line":161,"end_character":0},"in_reply_to":"3fa7e38b_929d766d","updated":"2020-02-10 21:13:32.000000000","message":"Hi Brin, please see the table here: https://wiki.openstack.org/wiki/Cyborg/Policy","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"a24f1f4a9e5959ba41f57c502766996970e0f1a7","unresolved":false,"context_lines":[{"line_number":158,"context_line":"* System Admin check"},{"line_number":159,"context_line":"  PATCH /v2/devices"},{"line_number":160,"context_line":"  PATCH /v2/deployables/{uuid}"},{"line_number":161,"context_line":""},{"line_number":162,"context_line":"One of the current policy defaults will have to change. For example, the rule"},{"line_number":163,"context_line":"\"cyborg:arq:create\" has default \"rule:allow\" which equates to \"@\" which is"},{"line_number":164,"context_line":"much too permissive (it would allow a user with the \"reader\" role to perform"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_e1d9c880","line":161,"range":{"start_line":161,"start_character":0,"end_line":161,"end_character":0},"in_reply_to":"3fa7e38b_ace5bc3f","updated":"2020-02-10 21:13:32.000000000","message":"Please see the update in this table: https://wiki.openstack.org/wiki/Cyborg/Policy\nI\u0027ve added the legacy policies to compare with future policies. 
Project member mapping is also included.","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"0920eef214f116bf29939f1fd31646454a8c59c3","unresolved":false,"context_lines":[{"line_number":158,"context_line":"* System Admin check"},{"line_number":159,"context_line":"  PATCH /v2/devices"},{"line_number":160,"context_line":"  PATCH /v2/deployables/{uuid}"},{"line_number":161,"context_line":""},{"line_number":162,"context_line":"One of the current policy defaults will have to change. For example, the rule"},{"line_number":163,"context_line":"\"cyborg:arq:create\" has default \"rule:allow\" which equates to \"@\" which is"},{"line_number":164,"context_line":"much too permissive (it would allow a user with the \"reader\" role to perform"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_929d766d","line":161,"range":{"start_line":161,"start_character":0,"end_line":161,"end_character":0},"in_reply_to":"3fa7e38b_ace5bc3f","updated":"2020-01-29 04:30:18.000000000","message":"Agree, adding a table to map the existing defaults will be clearer, so that we can see which existing policy each new policy maps to.","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"11368238513543e24bc3a225cb1eadeffb8fccdb","unresolved":false,"context_lines":[{"line_number":162,"context_line":"One of the current policy defaults will have to change. For example, the rule"},{"line_number":163,"context_line":"\"cyborg:arq:create\" has default \"rule:allow\" which equates to \"@\" which is"},{"line_number":164,"context_line":"much too permissive (it would allow a user with the \"reader\" role to perform"},{"line_number":165,"context_line":"this operation). 
Instead it should be \"role:member\" with scope_type [\"project\"]"},{"line_number":166,"context_line":""},{"line_number":167,"context_line":".. note::"},{"line_number":168,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_164dfd91","line":165,"updated":"2020-01-28 22:58:51.000000000","message":"++","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"a24f1f4a9e5959ba41f57c502766996970e0f1a7","unresolved":false,"context_lines":[{"line_number":162,"context_line":"One of the current policy defaults will have to change. For example, the rule"},{"line_number":163,"context_line":"\"cyborg:arq:create\" has default \"rule:allow\" which equates to \"@\" which is"},{"line_number":164,"context_line":"much too permissive (it would allow a user with the \"reader\" role to perform"},{"line_number":165,"context_line":"this operation). Instead it should be \"role:member\" with scope_type [\"project\"]"},{"line_number":166,"context_line":""},{"line_number":167,"context_line":".. note::"},{"line_number":168,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_8c5dab55","line":165,"in_reply_to":"3fa7e38b_164dfd91","updated":"2020-02-10 21:13:32.000000000","message":"Hi Colleen, please see the updated table here:https://wiki.openstack.org/wiki/Cyborg/Policy","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"11368238513543e24bc3a225cb1eadeffb8fccdb","unresolved":false,"context_lines":[{"line_number":208,"context_line":"---------------------"},{"line_number":209,"context_line":""},{"line_number":210,"context_line":"Deployers will need to look through the new policies"},{"line_number":211,"context_line":"(communicated via release notes?) 
to make sure they can adopt them."},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Openstack devstack(or other deployment tools) not yet implemented"},{"line_number":214,"context_line":"the implied role create, cyborg may need to add \"implied role creation\""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_9636cd00","line":211,"range":{"start_line":211,"start_character":1,"end_line":211,"end_character":32},"updated":"2020-01-28 22:58:51.000000000","message":"++","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"a24f1f4a9e5959ba41f57c502766996970e0f1a7","unresolved":false,"context_lines":[{"line_number":208,"context_line":"---------------------"},{"line_number":209,"context_line":""},{"line_number":210,"context_line":"Deployers will need to look through the new policies"},{"line_number":211,"context_line":"(communicated via release notes?) to make sure they can adopt them."},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Openstack devstack(or other deployment tools) not yet implemented"},{"line_number":214,"context_line":"the implied role create, cyborg may need to add \"implied role creation\""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_01d504b8","line":211,"range":{"start_line":211,"start_character":1,"end_line":211,"end_character":32},"in_reply_to":"3fa7e38b_9636cd00","updated":"2020-02-10 21:13:32.000000000","message":"Done","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"11368238513543e24bc3a225cb1eadeffb8fccdb","unresolved":false,"context_lines":[{"line_number":210,"context_line":"Deployers will need to look through the new policies"},{"line_number":211,"context_line":"(communicated via release notes?) 
to make sure they can adopt them."},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Openstack devstack(or other deployment tools) not yet implemented"},{"line_number":214,"context_line":"the implied role create, cyborg may need to add \"implied role creation\""},{"line_number":215,"context_line":"into devstack/lib/cyborg by itself for now if we want to use implied role."},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"Developer impact"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_d619a586","line":214,"range":{"start_line":213,"start_character":46,"end_line":214,"end_character":23},"updated":"2020-01-28 22:58:51.000000000","message":"devstack uses the keystone-manage bootstrap command which creates the implied roles. Other deployers can also re-run the bootstrap command on an existing deployment and the implied role relationships will be created on the existing roles. There should be no additions needed to devstack/lib/cyborg for this.","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"a24f1f4a9e5959ba41f57c502766996970e0f1a7","unresolved":false,"context_lines":[{"line_number":210,"context_line":"Deployers will need to look through the new policies"},{"line_number":211,"context_line":"(communicated via release notes?) 
to make sure they can adopt them."},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Openstack devstack(or other deployment tools) not yet implemented"},{"line_number":214,"context_line":"the implied role create, cyborg may need to add \"implied role creation\""},{"line_number":215,"context_line":"into devstack/lib/cyborg by itself for now if we want to use implied role."},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"Developer impact"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_9bb44ad5","line":214,"range":{"start_line":213,"start_character":46,"end_line":214,"end_character":23},"in_reply_to":"3fa7e38b_d619a586","updated":"2020-02-10 21:13:32.000000000","message":"ok. remove this.","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9af55f5d5b1606cc2ab41ab5d68e6ca361796094","unresolved":false,"context_lines":[{"line_number":238,"context_line":"* Add new roles to cyborg policy including Project-Reader, Project-Member,"},{"line_number":239,"context_line":"  System-Reader, System-Admin."},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"* Update APIs and unit tests that are using the above new roles."},{"line_number":242,"context_line":""},{"line_number":243,"context_line":"* Update APIs and unit tests that are using other roles such as Project-Admin,"},{"line_number":244,"context_line":"  Admin_or_user etc."},{"line_number":245,"context_line":""},{"line_number":246,"context_line":"* Refactor cyborg policy file."},{"line_number":247,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_cc835854","line":244,"range":{"start_line":241,"start_character":0,"end_line":244,"end_character":20},"updated":"2020-01-29 01:01:16.000000000","message":"this is very important to make sure we 
do not break existing deployments. Nova did not have powerful policy tests to make sure existing behaviour works fine or not. For that we decided to improve the existing tests to test with all the possible context.\n\nand while making the changes in policies as per this spec, we modify those tests and check what all things are working and not working. \n\nExample from nova (1 set of policy change):\n1. Add tests with all context\n- https://review.opendev.org/#/c/669181/\n2. Adding scope and changing tests to reflect that \n- https://review.opendev.org/#/c/645427/\n3. Modify check_str for new defaults (reader roles)\n- https://review.opendev.org/#/c/645452/","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"a24f1f4a9e5959ba41f57c502766996970e0f1a7","unresolved":false,"context_lines":[{"line_number":238,"context_line":"* Add new roles to cyborg policy including Project-Reader, Project-Member,"},{"line_number":239,"context_line":"  System-Reader, System-Admin."},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"* Update APIs and unit tests that are using the above new roles."},{"line_number":242,"context_line":""},{"line_number":243,"context_line":"* Update APIs and unit tests that are using other roles such as Project-Admin,"},{"line_number":244,"context_line":"  Admin_or_user etc."},{"line_number":245,"context_line":""},{"line_number":246,"context_line":"* Refactor cyborg policy file."},{"line_number":247,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_2180409c","line":244,"range":{"start_line":241,"start_character":0,"end_line":244,"end_character":20},"in_reply_to":"3fa7e38b_cc835854","updated":"2020-02-10 21:13:32.000000000","message":"Thanks a lot for providing the reference, Ghanshyam! 
They are very helpful for Cyborg.","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9af55f5d5b1606cc2ab41ab5d68e6ca361796094","unresolved":false,"context_lines":[{"line_number":243,"context_line":"* Update APIs and unit tests that are using other roles such as Project-Admin,"},{"line_number":244,"context_line":"  Admin_or_user etc."},{"line_number":245,"context_line":""},{"line_number":246,"context_line":"* Refactor cyborg policy file."},{"line_number":247,"context_line":""},{"line_number":248,"context_line":"Dependencies"},{"line_number":249,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_2c946c8b","line":246,"range":{"start_line":246,"start_character":0,"end_line":246,"end_character":30},"updated":"2020-01-29 01:01:16.000000000","message":"cyborg use policy in code right?","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"a24f1f4a9e5959ba41f57c502766996970e0f1a7","unresolved":false,"context_lines":[{"line_number":243,"context_line":"* Update APIs and unit tests that are using other roles such as Project-Admin,"},{"line_number":244,"context_line":"  Admin_or_user etc."},{"line_number":245,"context_line":""},{"line_number":246,"context_line":"* Refactor cyborg policy 
file."},{"line_number":247,"context_line":""},{"line_number":248,"context_line":"Dependencies"},{"line_number":249,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_a1bd1068","line":246,"range":{"start_line":246,"start_character":0,"end_line":246,"end_character":30},"in_reply_to":"3fa7e38b_2c946c8b","updated":"2020-02-10 21:13:32.000000000","message":"yes, exactly!","commit_id":"6df50f92423614c7543fc7d8fcf1fe378e29c2ae"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"4966e76b8328fc0a2cc7438f3ec0b197463e8244","unresolved":false,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Firstly \"allow\" means any access will be passed. Now \"allow\" rule is used by"},{"line_number":37,"context_line":"cyborg:arq:create, which is too slack. We\u0027ve reached an agreement that this"},{"line_number":38,"context_line":"should not be open for all users[#arq-create-discussion]_. 
As for the new"},{"line_number":39,"context_line":"rule, please see that in the next Use Cases part in [#cyborg-policy-table]_."},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"Secondly \"admin_only\" is used for the global admin that is able to make almost"}],"source_content_type":"text/x-rst","patch_set":11,"id":"3fa7e38b_229b5bc7","line":38,"range":{"start_line":38,"start_character":27,"end_line":38,"end_character":57},"updated":"2020-02-11 02:56:50.000000000","message":"Add a white space between users[#arq-create-discussion]_, otherwise it is an invalid reference.","commit_id":"38ff95b873365f325da2b8552423f72c840dc6bc"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"397cbebc52e842a8cc97710c4b33e599ff9eec3b","unresolved":false,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Firstly \"allow\" means any access will be passed. Now \"allow\" rule is used by"},{"line_number":37,"context_line":"cyborg:arq:create, which is too slack. We\u0027ve reached an agreement that this"},{"line_number":38,"context_line":"should not be open for all users[#arq-create-discussion]_. 
As for the new"},{"line_number":39,"context_line":"rule, please see that in the next Use Cases part in [#cyborg-policy-table]_."},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"Secondly \"admin_only\" is used for the global admin that is able to make almost"}],"source_content_type":"text/x-rst","patch_set":11,"id":"3fa7e38b_ee1bec19","line":38,"range":{"start_line":38,"start_character":27,"end_line":38,"end_character":57},"in_reply_to":"3fa7e38b_229b5bc7","updated":"2020-02-11 09:49:00.000000000","message":"Done","commit_id":"38ff95b873365f325da2b8552423f72c840dc6bc"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"4966e76b8328fc0a2cc7438f3ec0b197463e8244","unresolved":false,"context_lines":[{"line_number":75,"context_line":""},{"line_number":76,"context_line":"Cyborg V2 APIs need RBAC check. Objects of V2 APIs are listed in the following:"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"* device_profile[#device_profile]_, as the \"flavor\" in accelerator request,"},{"line_number":79,"context_line":"  is generally supposed to be a system-level resource especially for public"},{"line_number":80,"context_line":"  cloud, where billing is based on the device_profile. 
So we reached an"},{"line_number":81,"context_line":"  agreement [#agreement-on-device_profile]_ that sys_admin is required for"}],"source_content_type":"text/x-rst","patch_set":11,"id":"3fa7e38b_42a0d7f2","line":78,"range":{"start_line":78,"start_character":2,"end_line":78,"end_character":34},"updated":"2020-02-11 02:56:50.000000000","message":"ditto","commit_id":"38ff95b873365f325da2b8552423f72c840dc6bc"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"4966e76b8328fc0a2cc7438f3ec0b197463e8244","unresolved":false,"context_lines":[{"line_number":83,"context_line":"  private cloud providers, they can change the policy by themselves if they"},{"line_number":84,"context_line":"  want other users to create device_profiles."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"* devices and deployables[#device-and-deployable-data-model]_ are objects that"},{"line_number":87,"context_line":"  are used to describe a hardware accelerator, where deployables are derived"},{"line_number":88,"context_line":"  from a device. Generally, a device refers to a hardware shared by multiple"},{"line_number":89,"context_line":"  projects such as smart NICs. 
Operators can update the firmware/shell image"}],"source_content_type":"text/x-rst","patch_set":11,"id":"3fa7e38b_a2ae6be2","line":86,"range":{"start_line":86,"start_character":14,"end_line":86,"end_character":61},"updated":"2020-02-11 02:56:50.000000000","message":"ditto","commit_id":"38ff95b873365f325da2b8552423f72c840dc6bc"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"4966e76b8328fc0a2cc7438f3ec0b197463e8244","unresolved":false,"context_lines":[{"line_number":99,"context_line":"  arq:patch and arq:delete admin_or_owner should make sense."},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"To be clear, the roles needed for all Cyborg V2 APIs\u0027 operations are defined"},{"line_number":102,"context_line":"in the table[#cyborg-policy-table]."},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"In introducing the above new default permissions, we must ensure:"},{"line_number":105,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"3fa7e38b_2266fbf1","line":102,"range":{"start_line":102,"start_character":12,"end_line":102,"end_character":34},"updated":"2020-02-11 02:56:50.000000000","message":"Invalid reference. 
It should be \"table [#cyborg-policy-table]_\"","commit_id":"38ff95b873365f325da2b8552423f72c840dc6bc"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"397cbebc52e842a8cc97710c4b33e599ff9eec3b","unresolved":false,"context_lines":[{"line_number":99,"context_line":"  arq:patch and arq:delete admin_or_owner should make sense."},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"To be clear, the roles needed for all Cyborg V2 APIs\u0027 operations are defined"},{"line_number":102,"context_line":"in the table[#cyborg-policy-table]."},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"In introducing the above new default permissions, we must ensure:"},{"line_number":105,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"3fa7e38b_4e232058","line":102,"range":{"start_line":102,"start_character":12,"end_line":102,"end_character":34},"in_reply_to":"3fa7e38b_2266fbf1","updated":"2020-02-11 09:49:00.000000000","message":"Done","commit_id":"38ff95b873365f325da2b8552423f72c840dc6bc"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"4966e76b8328fc0a2cc7438f3ec0b197463e8244","unresolved":false,"context_lines":[{"line_number":112,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"According to the discussions above, we will try to make the changes as less"},{"line_number":115,"context_line":"as possible to meet the requrements. For the current stage, there should be at"},{"line_number":116,"context_line":"least the following changes. Each policy rules will be covered with appropriate"},{"line_number":117,"context_line":"oslo.policy\u0027s \"scope_types\", \u0027system\u0027 and \u0027project\u0027 in cyborg case. 
And we will"},{"line_number":118,"context_line":"use the DocumentedRuleDefault to update policy and follow the oslo.policy"}],"source_content_type":"text/x-rst","patch_set":11,"id":"3fa7e38b_3f361403","line":115,"range":{"start_line":115,"start_character":24,"end_line":115,"end_character":35},"updated":"2020-02-11 02:56:50.000000000","message":"s/requrements/requirements","commit_id":"38ff95b873365f325da2b8552423f72c840dc6bc"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"397cbebc52e842a8cc97710c4b33e599ff9eec3b","unresolved":false,"context_lines":[{"line_number":112,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"According to the discussions above, we will try to make the changes as less"},{"line_number":115,"context_line":"as possible to meet the requrements. For the current stage, there should be at"},{"line_number":116,"context_line":"least the following changes. Each policy rules will be covered with appropriate"},{"line_number":117,"context_line":"oslo.policy\u0027s \"scope_types\", \u0027system\u0027 and \u0027project\u0027 in cyborg case. 
And we will"},{"line_number":118,"context_line":"use the DocumentedRuleDefault to update policy and follow the oslo.policy"}],"source_content_type":"text/x-rst","patch_set":11,"id":"3fa7e38b_0e19a821","line":115,"range":{"start_line":115,"start_character":24,"end_line":115,"end_character":35},"in_reply_to":"3fa7e38b_3f361403","updated":"2020-02-11 09:49:00.000000000","message":"Done","commit_id":"38ff95b873365f325da2b8552423f72c840dc6bc"}],"specs/ussuri/policy-defaults-refresh.rst":[{"author":{"_account_id":28748,"name":"chenker","email":"chen.ke14@zte.com.cn","username":"chenke"},"change_message_id":"2e4072ee979bbe744ac1c20b25b20dc8510cf442","unresolved":false,"context_lines":[{"line_number":81,"context_line":""},{"line_number":82,"context_line":"According to the disscussions above, we will try to make the changes as less"},{"line_number":83,"context_line":"as possible to meet the requrements. For the current stage, there should be at"},{"line_number":84,"context_line":"least the following changes. 
Each policy rules will be covered with appropriate "},{"line_number":85,"context_line":"oslo.policy\u0027s \"scope_types\", \u0027system\u0027 and \u0027project\u0027 in cyborg case."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"* Add system scoped admin policy"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_6b2232a9","line":84,"range":{"start_line":84,"start_character":79,"end_line":84,"end_character":80},"updated":"2019-12-15 06:43:00.000000000","message":"nit","commit_id":"fabebab2261b7a2cba9a249c6e44ba07784407c1"},{"author":{"_account_id":28748,"name":"chenker","email":"chen.ke14@zte.com.cn","username":"chenke"},"change_message_id":"2e4072ee979bbe744ac1c20b25b20dc8510cf442","unresolved":false,"context_lines":[{"line_number":92,"context_line":"* Add system scoped reader policy"},{"line_number":93,"context_line":"  This policy will be useful for situations where a read-only role is required"},{"line_number":94,"context_line":"  for a more secure access to devices that are shared by multiple projects in"},{"line_number":95,"context_line":"  a system. "},{"line_number":96,"context_line":"* Add project scoped reader policy"},{"line_number":97,"context_line":"  Similarly, this policy will be useful for situations where a read-only role"},{"line_number":98,"context_line":"  is required for a more secure access at a project level. 
For example, some"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_cb132659","line":95,"range":{"start_line":95,"start_character":11,"end_line":95,"end_character":12},"updated":"2019-12-15 06:43:00.000000000","message":"space.","commit_id":"fabebab2261b7a2cba9a249c6e44ba07784407c1"},{"author":{"_account_id":28748,"name":"chenker","email":"chen.ke14@zte.com.cn","username":"chenke"},"change_message_id":"2e4072ee979bbe744ac1c20b25b20dc8510cf442","unresolved":false,"context_lines":[{"line_number":223,"context_line":""},{"line_number":224,"context_line":"   * - Release Name"},{"line_number":225,"context_line":"     - Description"},{"line_number":226,"context_line":"   * - Pike"},{"line_number":227,"context_line":"     - Introduced"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_0b0a9e1d","line":226,"range":{"start_line":226,"start_character":7,"end_line":226,"end_character":11},"updated":"2019-12-15 06:43:00.000000000","message":"U?","commit_id":"fabebab2261b7a2cba9a249c6e44ba07784407c1"},{"author":{"_account_id":28748,"name":"chenker","email":"chen.ke14@zte.com.cn","username":"chenke"},"change_message_id":"3c22e314a27732f92ca5561eb56d0708a3c45f04","unresolved":false,"context_lines":[{"line_number":23,"context_line":""},{"line_number":24,"context_line":"The current default policy in cyborg is incomplete and not good enough."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"1)Since cyborg V2 API is newly implemented in Train, RBAC check for api v2 is"},{"line_number":27,"context_line":"incomplete and needs improvement."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"2)Now cyborg mainly has three policy rules:"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_3f09d0db","line":26,"range":{"start_line":26,"start_character":68,"end_line":26,"end_character":74},"updated":"2019-12-16 07:20:54.000000000","message":"V2 
API.","commit_id":"a644f8323055820bb5515705eff2769868f9bc74"},{"author":{"_account_id":28748,"name":"chenker","email":"chen.ke14@zte.com.cn","username":"chenke"},"change_message_id":"3c22e314a27732f92ca5561eb56d0708a3c45f04","unresolved":false,"context_lines":[{"line_number":34,"context_line":""},{"line_number":35,"context_line":"Firstly \"allow\" means any access will be passed. Now \"allow\" rule is used by"},{"line_number":36,"context_line":"cyborg:arq:create, and this needs further discussion whether this is too"},{"line_number":37,"context_line":"slack?"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"Secondly \"admin_only\" is used for the global admin that is able to make almost"},{"line_number":40,"context_line":"any change to Cyborg, and see all details of the cyborg system."}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_fff258e4","line":37,"range":{"start_line":37,"start_character":5,"end_line":37,"end_character":6},"updated":"2019-12-16 07:20:54.000000000","message":"??","commit_id":"a644f8323055820bb5515705eff2769868f9bc74"},{"author":{"_account_id":28748,"name":"chenker","email":"chen.ke14@zte.com.cn","username":"chenke"},"change_message_id":"3c22e314a27732f92ca5561eb56d0708a3c45f04","unresolved":false,"context_lines":[{"line_number":37,"context_line":"slack?"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"Secondly \"admin_only\" is used for the global admin that is able to make almost"},{"line_number":40,"context_line":"any change to Cyborg, and see all details of the cyborg system."},{"line_number":41,"context_line":"The rule actually passes for any user with an admin role, it doesn\u0027t matter"},{"line_number":42,"context_line":"which project is used, any user with the ``admin`` role gets this 
global"},{"line_number":43,"context_line":"access."}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_bffce0b6","line":40,"range":{"start_line":40,"start_character":14,"end_line":40,"end_character":20},"updated":"2019-12-16 07:20:54.000000000","message":"cyborg","commit_id":"a644f8323055820bb5515705eff2769868f9bc74"},{"author":{"_account_id":25738,"name":"Xinran WANG","email":"xin-ran.wang@intel.com","username":"Xinran"},"change_message_id":"3018a22079098fa4e8652d5217e6166a83229e00","unresolved":false,"context_lines":[{"line_number":65,"context_line":""},{"line_number":66,"context_line":"The following user roles should be supported by the default configuration:"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"* System Scoped Administrator (live-migrate accelerators, disable services etc)"},{"line_number":69,"context_line":"* System Scoped Reader (list devices)"},{"line_number":70,"context_line":"* Project Scoped Reader (list devices, list device_profiles, list arqs etc)"},{"line_number":71,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_9fb7a4d8","line":68,"range":{"start_line":68,"start_character":31,"end_line":68,"end_character":56},"updated":"2019-12-16 07:22:29.000000000","message":"not sure we can do accelerator live migration from point of view of physical level.","commit_id":"a644f8323055820bb5515705eff2769868f9bc74"},{"author":{"_account_id":25738,"name":"Xinran WANG","email":"xin-ran.wang@intel.com","username":"Xinran"},"change_message_id":"3018a22079098fa4e8652d5217e6166a83229e00","unresolved":false,"context_lines":[{"line_number":85,"context_line":"oslo.policy\u0027s \"scope_types\", \u0027system\u0027 and \u0027project\u0027 in cyborg case."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"* Add system scoped admin policy"},{"line_number":88,"context_line":"  This policy will be usful for situations where devices are shared by 
multiple"},{"line_number":89,"context_line":"  projects, and we want a system-level admin to operator the devices like"},{"line_number":90,"context_line":"  programming or firmware uograde. In addition, a system admin is required to"},{"line_number":91,"context_line":"  do the service disable/enable things."}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_3fac7087","line":88,"range":{"start_line":88,"start_character":22,"end_line":88,"end_character":27},"updated":"2019-12-16 07:22:29.000000000","message":"useful","commit_id":"a644f8323055820bb5515705eff2769868f9bc74"},{"author":{"_account_id":28748,"name":"chenker","email":"chen.ke14@zte.com.cn","username":"chenke"},"change_message_id":"3c22e314a27732f92ca5561eb56d0708a3c45f04","unresolved":false,"context_lines":[{"line_number":130,"context_line":""},{"line_number":131,"context_line":"* System Admin check"},{"line_number":132,"context_line":"  PATCH /v2/devices"},{"line_number":133,"context_line":"  PATCH /v2/deployables/{uuid}"},{"line_number":134,"context_line":"Security impact"},{"line_number":135,"context_line":"---------------"},{"line_number":136,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_7fb2e8ea","line":133,"range":{"start_line":133,"start_character":0,"end_line":133,"end_character":30},"updated":"2019-12-16 07:20:54.000000000","message":"nit: one space line.","commit_id":"a644f8323055820bb5515705eff2769868f9bc74"},{"author":{"_account_id":25738,"name":"Xinran WANG","email":"xin-ran.wang@intel.com","username":"Xinran"},"change_message_id":"3018a22079098fa4e8652d5217e6166a83229e00","unresolved":false,"context_lines":[{"line_number":221,"context_line":".. 
list-table:: Revisions"},{"line_number":222,"context_line":"   :header-rows: 1"},{"line_number":223,"context_line":""},{"line_number":224,"context_line":"   * - Release Name"},{"line_number":225,"context_line":"     - Description"},{"line_number":226,"context_line":"   * - Pike"},{"line_number":227,"context_line":"     - Introduced"},{"line_number":228,"context_line":"   * - Ussuri"},{"line_number":229,"context_line":"     - Re-proposed"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_bf986076","line":229,"range":{"start_line":224,"start_character":0,"end_line":229,"end_character":18},"updated":"2019-12-16 07:22:29.000000000","message":"This is the first time you propose this spec.  This part should be update.","commit_id":"a644f8323055820bb5515705eff2769868f9bc74"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"a1977f89b140d911f90ce87def404dcf3c3c421e","unresolved":false,"context_lines":[{"line_number":99,"context_line":"  is required for a more secure access at a project level. For example, some"},{"line_number":100,"context_line":"  users should only have the permission to check and use the resources but"},{"line_number":101,"context_line":"  shouldn\u0027t update the resources."},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"Alternatives"},{"line_number":104,"context_line":"------------"},{"line_number":105,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_f34fb732","line":102,"updated":"2019-12-19 03:51:57.000000000","message":"In addition to adding new rule names, the existing policy rules should deprecate their old check strings and use the new rules as defaults. 
Here\u0027s how policy deprecation works in oslo.policy: https://specs.openstack.org/openstack/oslo-specs/specs/queens/policy-deprecation.html#proposed-change\n\nIt\u0027s recommended to use oslo.policy\u0027s DocumentedRuleDefault (instead of RuleDefault) so that the deprecated rules are properly documented and it\u0027s clear to operators how the rules are changing.","commit_id":"4baeeda7dff53a99ec487e5d1ac4f351277ac054"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"a1977f89b140d911f90ce87def404dcf3c3c421e","unresolved":false,"context_lines":[{"line_number":122,"context_line":"  GET /v2/device_profiles/{device_profiles_uuid}"},{"line_number":123,"context_line":"  GET /v2/accelerator_requests"},{"line_number":124,"context_line":"  GET /v2/accelerator_requests/{accelerator_request_uuid}"},{"line_number":125,"context_line":"  GET /v2/devices"},{"line_number":126,"context_line":"  GET /v2/devices/{device_uuid}"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"* System Reader check"},{"line_number":129,"context_line":"  GET /v2/devices"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_b35b7ff7","line":126,"range":{"start_line":125,"start_character":2,"end_line":126,"end_character":31},"updated":"2019-12-19 03:51:57.000000000","message":"Are these devices that are owned by a project?","commit_id":"4baeeda7dff53a99ec487e5d1ac4f351277ac054"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"78fe9e90f265e3ba967f11c13d0112fa8bd0a102","unresolved":false,"context_lines":[{"line_number":122,"context_line":"  GET /v2/device_profiles/{device_profiles_uuid}"},{"line_number":123,"context_line":"  GET /v2/accelerator_requests"},{"line_number":124,"context_line":"  GET /v2/accelerator_requests/{accelerator_request_uuid}"},{"line_number":125,"context_line":"  GET 
/v2/devices"},{"line_number":126,"context_line":"  GET /v2/devices/{device_uuid}"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"* System Reader check"},{"line_number":129,"context_line":"  GET /v2/devices"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_291de20f","line":126,"range":{"start_line":125,"start_character":2,"end_line":126,"end_character":31},"in_reply_to":"3fa7e38b_b35b7ff7","updated":"2019-12-19 13:07:11.000000000","message":"yes!","commit_id":"4baeeda7dff53a99ec487e5d1ac4f351277ac054"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"a1977f89b140d911f90ce87def404dcf3c3c421e","unresolved":false,"context_lines":[{"line_number":126,"context_line":"  GET /v2/devices/{device_uuid}"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"* System Reader check"},{"line_number":129,"context_line":"  GET /v2/devices"},{"line_number":130,"context_line":"  GET /v2/devices/{device_uuid}"},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"* System Admin check"},{"line_number":133,"context_line":"  PATCH /v2/devices"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_d35e3be7","line":130,"range":{"start_line":129,"start_character":2,"end_line":130,"end_character":31},"updated":"2019-12-19 03:51:57.000000000","message":"Are these devices across multiple projects?","commit_id":"4baeeda7dff53a99ec487e5d1ac4f351277ac054"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"78fe9e90f265e3ba967f11c13d0112fa8bd0a102","unresolved":false,"context_lines":[{"line_number":126,"context_line":"  GET /v2/devices/{device_uuid}"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"* System Reader check"},{"line_number":129,"context_line":"  GET /v2/devices"},{"line_number":130,"context_line":"  GET 
/v2/devices/{device_uuid}"},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"* System Admin check"},{"line_number":133,"context_line":"  PATCH /v2/devices"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_c92c4e4b","line":130,"range":{"start_line":129,"start_character":2,"end_line":130,"end_character":31},"in_reply_to":"3fa7e38b_d35e3be7","updated":"2019-12-19 13:07:11.000000000","message":"yes","commit_id":"4baeeda7dff53a99ec487e5d1ac4f351277ac054"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"a1977f89b140d911f90ce87def404dcf3c3c421e","unresolved":false,"context_lines":[{"line_number":132,"context_line":"* System Admin check"},{"line_number":133,"context_line":"  PATCH /v2/devices"},{"line_number":134,"context_line":"  PATCH /v2/deployables/{uuid}"},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"Security impact"},{"line_number":137,"context_line":"---------------"},{"line_number":138,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_1364d3b2","line":135,"updated":"2019-12-19 03:51:57.000000000","message":"Other policy defaults will have to change. For example, the rule \"cyborg:arq:create\" has default \"rule:allow\" which equates to \"@\" which is much too permissive (it would allow a user with the \"reader\" role to perform this operation). 
Instead it should be \"role:member\" with scope_type [\"project\"].","commit_id":"4baeeda7dff53a99ec487e5d1ac4f351277ac054"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"a1977f89b140d911f90ce87def404dcf3c3c421e","unresolved":false,"context_lines":[{"line_number":187,"context_line":"Testing"},{"line_number":188,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"Tempest tests for scope and default roles are necessary, but that depends on"},{"line_number":191,"context_line":"the new APIs. So we can implement policies first, once V2 APIs are well"},{"line_number":192,"context_line":"implemented, we can update tempest tests for policy check later."},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"Unit tests for policy rules and APIs should be added."}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_f3e1f72c","line":191,"range":{"start_line":190,"start_character":66,"end_line":191,"end_character":12},"updated":"2019-12-19 03:51:57.000000000","message":"There shouldn\u0027t be new APIs. This goal is about updating the existing APIs to have more restrictive default policies.","commit_id":"4baeeda7dff53a99ec487e5d1ac4f351277ac054"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"78fe9e90f265e3ba967f11c13d0112fa8bd0a102","unresolved":false,"context_lines":[{"line_number":187,"context_line":"Testing"},{"line_number":188,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"Tempest tests for scope and default roles are necessary, but that depends on"},{"line_number":191,"context_line":"the new APIs. 
So we can implement policies first, once V2 APIs are well"},{"line_number":192,"context_line":"implemented, we can update tempest tests for policy check later."},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"Unit tests for policy rules and APIs should be added."}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_b8483662","line":191,"range":{"start_line":190,"start_character":66,"end_line":191,"end_character":12},"in_reply_to":"3fa7e38b_f3e1f72c","updated":"2019-12-19 13:07:11.000000000","message":"right. seems no tempest is needed for now.\nthe unit test is enough.\nremoved.","commit_id":"4baeeda7dff53a99ec487e5d1ac4f351277ac054"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"a1977f89b140d911f90ce87def404dcf3c3c421e","unresolved":false,"context_lines":[{"line_number":189,"context_line":""},{"line_number":190,"context_line":"Tempest tests for scope and default roles are necessary, but that depends on"},{"line_number":191,"context_line":"the new APIs. 
So we can implement policies first, once V2 APIs are well"},{"line_number":192,"context_line":"implemented, we can update tempest tests for policy check later."},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"Unit tests for policy rules and APIs should be added."},{"line_number":195,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_13ddb36c","line":192,"range":{"start_line":192,"start_character":13,"end_line":192,"end_character":63},"updated":"2019-12-19 03:51:57.000000000","message":"I would recommend creating tests at the same time as the new policies are implemented, that way they can be validated at the same time.","commit_id":"4baeeda7dff53a99ec487e5d1ac4f351277ac054"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"78fe9e90f265e3ba967f11c13d0112fa8bd0a102","unresolved":false,"context_lines":[{"line_number":189,"context_line":""},{"line_number":190,"context_line":"Tempest tests for scope and default roles are necessary, but that depends on"},{"line_number":191,"context_line":"the new APIs. 
So we can implement policies first, once V2 APIs are well"},{"line_number":192,"context_line":"implemented, we can update tempest tests for policy check later."},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"Unit tests for policy rules and APIs should be added."},{"line_number":195,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_d84bb25b","line":192,"range":{"start_line":192,"start_character":13,"end_line":192,"end_character":63},"in_reply_to":"3fa7e38b_13ddb36c","updated":"2019-12-19 13:07:11.000000000","message":"ditto","commit_id":"4baeeda7dff53a99ec487e5d1ac4f351277ac054"},{"author":{"_account_id":21672,"name":"Sundar Nadathur","email":"sundar.nadathur@intel.com","username":"nsundar"},"change_message_id":"40006b972635a90c2e436ff606bab7049b6c3102","unresolved":false,"context_lines":[{"line_number":8,"context_line":"Policy Default Refresh"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Policy in OpenStack has long been the forefront of operator concerns and pain."},{"line_number":12,"context_line":"The implementation is complicated to understand, inconsistent across projects,"},{"line_number":13,"context_line":"and lacks secure defaults. To improve the existing default policy of OpenStack,"},{"line_number":14,"context_line":"the Consistent_and_Secure_Default_Policies_Popup_Team [#policy_popup_team] was"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_d0a5b802","line":11,"range":{"start_line":11,"start_character":0,"end_line":11,"end_character":6},"updated":"2019-12-20 14:08:58.000000000","message":"Better to say \"Role Based Access Control (RBAC) policies\". 
This provides more context to the reader.","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"5f636263f4454c4fc910b911506bfe01fc26da39","unresolved":false,"context_lines":[{"line_number":8,"context_line":"Policy Default Refresh"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Policy in OpenStack has long been the forefront of operator concerns and pain."},{"line_number":12,"context_line":"The implementation is complicated to understand, inconsistent across projects,"},{"line_number":13,"context_line":"and lacks secure defaults. To improve the existing default policy of OpenStack,"},{"line_number":14,"context_line":"the Consistent_and_Secure_Default_Policies_Popup_Team [#policy_popup_team] was"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_e1525d12","line":11,"range":{"start_line":11,"start_character":0,"end_line":11,"end_character":6},"in_reply_to":"3fa7e38b_d0a5b802","updated":"2019-12-23 08:20:23.000000000","message":"Done","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":21672,"name":"Sundar Nadathur","email":"sundar.nadathur@intel.com","username":"nsundar"},"change_message_id":"40006b972635a90c2e436ff606bab7049b6c3102","unresolved":false,"context_lines":[{"line_number":12,"context_line":"The implementation is complicated to understand, inconsistent across projects,"},{"line_number":13,"context_line":"and lacks secure defaults. 
To improve the existing default policy of OpenStack,"},{"line_number":14,"context_line":"the Consistent_and_Secure_Default_Policies_Popup_Team [#policy_popup_team] was"},{"line_number":15,"context_line":"built up to track policy refresh for all projects, where keystone was the lead."},{"line_number":16,"context_line":"Keystone defined ongoing policy goals and roadmaps [#policy-goals-and-roadmap],"},{"line_number":17,"context_line":"default roles[#default-roles], as well as a reclarification of system-scoped"},{"line_number":18,"context_line":"and project-scoped RBAC [#system-scope]. As a member of this popup_team, Cyborg"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_90af40df","line":15,"range":{"start_line":15,"start_character":57,"end_line":15,"end_character":65},"updated":"2019-12-20 14:08:58.000000000","message":"Nit: Keystone","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"5f636263f4454c4fc910b911506bfe01fc26da39","unresolved":false,"context_lines":[{"line_number":12,"context_line":"The implementation is complicated to understand, inconsistent across projects,"},{"line_number":13,"context_line":"and lacks secure defaults. To improve the existing default policy of OpenStack,"},{"line_number":14,"context_line":"the Consistent_and_Secure_Default_Policies_Popup_Team [#policy_popup_team] was"},{"line_number":15,"context_line":"built up to track policy refresh for all projects, where keystone was the lead."},{"line_number":16,"context_line":"Keystone defined ongoing policy goals and roadmaps [#policy-goals-and-roadmap],"},{"line_number":17,"context_line":"default roles[#default-roles], as well as a reclarification of system-scoped"},{"line_number":18,"context_line":"and project-scoped RBAC [#system-scope]. 
As a member of this popup_team, Cyborg"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_01569906","line":15,"range":{"start_line":15,"start_character":57,"end_line":15,"end_character":65},"in_reply_to":"3fa7e38b_90af40df","updated":"2019-12-23 08:20:23.000000000","message":"Done","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":21672,"name":"Sundar Nadathur","email":"sundar.nadathur@intel.com","username":"nsundar"},"change_message_id":"40006b972635a90c2e436ff606bab7049b6c3102","unresolved":false,"context_lines":[{"line_number":15,"context_line":"built up to track policy refresh for all projects, where keystone was the lead."},{"line_number":16,"context_line":"Keystone defined ongoing policy goals and roadmaps [#policy-goals-and-roadmap],"},{"line_number":17,"context_line":"default roles[#default-roles], as well as a reclarification of system-scoped"},{"line_number":18,"context_line":"and project-scoped RBAC [#system-scope]. As a member of this popup_team, Cyborg"},{"line_number":19,"context_line":"is also going to follow up policy default refresh."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_50830856","line":18,"range":{"start_line":18,"start_character":19,"end_line":18,"end_character":23},"updated":"2019-12-20 14:08:58.000000000","message":"Acronym used without explanation: please see previous comment.","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"5f636263f4454c4fc910b911506bfe01fc26da39","unresolved":false,"context_lines":[{"line_number":15,"context_line":"built up to track policy refresh for all projects, where keystone was the lead."},{"line_number":16,"context_line":"Keystone defined ongoing policy goals and roadmaps 
[#policy-goals-and-roadmap],"},{"line_number":17,"context_line":"default roles[#default-roles], as well as a reclarification of system-scoped"},{"line_number":18,"context_line":"and project-scoped RBAC [#system-scope]. As a member of this popup_team, Cyborg"},{"line_number":19,"context_line":"is also going to follow up policy default refresh."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_a13c65c0","line":18,"range":{"start_line":18,"start_character":19,"end_line":18,"end_character":23},"in_reply_to":"3fa7e38b_50830856","updated":"2019-12-23 08:20:23.000000000","message":"Done","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":21672,"name":"Sundar Nadathur","email":"sundar.nadathur@intel.com","username":"nsundar"},"change_message_id":"40006b972635a90c2e436ff606bab7049b6c3102","unresolved":false,"context_lines":[{"line_number":33,"context_line":"* admin_or_owner"},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"Firstly \"allow\" means any access will be passed. Now \"allow\" rule is used by"},{"line_number":36,"context_line":"cyborg:arq:create, and this needs further discussion whether this is too"},{"line_number":37,"context_line":"slack. [#role-reassess-discussion]"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"Secondly \"admin_only\" is used for the global admin that is able to make almost"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_b0935ca4","line":36,"range":{"start_line":36,"start_character":23,"end_line":36,"end_character":52},"updated":"2019-12-20 14:08:58.000000000","message":"Yes. 
That discussion should complete and be included here, before this spec merges.","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":21672,"name":"Sundar Nadathur","email":"sundar.nadathur@intel.com","username":"nsundar"},"change_message_id":"40006b972635a90c2e436ff606bab7049b6c3102","unresolved":false,"context_lines":[{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Thirdly \"admin_or_owner\" sounds like it checks if the user is a member of a"},{"line_number":46,"context_line":"project. However, for most APIs we use the default target which means this"},{"line_number":47,"context_line":"rule will pass for any authenticated user."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"With all the above policy rules, there still some cases which are not well"},{"line_number":50,"context_line":"covered. For example, it is impossible to allow a user to retrieve/update"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_70e2c432","line":47,"range":{"start_line":47,"start_character":19,"end_line":47,"end_character":41},"updated":"2019-12-20 14:08:58.000000000","message":"If a user creates an ARQ, then he is the owner of that specific ARQ, right? So, if PATCH ARQ requires admin_or_owner, only the user who created that ARQ can invoke PATCH, not any authenticated user, right?","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"5f636263f4454c4fc910b911506bfe01fc26da39","unresolved":false,"context_lines":[{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Thirdly \"admin_or_owner\" sounds like it checks if the user is a member of a"},{"line_number":46,"context_line":"project. 
However, for most APIs we use the default target which means this"},{"line_number":47,"context_line":"rule will pass for any authenticated user."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"With all the above policy rules, there still some cases which are not well"},{"line_number":50,"context_line":"covered. For example, it is impossible to allow a user to retrieve/update"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_41757196","line":47,"range":{"start_line":47,"start_character":19,"end_line":47,"end_character":41},"in_reply_to":"3fa7e38b_70e2c432","updated":"2019-12-23 08:20:23.000000000","message":"yes, the owner means the user who created that ARQ, not an authenticated user. and the admin should also have the rights to PATCH ARQ. let\u0027s say admin or owner can PATCH an ARQ.","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":21672,"name":"Sundar Nadathur","email":"sundar.nadathur@intel.com","username":"nsundar"},"change_message_id":"40006b972635a90c2e436ff606bab7049b6c3102","unresolved":false,"context_lines":[{"line_number":49,"context_line":"With all the above policy rules, there still some cases which are not well"},{"line_number":50,"context_line":"covered. For example, it is impossible to allow a user to retrieve/update"},{"line_number":51,"context_line":"devices which are shared by multiple projects from a system level without"},{"line_number":52,"context_line":"being given the global admin role. In addition, cyborg now doesn\u0027t have a"},{"line_number":53,"context_line":"\"reader\" role."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"Keystone comes with member, admin and reader roles by default. 
We should"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_f0c79497","line":52,"range":{"start_line":52,"start_character":48,"end_line":52,"end_character":54},"updated":"2019-12-20 14:08:58.000000000","message":"Nit: Cyborg","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":21672,"name":"Sundar Nadathur","email":"sundar.nadathur@intel.com","username":"nsundar"},"change_message_id":"40006b972635a90c2e436ff606bab7049b6c3102","unresolved":false,"context_lines":[{"line_number":65,"context_line":""},{"line_number":66,"context_line":"The following user roles should be supported by the default configuration:"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"* System Scoped Admin (disable services mainly for now. maybe live-migrate"},{"line_number":69,"context_line":"  accelerators in the future?)"},{"line_number":70,"context_line":"* System Scoped Reader (list devices)"},{"line_number":71,"context_line":"* Project Scoped Reader (list devices, list device_profiles, list arqs etc)"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_b0f4bcd1","line":68,"range":{"start_line":68,"start_character":23,"end_line":68,"end_character":46},"updated":"2019-12-20 14:08:58.000000000","message":"Sorry, I don\u0027t understand this. This should be the role that does most admin tasks for configuration and devices, like setting/updating cyborg.conf, enable/disable devices, etc. She is also the one that ensures system-wide aspects, e.g. 
Cyborg devices do not conflict with Nova PCI white list.","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"5f636263f4454c4fc910b911506bfe01fc26da39","unresolved":false,"context_lines":[{"line_number":65,"context_line":""},{"line_number":66,"context_line":"The following user roles should be supported by the default configuration:"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"* System Scoped Admin (disable services mainly for now. maybe live-migrate"},{"line_number":69,"context_line":"  accelerators in the future?)"},{"line_number":70,"context_line":"* System Scoped Reader (list devices)"},{"line_number":71,"context_line":"* Project Scoped Reader (list devices, list device_profiles, list arqs etc)"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_c16081d3","line":68,"range":{"start_line":68,"start_character":23,"end_line":68,"end_character":46},"in_reply_to":"3fa7e38b_b0f4bcd1","updated":"2019-12-23 08:20:23.000000000","message":"Hi Sundar, IMHO 1) updating cyborg.conf is a service configuration, it should belong to the task of a Linux user, not the admin we talked here. 2) the \"disable services mainly\" I mentioned here refers to \"enable/disable device\": https://review.opendev.org/#/c/696012/5/specs/ussuri/approved/cyborg-api.rst  line354 and line378. I will update here to make it more clear. 
3)system admin we talked here cannot ensure \"cyborg devices do not conflict with Nova PCI white list\" for 2 reasons: firstly, it cannot read nova.conf so it has no idea which devices are already in the nova PCI white list; secondly, the operator can make sure this manually, which is an economical way to achieve this goal.","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":21672,"name":"Sundar Nadathur","email":"sundar.nadathur@intel.com","username":"nsundar"},"change_message_id":"40006b972635a90c2e436ff606bab7049b6c3102","unresolved":false,"context_lines":[{"line_number":68,"context_line":"* System Scoped Admin (disable services mainly for now. maybe live-migrate"},{"line_number":69,"context_line":"  accelerators in the future?)"},{"line_number":70,"context_line":"* System Scoped Reader (list devices)"},{"line_number":71,"context_line":"* Project Scoped Reader (list devices, list device_profiles, list arqs etc)"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"In introducing the above new default permissions, we must ensure:"},{"line_number":74,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_f0231457","line":71,"updated":"2019-12-20 14:08:58.000000000","message":"What about project-scoped admin and member roles?","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"5f636263f4454c4fc910b911506bfe01fc26da39","unresolved":false,"context_lines":[{"line_number":68,"context_line":"* System Scoped Admin (disable services mainly for now. 
maybe live-migrate"},{"line_number":69,"context_line":"  accelerators in the future?)"},{"line_number":70,"context_line":"* System Scoped Reader (list devices)"},{"line_number":71,"context_line":"* Project Scoped Reader (list devices, list device_profiles, list arqs etc)"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"In introducing the above new default permissions, we must ensure:"},{"line_number":74,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_9c466e22","line":71,"in_reply_to":"3fa7e38b_f0231457","updated":"2019-12-23 08:20:23.000000000","message":"Done","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":21672,"name":"Sundar Nadathur","email":"sundar.nadathur@intel.com","username":"nsundar"},"change_message_id":"40006b972635a90c2e436ff606bab7049b6c3102","unresolved":false,"context_lines":[{"line_number":80,"context_line":"Proposed change"},{"line_number":81,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"According to the disscussions above, we will try to make the changes as less"},{"line_number":84,"context_line":"as possible to meet the requrements. For the current stage, there should be at"},{"line_number":85,"context_line":"least the following changes. 
Each policy rules will be covered with appropriate"},{"line_number":86,"context_line":"oslo.policy\u0027s \"scope_types\", \u0027system\u0027 and \u0027project\u0027 in cyborg case."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_9012e0fc","line":83,"range":{"start_line":83,"start_character":17,"end_line":83,"end_character":29},"updated":"2019-12-20 14:08:58.000000000","message":"Nit: typo","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":21672,"name":"Sundar Nadathur","email":"sundar.nadathur@intel.com","username":"nsundar"},"change_message_id":"40006b972635a90c2e436ff606bab7049b6c3102","unresolved":false,"context_lines":[{"line_number":99,"context_line":"  is required for a more secure access at a project level. For example, some"},{"line_number":100,"context_line":"  users should only have the permission to check and use the resources but"},{"line_number":101,"context_line":"  shouldn\u0027t update the resources."},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"Alternatives"},{"line_number":104,"context_line":"------------"},{"line_number":105,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_10b590ed","line":102,"updated":"2019-12-20 14:08:58.000000000","message":"I suggest we define the role for each CRUD action for each object in this spec. E.g.\n\n* List devices: system-scoped (or project-scoped?) admin, proj reader?\n* Enable/disable devices: sys admin\n* List device profiles: sys/proj admin, sys/proj reader\n* Create device profiles: sys admin\netc.\n\nThis is what we actually do in RBAC usage. The details can be discussed as part of this spec. \n\nDo you aim to implement this in Ussuri? 
if so, shouldn\u0027t those changes be called out?","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"5f636263f4454c4fc910b911506bfe01fc26da39","unresolved":false,"context_lines":[{"line_number":99,"context_line":"  is required for a more secure access at a project level. For example, some"},{"line_number":100,"context_line":"  users should only have the permission to check and use the resources but"},{"line_number":101,"context_line":"  shouldn\u0027t update the resources."},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"Alternatives"},{"line_number":104,"context_line":"------------"},{"line_number":105,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_9c1d0e12","line":102,"in_reply_to":"3fa7e38b_10b590ed","updated":"2019-12-23 08:20:23.000000000","message":"Done. Added a link here.\nAnd yes, planning to implement this in Ussuri.","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":21672,"name":"Sundar Nadathur","email":"sundar.nadathur@intel.com","username":"nsundar"},"change_message_id":"40006b972635a90c2e436ff606bab7049b6c3102","unresolved":false,"context_lines":[{"line_number":235,"context_line":"   * - Release Name"},{"line_number":236,"context_line":"     - Description"},{"line_number":237,"context_line":"   * - Ussuri"},{"line_number":238,"context_line":"     - Updated"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_d0c29835","line":238,"range":{"start_line":238,"start_character":7,"end_line":238,"end_character":14},"updated":"2019-12-20 
14:08:58.000000000","message":"\u0027Introduced\u0027","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"5f636263f4454c4fc910b911506bfe01fc26da39","unresolved":false,"context_lines":[{"line_number":235,"context_line":"   * - Release Name"},{"line_number":236,"context_line":"     - Description"},{"line_number":237,"context_line":"   * - Ussuri"},{"line_number":238,"context_line":"     - Updated"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_1ccfde8b","line":238,"range":{"start_line":238,"start_character":7,"end_line":238,"end_character":14},"in_reply_to":"3fa7e38b_d0c29835","updated":"2019-12-23 08:20:23.000000000","message":"Done","commit_id":"5bbd3d26a43ba18217dd97da7f408bc3970d624b"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"64564947b50e335f99a673bb592f0ce6dfba5fc3","unresolved":false,"context_lines":[{"line_number":11,"context_line":"Role Based Access Control (RBAC) policies in OpenStack has long been the"},{"line_number":12,"context_line":"forefront of operator concerns and pain. The implementation is complicated to"},{"line_number":13,"context_line":"understand, inconsistent across projects, and lacks secure defaults. 
To"},{"line_number":14,"context_line":"improve the existing default policy of OpenStack, the "},{"line_number":15,"context_line":"Consistent_and_Secure_Default_Policies_Popup_Team [#policy_popup_team] was"},{"line_number":16,"context_line":"built up to track policy refresh for all projects, where Keystone was the lead."},{"line_number":17,"context_line":"Keystone defined ongoing policy goals and roadmaps [#policy-goals-and-roadmap],"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_0af8a6be","line":14,"range":{"start_line":14,"start_character":53,"end_line":14,"end_character":54},"updated":"2020-01-07 09:15:34.000000000","message":"redundant white space.","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6641758fc49242422d0cde65940dafb28b5e80be","unresolved":false,"context_lines":[{"line_number":11,"context_line":"Role Based Access Control (RBAC) policies in OpenStack has long been the"},{"line_number":12,"context_line":"forefront of operator concerns and pain. The implementation is complicated to"},{"line_number":13,"context_line":"understand, inconsistent across projects, and lacks secure defaults. 
To"},{"line_number":14,"context_line":"improve the existing default policy of OpenStack, the "},{"line_number":15,"context_line":"Consistent_and_Secure_Default_Policies_Popup_Team [#policy_popup_team] was"},{"line_number":16,"context_line":"built up to track policy refresh for all projects, where Keystone was the lead."},{"line_number":17,"context_line":"Keystone defined ongoing policy goals and roadmaps [#policy-goals-and-roadmap],"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_c8167a4b","line":14,"range":{"start_line":14,"start_character":53,"end_line":14,"end_character":54},"in_reply_to":"3fa7e38b_0af8a6be","updated":"2020-01-17 10:01:45.000000000","message":"Done","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"86e927d9b2c5117b664bd70d2dd30ce6f5b3c5f7","unresolved":false,"context_lines":[{"line_number":11,"context_line":"Role Based Access Control (RBAC) policies in OpenStack has long been the"},{"line_number":12,"context_line":"forefront of operator concerns and pain. The implementation is complicated to"},{"line_number":13,"context_line":"understand, inconsistent across projects, and lacks secure defaults. 
To"},{"line_number":14,"context_line":"improve the existing default policy of OpenStack, the "},{"line_number":15,"context_line":"Consistent_and_Secure_Default_Policies_Popup_Team [#policy_popup_team] was"},{"line_number":16,"context_line":"built up to track policy refresh for all projects, where Keystone was the lead."},{"line_number":17,"context_line":"Keystone defined ongoing policy goals and roadmaps [#policy-goals-and-roadmap],"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_25c27387","line":14,"range":{"start_line":14,"start_character":53,"end_line":14,"end_character":54},"in_reply_to":"3fa7e38b_0af8a6be","updated":"2020-01-07 09:51:57.000000000","message":"Why the pep8 check not failed? I think it\u0027s belong to pep8 check.\n\nTODO: Fix the pep8 check in Cyborg-specs\u0027s docs.","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6641758fc49242422d0cde65940dafb28b5e80be","unresolved":false,"context_lines":[{"line_number":11,"context_line":"Role Based Access Control (RBAC) policies in OpenStack has long been the"},{"line_number":12,"context_line":"forefront of operator concerns and pain. The implementation is complicated to"},{"line_number":13,"context_line":"understand, inconsistent across projects, and lacks secure defaults. 
To"},{"line_number":14,"context_line":"improve the existing default policy of OpenStack, the "},{"line_number":15,"context_line":"Consistent_and_Secure_Default_Policies_Popup_Team [#policy_popup_team] was"},{"line_number":16,"context_line":"built up to track policy refresh for all projects, where Keystone was the lead."},{"line_number":17,"context_line":"Keystone defined ongoing policy goals and roadmaps [#policy-goals-and-roadmap],"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_605f84e4","line":14,"range":{"start_line":14,"start_character":53,"end_line":14,"end_character":54},"in_reply_to":"3fa7e38b_25c27387","updated":"2020-01-17 10:01:45.000000000","message":"Fixed in this patch:https://review.opendev.org/#/c/702819/. The reason is that the current pep8 only contains flake8 check, while flake8 only does the trailing whitespace check for .py file but not for .rst file. And doc8 can detect trailing whitespace for .rst file, so we should add doc8 check.","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"64564947b50e335f99a673bb592f0ce6dfba5fc3","unresolved":false,"context_lines":[{"line_number":68,"context_line":""},{"line_number":69,"context_line":"* Add System Scoped Admin (disable/enable devices)"},{"line_number":70,"context_line":"* Add System Scoped Reader (list devices)"},{"line_number":71,"context_line":"* Add Project Scoped Reader (list devices, list device_profiles, list arqs etc)"},{"line_number":72,"context_line":"* Refresh existed admin to Project Scoped Admin (create and delete"},{"line_number":73,"context_line":"  device_profiles, create update and delete arqs, patch devices and"},{"line_number":74,"context_line":"  
deployables)"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_2a7a4224","line":71,"range":{"start_line":71,"start_character":75,"end_line":71,"end_character":78},"updated":"2020-01-07 09:15:34.000000000","message":"s/etc/etc./","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6641758fc49242422d0cde65940dafb28b5e80be","unresolved":false,"context_lines":[{"line_number":68,"context_line":""},{"line_number":69,"context_line":"* Add System Scoped Admin (disable/enable devices)"},{"line_number":70,"context_line":"* Add System Scoped Reader (list devices)"},{"line_number":71,"context_line":"* Add Project Scoped Reader (list devices, list device_profiles, list arqs etc)"},{"line_number":72,"context_line":"* Refresh existed admin to Project Scoped Admin (create and delete"},{"line_number":73,"context_line":"  device_profiles, create update and delete arqs, patch devices and"},{"line_number":74,"context_line":"  deployables)"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_685426fe","line":71,"range":{"start_line":71,"start_character":75,"end_line":71,"end_character":78},"in_reply_to":"3fa7e38b_2a7a4224","updated":"2020-01-17 10:01:45.000000000","message":"Done","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"64564947b50e335f99a673bb592f0ce6dfba5fc3","unresolved":false,"context_lines":[{"line_number":95,"context_line":"* Add system scoped admin policy"},{"line_number":96,"context_line":"  This policy will be useful for situations where devices are shared by multiple"},{"line_number":97,"context_line":"  projects, and we want a system-level admin to operator the devices like"},{"line_number":98,"context_line":"  programming or firmware uograde. 
In addition, a system admin is required to"},{"line_number":99,"context_line":"  do the service disable/enable things."},{"line_number":100,"context_line":"* Add system scoped reader policy"},{"line_number":101,"context_line":"  This policy will be useful for situations where a read-only role is required"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_4a669e57","line":98,"range":{"start_line":98,"start_character":26,"end_line":98,"end_character":33},"updated":"2020-01-07 09:15:34.000000000","message":"s/uograde/upgrade/","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6641758fc49242422d0cde65940dafb28b5e80be","unresolved":false,"context_lines":[{"line_number":95,"context_line":"* Add system scoped admin policy"},{"line_number":96,"context_line":"  This policy will be useful for situations where devices are shared by multiple"},{"line_number":97,"context_line":"  projects, and we want a system-level admin to operator the devices like"},{"line_number":98,"context_line":"  programming or firmware uograde. 
In addition, a system admin is required to"},{"line_number":99,"context_line":"  do the service disable/enable things."},{"line_number":100,"context_line":"* Add system scoped reader policy"},{"line_number":101,"context_line":"  This policy will be useful for situations where a read-only role is required"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_887082a9","line":98,"range":{"start_line":98,"start_character":26,"end_line":98,"end_character":33},"in_reply_to":"3fa7e38b_4a669e57","updated":"2020-01-17 10:01:45.000000000","message":"Done","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"64564947b50e335f99a673bb592f0ce6dfba5fc3","unresolved":false,"context_lines":[{"line_number":110,"context_line":"Alternatives"},{"line_number":111,"context_line":"------------"},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"None"},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"Data model impact"},{"line_number":116,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_ca960ef0","line":113,"range":{"start_line":113,"start_character":0,"end_line":113,"end_character":4},"updated":"2020-01-07 09:15:34.000000000","message":"I think the alternative is keep the old policy mechanism, but as time goes on, more and more features will be added, and then the verification of policies will become more and more 
complicated.","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6641758fc49242422d0cde65940dafb28b5e80be","unresolved":false,"context_lines":[{"line_number":110,"context_line":"Alternatives"},{"line_number":111,"context_line":"------------"},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"None"},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"Data model impact"},{"line_number":116,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_686d06ca","line":113,"range":{"start_line":113,"start_character":0,"end_line":113,"end_character":4},"in_reply_to":"3fa7e38b_ca960ef0","updated":"2020-01-17 10:01:45.000000000","message":"Done","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"64564947b50e335f99a673bb592f0ce6dfba5fc3","unresolved":false,"context_lines":[{"line_number":117,"context_line":""},{"line_number":118,"context_line":"None"},{"line_number":119,"context_line":""},{"line_number":120,"context_line":"REST API impact"},{"line_number":121,"context_line":"---------------"},{"line_number":122,"context_line":""},{"line_number":123,"context_line":"Operations for each API should be reassessed and associated which scope, or"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_c5003f03","line":120,"range":{"start_line":120,"start_character":0,"end_line":120,"end_character":15},"updated":"2020-01-07 09:15:34.000000000","message":"This change will be add in the v2 version, and I think this need a microversion for this change, so maybe this change should a new microversion (v2.1) to these APIs.\n\nIn the `api microversion changes`_, that will be deprecated v1, and start the 2.0 microversion:\n\n_api 
microversion change: https://review.opendev.org/#/c/699149/","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6641758fc49242422d0cde65940dafb28b5e80be","unresolved":false,"context_lines":[{"line_number":117,"context_line":""},{"line_number":118,"context_line":"None"},{"line_number":119,"context_line":""},{"line_number":120,"context_line":"REST API impact"},{"line_number":121,"context_line":"---------------"},{"line_number":122,"context_line":""},{"line_number":123,"context_line":"Operations for each API should be reassessed and associated which scope, or"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_e8fc960e","line":120,"range":{"start_line":120,"start_character":0,"end_line":120,"end_character":15},"in_reply_to":"3fa7e38b_c5003f03","updated":"2020-01-17 10:01:45.000000000","message":"Thanks Brin for this point.\nThis policy refresh only improves the RBAC and will not affect the V2 API compatibility, so I don\u0027t think it needs a microversion.","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"336ed93ab286943bc99e629a2dafdf8703b94a68","unresolved":false,"context_lines":[{"line_number":130,"context_line":"  GET /v2/accelerator_requests"},{"line_number":131,"context_line":"  GET /v2/accelerator_requests/{accelerator_request_uuid}"},{"line_number":132,"context_line":"  GET /v2/devices"},{"line_number":133,"context_line":"  GET /v2/devices/{device_uuid}"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"* System Reader check"},{"line_number":136,"context_line":"  GET 
/v2/devices"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_bb44691a","line":133,"range":{"start_line":133,"start_character":2,"end_line":133,"end_character":31},"updated":"2020-01-02 15:24:45.000000000","message":"Can devices in cyborg be associated to specific projects? If so, this check should ensure the user has reader authorization on the project in addition to the \u0027reader\u0027 role, correct?","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6641758fc49242422d0cde65940dafb28b5e80be","unresolved":false,"context_lines":[{"line_number":130,"context_line":"  GET /v2/accelerator_requests"},{"line_number":131,"context_line":"  GET /v2/accelerator_requests/{accelerator_request_uuid}"},{"line_number":132,"context_line":"  GET /v2/devices"},{"line_number":133,"context_line":"  GET /v2/devices/{device_uuid}"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"* System Reader check"},{"line_number":136,"context_line":"  GET /v2/devices"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_f31c88c4","line":133,"range":{"start_line":133,"start_character":2,"end_line":133,"end_character":31},"in_reply_to":"3fa7e38b_bb44691a","updated":"2020-01-17 10:01:45.000000000","message":"Hi Lance, thanks for raising this good question.\n1)In cyborg, a device can be shared across different projects, we had a discussion about your question, pls check[0].\n2)And for the GET API, not only the \"reader\" role has reader authorization, the \"member\"\u0026\"admin\" role can also have reader authorization without demonstrating anywhere, because of the \"implied roles\" 
usage[1].\n\n[0]http://eavesdrop.openstack.org/meetings/openstack_cyborg/2020/openstack_cyborg.2020-01-09-03.03.log.html#l-30\n[1]https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"0fc1d5d292a33c8502f5238b40e58aa9e34634a8","unresolved":false,"context_lines":[{"line_number":130,"context_line":"  GET /v2/accelerator_requests"},{"line_number":131,"context_line":"  GET /v2/accelerator_requests/{accelerator_request_uuid}"},{"line_number":132,"context_line":"  GET /v2/devices"},{"line_number":133,"context_line":"  GET /v2/devices/{device_uuid}"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"* System Reader check"},{"line_number":136,"context_line":"  GET /v2/devices"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_fd305908","line":133,"range":{"start_line":133,"start_character":2,"end_line":133,"end_character":31},"in_reply_to":"3fa7e38b_f31c88c4","updated":"2020-01-27 18:06:46.000000000","message":"Ok - that makes sense. 
Thank you for taking the time to clarify.","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"336ed93ab286943bc99e629a2dafdf8703b94a68","unresolved":false,"context_lines":[{"line_number":134,"context_line":""},{"line_number":135,"context_line":"* System Reader check"},{"line_number":136,"context_line":"  GET /v2/devices"},{"line_number":137,"context_line":"  GET /v2/devices/{device_uuid}"},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"* System Admin check"},{"line_number":140,"context_line":"  PATCH /v2/devices"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_5b4d353a","line":137,"range":{"start_line":137,"start_character":2,"end_line":137,"end_character":31},"updated":"2020-01-02 15:24:45.000000000","message":"Is this going to list all devices regardless of the project they\u0027re associated to?","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6641758fc49242422d0cde65940dafb28b5e80be","unresolved":false,"context_lines":[{"line_number":134,"context_line":""},{"line_number":135,"context_line":"* System Reader check"},{"line_number":136,"context_line":"  GET /v2/devices"},{"line_number":137,"context_line":"  GET /v2/devices/{device_uuid}"},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"* System Admin check"},{"line_number":140,"context_line":"  PATCH /v2/devices"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_25c5f75d","line":137,"range":{"start_line":137,"start_character":2,"end_line":137,"end_character":31},"in_reply_to":"3fa7e38b_5b4d353a","updated":"2020-01-17 10:01:45.000000000","message":"yes,exactly.","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":26458,"name":"Brin 
Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"64564947b50e335f99a673bb592f0ce6dfba5fc3","unresolved":false,"context_lines":[{"line_number":140,"context_line":"  PATCH /v2/devices"},{"line_number":141,"context_line":"  PATCH /v2/deployables/{uuid}"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"One of the current policy defaults will have to change. For example, the rule "},{"line_number":144,"context_line":"\"cyborg:arq:create\" has default \"rule:allow\" which equates to \"@\" which is"},{"line_number":145,"context_line":"much too permissive (it would allow a user with the \"reader\" role to perform"},{"line_number":146,"context_line":"this operation). Instead it should be \"role:member\" with scope_type [\"project\"]"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_aa2ab22b","line":143,"range":{"start_line":143,"start_character":77,"end_line":143,"end_character":78},"updated":"2020-01-07 09:15:34.000000000","message":"redundant whit space","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6641758fc49242422d0cde65940dafb28b5e80be","unresolved":false,"context_lines":[{"line_number":140,"context_line":"  PATCH /v2/devices"},{"line_number":141,"context_line":"  PATCH /v2/deployables/{uuid}"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"One of the current policy defaults will have to change. For example, the rule "},{"line_number":144,"context_line":"\"cyborg:arq:create\" has default \"rule:allow\" which equates to \"@\" which is"},{"line_number":145,"context_line":"much too permissive (it would allow a user with the \"reader\" role to perform"},{"line_number":146,"context_line":"this operation). 
Instead it should be \"role:member\" with scope_type [\"project\"]"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_a8021eb8","line":143,"range":{"start_line":143,"start_character":77,"end_line":143,"end_character":78},"in_reply_to":"3fa7e38b_aa2ab22b","updated":"2020-01-17 10:01:45.000000000","message":"Done","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"336ed93ab286943bc99e629a2dafdf8703b94a68","unresolved":false,"context_lines":[{"line_number":168,"context_line":"Other deployer impact"},{"line_number":169,"context_line":"---------------------"},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"None"},{"line_number":172,"context_line":""},{"line_number":173,"context_line":"Developer impact"},{"line_number":174,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_1b5d7deb","line":171,"range":{"start_line":171,"start_character":0,"end_line":171,"end_character":4},"updated":"2020-01-02 15:24:45.000000000","message":"Deployers will need to look through the new policies (communicated via release notes?) 
to make sure they can adopt them, right?","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6641758fc49242422d0cde65940dafb28b5e80be","unresolved":false,"context_lines":[{"line_number":168,"context_line":"Other deployer impact"},{"line_number":169,"context_line":"---------------------"},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"None"},{"line_number":172,"context_line":""},{"line_number":173,"context_line":"Developer impact"},{"line_number":174,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_4599131c","line":171,"range":{"start_line":171,"start_character":0,"end_line":171,"end_character":4},"in_reply_to":"3fa7e38b_1b5d7deb","updated":"2020-01-17 10:01:45.000000000","message":"aha, yes. thanks for the reminder!","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"64564947b50e335f99a673bb592f0ce6dfba5fc3","unresolved":false,"context_lines":[{"line_number":186,"context_line":""},{"line_number":187,"context_line":"Work Items"},{"line_number":188,"context_line":"----------"},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"In order to make sure existed policies run normally when every changes happen,"},{"line_number":191,"context_line":"we will propose changes in the following order:"},{"line_number":192,"context_line":"* Add new roles to cyborg policy including Project-Reader, Project-Member,"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_ea78aac2","line":189,"updated":"2020-01-07 09:15:34.000000000","message":"I am not sure does it need to supplementary functional tests.\nIn Cyborg we lack of some functional tests [1] with the exist feature, I think it\u0027s necessary to add some 
functional tests for a new feature.\n\n[1]https://github.com/openstack/cyborg/tree/master/cyborg/tests/functional","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6641758fc49242422d0cde65940dafb28b5e80be","unresolved":false,"context_lines":[{"line_number":186,"context_line":""},{"line_number":187,"context_line":"Work Items"},{"line_number":188,"context_line":"----------"},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"In order to make sure existed policies run normally when every changes happen,"},{"line_number":191,"context_line":"we will propose changes in the following order:"},{"line_number":192,"context_line":"* Add new roles to cyborg policy including Project-Reader, Project-Member,"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_c853da39","line":189,"in_reply_to":"3fa7e38b_ea78aac2","updated":"2020-01-17 10:01:45.000000000","message":"yeah, nice to have functional tests. But AFAIC, we can implement unit tests and cyborg-tempest-plugin first, and then functional tests. 
Now we still have work to improve in unit test and cyborg-tempest-plugin test.","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"336ed93ab286943bc99e629a2dafdf8703b94a68","unresolved":false,"context_lines":[{"line_number":204,"context_line":"Testing"},{"line_number":205,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":206,"context_line":""},{"line_number":207,"context_line":"Unit tests for policy rules and APIs should be added."},{"line_number":208,"context_line":""},{"line_number":209,"context_line":"Documentation Impact"},{"line_number":210,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_7b6351ac","line":207,"range":{"start_line":207,"start_character":0,"end_line":207,"end_character":53},"updated":"2020-01-02 15:24:45.000000000","message":"Colleen has an idea for how to do this with devstack-tempest plugins, which keeps local unit testing times down and reuses some useful setup.\n\nhttps://review.opendev.org/#/c/686305/","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"6641758fc49242422d0cde65940dafb28b5e80be","unresolved":false,"context_lines":[{"line_number":204,"context_line":"Testing"},{"line_number":205,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":206,"context_line":""},{"line_number":207,"context_line":"Unit tests for policy rules and APIs should be added."},{"line_number":208,"context_line":""},{"line_number":209,"context_line":"Documentation 
Impact"},{"line_number":210,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_25a73754","line":207,"range":{"start_line":207,"start_character":0,"end_line":207,"end_character":53},"in_reply_to":"3fa7e38b_7b6351ac","updated":"2020-01-17 10:01:45.000000000","message":"wow. That\u0027s so cool!","commit_id":"b1a024f9bb9ec042f07d3580a9c3a587cbba74fe"}]}
