)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"48f17207f4ad125c8a5b1dc1f16c88a0a479a17e","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"d2b32e7b_c3ec7324","updated":"2026-06-16 10:51:15.000000000","message":"ill leave this open for a while longer in case anyone has questions or feedback and we can chat about it in the irc meeting if needed.\n\ni have created the blueprint\n\nhttps://blueprints.launchpad.net/openstack-cyborg/+spec/consistent-and-secure-rbac\nand preemptively linked it to where the spec will be published\n\nhttps://specs.openstack.org/openstack/cyborg-specs/specs/2026.2/approved/consistent-and-secure-rbac.html\n\nwe still have a copy available on the preview site\n\nhttps://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_337/openstack/337b1cfb05fc4c2594bf951d3eba6058/docs/specs/2026.2/approved/consistent-and-secure-rbac.html\n\nalthough that typically ages out after about 10 days or so depending on capacity so that may not be available for much longer.\n\nlet me know if anything needs more clarity but im hopeful this is good to go.","commit_id":"54ce2e7b5253cedf73d55c026854229df04f870d"},{"author":{"_account_id":34452,"name":"Joan Gilabert","display_name":"jgilaber","email":"jgilaber@redhat.com","username":"jgilaber"},"change_message_id":"b2ea6fa0289353802b0394577399536489fc0b7f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"a0d8f2bf_d579fce3","updated":"2026-06-17 16:18:04.000000000","message":"lgtm, the spec explains the design well and covers a needed security improvement. I only spotted a very minor formatting issue","commit_id":"54ce2e7b5253cedf73d55c026854229df04f870d"},{"author":{"_account_id":12393,"name":"chandan kumar","display_name":"Chandan 
Kumar","email":"chkumar@redhat.com","username":"chkumar246"},"change_message_id":"7c10864215115f45dad8d9f88d9ed9e3bb895ae1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"5487af30_b8368092","updated":"2026-06-16 09:55:21.000000000","message":"looks good.","commit_id":"54ce2e7b5253cedf73d55c026854229df04f870d"}],"specs/2026.2/approved/consistent-and-secure-rbac.rst":[{"author":{"_account_id":12393,"name":"chandan kumar","display_name":"Chandan Kumar","email":"chkumar@redhat.com","username":"chkumar246"},"change_message_id":"7c10864215115f45dad8d9f88d9ed9e3bb895ae1","unresolved":true,"context_lines":[{"line_number":8,"context_line":"Consistent and Secure RBAC for Cyborg APIs"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"https://blueprints.launchpad.net/openstack-cyborg/+spec/consistent-and-secure-rbac"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Cyborg\u0027s REST API authorization still relies on legacy ``RuleDefault``"},{"line_number":14,"context_line":"policies defined in ``cyborg/common/policy.py``. Although critical"}],"source_content_type":"text/x-rst","patch_set":1,"id":"2e5b0573_f80cd07f","line":11,"range":{"start_line":11,"start_character":0,"end_line":11,"end_character":82},"updated":"2026-06-16 09:55:21.000000000","message":"The above link does not exists. 
Before merging, we need to create the blueprint.","commit_id":"54ce2e7b5253cedf73d55c026854229df04f870d"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"48f17207f4ad125c8a5b1dc1f16c88a0a479a17e","unresolved":false,"context_lines":[{"line_number":8,"context_line":"Consistent and Secure RBAC for Cyborg APIs"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"https://blueprints.launchpad.net/openstack-cyborg/+spec/consistent-and-secure-rbac"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Cyborg\u0027s REST API authorization still relies on legacy ``RuleDefault``"},{"line_number":14,"context_line":"policies defined in ``cyborg/common/policy.py``. Although critical"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1b13af73_030969d6","line":11,"range":{"start_line":11,"start_character":0,"end_line":11,"end_character":82},"in_reply_to":"2e5b0573_f80cd07f","updated":"2026-06-16 10:51:15.000000000","message":"we rechnailly do it after or just as we are merging it to avoid creating blueprint that wont be implemnted.\n\nbut sure i just created it now","commit_id":"54ce2e7b5253cedf73d55c026854229df04f870d"},{"author":{"_account_id":12393,"name":"chandan kumar","display_name":"Chandan Kumar","email":"chkumar@redhat.com","username":"chkumar246"},"change_message_id":"7c10864215115f45dad8d9f88d9ed9e3bb895ae1","unresolved":false,"context_lines":[{"line_number":50,"context_line":"With those patches merged, the current policy baseline is secure but"},{"line_number":51,"context_line":"incomplete. 
Device, deployable, and attribute endpoints are locked to"},{"line_number":52,"context_line":"admin-only access, which is more restrictive than the long-term SRBAC"},{"line_number":53,"context_line":"target. ARQ reads still use the deprecated ``rule:default`` chain, which"},{"line_number":54,"context_line":"relies on the deprecated ``is_admin:True or project_id:%(project_id)s``"},{"line_number":55,"context_line":"check rather than the modern reader persona. The policy definitions are"},{"line_number":56,"context_line":"still ``RuleDefault`` entries without deprecated-rule bridges, so enabling"},{"line_number":57,"context_line":"``enforce_new_defaults \u003d True`` has no effect on those endpoints. There is no"},{"line_number":58,"context_line":"``project_manager_or_admin`` base rule for the manager persona, and no"}],"source_content_type":"text/x-rst","patch_set":1,"id":"0b17f2f7_236b4995","line":55,"range":{"start_line":53,"start_character":8,"end_line":55,"end_character":43},"updated":"2026-06-16 09:55:21.000000000","message":"Yes correct, https://github.com/openstack/cyborg/blob/master/cyborg/common/policy.py#L32","commit_id":"54ce2e7b5253cedf73d55c026854229df04f870d"},{"author":{"_account_id":12393,"name":"chandan kumar","display_name":"Chandan Kumar","email":"chkumar@redhat.com","username":"chkumar246"},"change_message_id":"7c10864215115f45dad8d9f88d9ed9e3bb895ae1","unresolved":false,"context_lines":[{"line_number":63,"context_line":"Use Cases"},{"line_number":64,"context_line":"---------"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"* As a cloud operator (``admin`` role), I want to manage the hardware"},{"line_number":67,"context_line":"  lifecycle — disabling and enabling devices, programming FPGA bitstreams,"},{"line_number":68,"context_line":"  creating and deleting device profiles, and enriching device metadata —"},{"line_number":69,"context_line":"  while also having read access to all hardware inventory and all 
ARQs"},{"line_number":70,"context_line":"  regardless of project."},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"* As a trusted end user (``manager`` role), I want to inspect the"},{"line_number":73,"context_line":"  accelerator hardware inventory — devices, deployables, and attributes —"},{"line_number":74,"context_line":"  available to my project for capacity planning and troubleshooting, without"},{"line_number":75,"context_line":"  being granted write access to hardware management operations."},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"* As a normal end user (``member`` role), I want Nova to be able to create,"},{"line_number":78,"context_line":"  bind, and delete ARQs on my behalf during instance lifecycle operations,"},{"line_number":79,"context_line":"  using my Keystone token as the primary credential."},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"* As an auditor (``reader`` role), I want read-only access to the ARQs"},{"line_number":82,"context_line":"  belonging to my project so that I can inspect accelerator request state,"},{"line_number":83,"context_line":"  for example to check bind state during instance scheduling."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"* As a deployer, I want Cyborg to default to the legacy authorization"},{"line_number":86,"context_line":"  behaviour during the upgrade window so that I can migrate all services in"},{"line_number":87,"context_line":"  my deployment to the new persona model together, rather than being forced"},{"line_number":88,"context_line":"  to adopt new defaults before the rest of the stack is ready."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"* As a Nova developer, I want Cyborg\u0027s ARQ write policies to accept the"},{"line_number":91,"context_line":"  ``service`` role alongside ``member`` so that when Nova transitions to"},{"line_number":92,"context_line":"  
presenting its service account token as the primary credential, the"},{"line_number":93,"context_line":"  Cyborg policy layer does not need a coordinated change."},{"line_number":94,"context_line":""},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"Proposed change"},{"line_number":97,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"060d98de_5c934de9","line":94,"range":{"start_line":66,"start_character":0,"end_line":94,"end_character":1},"updated":"2026-06-16 09:55:21.000000000","message":"+1 for explaining the usecases based on specific role (admin, manager, member, reader and service role)","commit_id":"54ce2e7b5253cedf73d55c026854229df04f870d"},{"author":{"_account_id":12393,"name":"chandan kumar","display_name":"Chandan Kumar","email":"chkumar@redhat.com","username":"chkumar246"},"change_message_id":"7c10864215115f45dad8d9f88d9ed9e3bb895ae1","unresolved":false,"context_lines":[{"line_number":127,"context_line":"for trusted service accounts, bridging the transition from member-based to"},{"line_number":128,"context_line":"service-based authorization for machine-to-machine APIs. 
Both rules will be"},{"line_number":129,"context_line":"registered in the ``default_policies`` list alongside the existing"},{"line_number":130,"context_line":"``project_member_or_admin`` and ``project_reader_or_admin`` rules."},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"The existing ``admin_api`` base rule currently includes"},{"line_number":133,"context_line":"``role:administrator`` as a non-standard alias alongside ``role:admin``."}],"source_content_type":"text/x-rst","patch_set":1,"id":"1d95a7b9_09b2af86","line":130,"range":{"start_line":130,"start_character":0,"end_line":130,"end_character":66},"updated":"2026-06-16 09:55:21.000000000","message":"Links to existing rules: https://github.com/openstack/cyborg/blob/master/cyborg/policies/base.py#L106","commit_id":"54ce2e7b5253cedf73d55c026854229df04f870d"},{"author":{"_account_id":34452,"name":"Joan Gilabert","display_name":"jgilaber","email":"jgilaber@redhat.com","username":"jgilaber"},"change_message_id":"b2ea6fa0289353802b0394577399536489fc0b7f","unresolved":true,"context_lines":[{"line_number":517,"context_line":"  https://etherpad.opendev.org/p/rbac-goal-tracking"},{"line_number":518,"context_line":""},{"line_number":519,"context_line":"* LP#2143263 — rule:allow policy bypass on device, deployable, and attribute"},{"line_number":520,"context_line":"  APIs:"},{"line_number":521,"context_line":"  https://bugs.launchpad.net/openstack-cyborg/+bug/2143263"},{"line_number":522,"context_line":""},{"line_number":523,"context_line":"* LP#2144056 — ARQ cross-tenant access and service-token enforcement:"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ccb4ff57_d5ae171f","line":520,"updated":"2026-06-17 16:18:04.000000000","message":"looks like this being on its own line is messing up the formatting of the link in the generated html","commit_id":"54ce2e7b5253cedf73d55c026854229df04f870d"}]}
