)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"92e858dda197e5efb30c59e208c4053ee540cd5d","unresolved":false,"context_lines":[{"line_number":10,"context_line":"release, the specification[0] has been merged in ussuri. To be brief, we need"},{"line_number":11,"context_line":"to do the followings to incorporate authorization scopes into cyborg:"},{"line_number":12,"context_line":"1. Add the following applicable five personas to cyborg and deprecate old ones:"},{"line_number":13,"context_line":"   * project reader"},{"line_number":14,"context_line":"   * project member"},{"line_number":15,"context_line":"   * project admin"},{"line_number":16,"context_line":"   * system reader"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":10,"id":"bf51134e_be1de478","line":13,"updated":"2020-07-23 03:00:41.000000000","message":"SYSTEM_ADMIN \u003d \u0027rule:system_admin_api\u0027\nSYSTEM_READER \u003d \u0027rule:system_reader_api\u0027\nPROJECT_ADMIN \u003d \u0027rule:project_admin_api\u0027\nPROJECT_MEMBER \u003d \u0027rule:project_member_api\u0027\nPROJECT_READER \u003d \u0027rule:project_reader_api\u0027\nPROJECT_ADMIN_OR_OWNER \u003d \u0027rule:project_admin_or_owner\u0027\n\nFrom the init role, it has six roles.","commit_id":"f93bf16ffbdbf1049a0f928ed6d9b2ce7c28bb44"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"92e858dda197e5efb30c59e208c4053ee540cd5d","unresolved":false,"context_lines":[{"line_number":30,"context_line":"    2) Updated device_profile APIs"},{"line_number":31,"context_line":"    3) extract API_policies from policy.py to indenpendent policy files"},{"line_number":32,"context_line":"    4) extract authorize_wsgi.py out from policy.py"},{"line_number":33,"context_line":"Debug info of this patch can be found in [1], one can easily reproduce by 
"},{"line_number":34,"context_line":"debugging test_device_profiles.TestDeviceProfileController.test_create."},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"All changes in this patch will show a full framwork of the new policies, and"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":10,"id":"bf51134e_9e6bc0ef","line":33,"range":{"start_line":33,"start_character":73,"end_line":33,"end_character":74},"updated":"2020-07-23 03:00:41.000000000","message":"redundant white space.","commit_id":"f93bf16ffbdbf1049a0f928ed6d9b2ce7c28bb44"},{"author":{"_account_id":31412,"name":"Wenping Song","email":"songwenping@inspur.com","username":"songwenping"},"change_message_id":"2804534571f61f519ffb8eb0ea087133bea71bc2","unresolved":false,"context_lines":[{"line_number":34,"context_line":"Debug info of this patch can be found in [1], one can easily reproduce by"},{"line_number":35,"context_line":"debugging test_device_profiles.TestDeviceProfileController.test_create."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"All changes in this patch will show a full framwork of the new policies, and"},{"line_number":38,"context_line":"this patch implements the changes for base_policies and device_profile_policies."},{"line_number":39,"context_line":"Changes for other policies such as device_policies, deployable_policies"},{"line_number":40,"context_line":"will be followed in the next patches."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":14,"id":"9f560f44_6724870e","line":37,"range":{"start_line":37,"start_character":43,"end_line":37,"end_character":51},"updated":"2020-07-29 
06:15:05.000000000","message":"framework","commit_id":"592ffb6146e672442fef2098000d407c9a896c0e"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"bee1db683025578e308727915ee3b4f463d46705","unresolved":false,"context_lines":[{"line_number":34,"context_line":"Debug info of this patch can be found in [1], one can easily reproduce by"},{"line_number":35,"context_line":"debugging test_device_profiles.TestDeviceProfileController.test_create."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"All changes in this patch will show a full framwork of the new policies, and"},{"line_number":38,"context_line":"this patch implements the changes for base_policies and device_profile_policies."},{"line_number":39,"context_line":"Changes for other policies such as device_policies, deployable_policies"},{"line_number":40,"context_line":"will be followed in the next patches."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":14,"id":"9f560f44_c22e21a4","line":37,"range":{"start_line":37,"start_character":43,"end_line":37,"end_character":51},"in_reply_to":"9f560f44_6724870e","updated":"2020-07-29 08:49:44.000000000","message":"Done","commit_id":"592ffb6146e672442fef2098000d407c9a896c0e"},{"author":{"_account_id":25738,"name":"Xinran WANG","email":"xin-ran.wang@intel.com","username":"Xinran"},"change_message_id":"cfd2c015ce2544a24cbac3fa9a4f7c630225cf2e","unresolved":false,"context_lines":[{"line_number":19,"context_line":"2. Rewrite check string(authorization rules) using new personas for all APIs"},{"line_number":20,"context_line":"3. 
Add protection test for all APIs."},{"line_number":21,"context_line":"   A protection test is similar to an API test, but purely focused on the"},{"line_number":22,"context_line":"   authoritative outcome.In other words, protection testing is sufficient when"},{"line_number":23,"context_line":"   we can assert that a user is or isn’t allowed to do or see something. For"},{"line_number":24,"context_line":"   example, Users with a reader role on the system or a project shouldn’t be"},{"line_number":25,"context_line":"   able to make writable changes."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":15,"id":"9f560f44_b5e7bc12","line":22,"updated":"2020-07-31 01:47:15.000000000","message":"need a space here.","commit_id":"1699f0426817f6b615feedb9198a060e4c54801e"},{"author":{"_account_id":25738,"name":"Xinran WANG","email":"xin-ran.wang@intel.com","username":"Xinran"},"change_message_id":"fcdc9bb3cda3cfd2a2a15eaab66024b118bf23aa","unresolved":false,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Cyborg Policy Default Refresh is one of the planned blueprints for victoria"},{"line_number":10,"context_line":"release, the specification[0] has been merged in ussuri. To be brief, we need"},{"line_number":11,"context_line":"to do the followings to incorporate authorization scopes into cyborg:"},{"line_number":12,"context_line":"1. 
Add the following applicable six personas to cyborg and deprecate old ones:"},{"line_number":13,"context_line":"   * project reader"},{"line_number":14,"context_line":"   * project member"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":18,"id":"9f560f44_25c06be1","line":11,"range":{"start_line":11,"start_character":62,"end_line":11,"end_character":68},"updated":"2020-08-04 08:52:46.000000000","message":"Cyborg","commit_id":"60f978ce4256b4b06c87614fb9ff06adb41ae7b1"},{"author":{"_account_id":25738,"name":"Xinran WANG","email":"xin-ran.wang@intel.com","username":"Xinran"},"change_message_id":"fcdc9bb3cda3cfd2a2a15eaab66024b118bf23aa","unresolved":false,"context_lines":[{"line_number":9,"context_line":"Cyborg Policy Default Refresh is one of the planned blueprints for victoria"},{"line_number":10,"context_line":"release, the specification[0] has been merged in ussuri. To be brief, we need"},{"line_number":11,"context_line":"to do the followings to incorporate authorization scopes into cyborg:"},{"line_number":12,"context_line":"1. 
Add the following applicable six personas to cyborg and deprecate old ones:"},{"line_number":13,"context_line":"   * project reader"},{"line_number":14,"context_line":"   * project member"},{"line_number":15,"context_line":"   * project admin"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":18,"id":"9f560f44_05c567f1","line":12,"range":{"start_line":12,"start_character":48,"end_line":12,"end_character":54},"updated":"2020-08-04 08:52:46.000000000","message":"Cyborg","commit_id":"60f978ce4256b4b06c87614fb9ff06adb41ae7b1"},{"author":{"_account_id":25738,"name":"Xinran WANG","email":"xin-ran.wang@intel.com","username":"Xinran"},"change_message_id":"fcdc9bb3cda3cfd2a2a15eaab66024b118bf23aa","unresolved":false,"context_lines":[{"line_number":21,"context_line":"   A protection test is similar to an API test, but purely focused on the"},{"line_number":22,"context_line":"   authoritative outcome.In other words, protection testing is sufficient when"},{"line_number":23,"context_line":"   we can assert that a user is or isn’t allowed to do or see something. For"},{"line_number":24,"context_line":"   example, Users with a reader role on the system or a project shouldn’t be"},{"line_number":25,"context_line":"   able to make writable changes."},{"line_number":26,"context_line":"4. 
Update policy documentation on cyborg-doc page"},{"line_number":27,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":18,"id":"9f560f44_85b0578c","line":24,"range":{"start_line":24,"start_character":12,"end_line":24,"end_character":17},"updated":"2020-08-04 08:52:46.000000000","message":"users","commit_id":"60f978ce4256b4b06c87614fb9ff06adb41ae7b1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3514f6f122d84e63952d8816e2585550192e5b31","unresolved":false,"context_lines":[{"line_number":17,"context_line":"   * system admin"},{"line_number":18,"context_line":"   * project admin_or_owner"},{"line_number":19,"context_line":"2. Rewrite check string(authorization rules) using new personas for all APIs"},{"line_number":20,"context_line":"3. Add protection test for all APIs."},{"line_number":21,"context_line":"   A protection test is similar to an API test, but purely focused on the"},{"line_number":22,"context_line":"   authoritative outcome.In other words, protection testing is sufficient when"},{"line_number":23,"context_line":"   we can assert that a user is or isn’t allowed to do or see something. For"},{"line_number":24,"context_line":"   example, Users with a reader role on the system or a project shouldn’t be"},{"line_number":25,"context_line":"   able to make writable changes."},{"line_number":26,"context_line":"4. 
Update policy documentation on cyborg-doc page"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"This patch refreshed cyborg default RBAC policy to scoped RBAC policy, and"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":18,"id":"9f560f44_e6283498","line":25,"range":{"start_line":20,"start_character":2,"end_line":25,"end_character":33},"updated":"2020-08-04 16:37:15.000000000","message":"this would be great to do to avoid any regression but I could not see that in this patch. \n\nLet\u0027s do those in series,\npatch1: add test for existing policies with old roles.\n\npatch2: policy adopt scope_type and default roles with tests modification. Here we can see what all behavior we are changing with new policy and whether old context(token) keeps working or not. You can also break this into two parts: 1. add scope_type 2. add new defaults","commit_id":"60f978ce4256b4b06c87614fb9ff06adb41ae7b1"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"efbf5e118bf7b11ff9fca7b154d31096381f9f74","unresolved":false,"context_lines":[{"line_number":17,"context_line":"   * system admin"},{"line_number":18,"context_line":"   * project admin_or_owner"},{"line_number":19,"context_line":"2. Rewrite check string(authorization rules) using new personas for all APIs"},{"line_number":20,"context_line":"3. Add protection test for all APIs."},{"line_number":21,"context_line":"   A protection test is similar to an API test, but purely focused on the"},{"line_number":22,"context_line":"   authoritative outcome.In other words, protection testing is sufficient when"},{"line_number":23,"context_line":"   we can assert that a user is or isn’t allowed to do or see something. 
For"},{"line_number":24,"context_line":"   example, Users with a reader role on the system or a project shouldn’t be"},{"line_number":25,"context_line":"   able to make writable changes."},{"line_number":26,"context_line":"4. Update policy documentation on cyborg-doc page"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"This patch refreshed cyborg default RBAC policy to scoped RBAC policy, and"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":18,"id":"9f560f44_e369f924","line":25,"range":{"start_line":20,"start_character":2,"end_line":25,"end_character":33},"in_reply_to":"9f560f44_e6283498","updated":"2020-08-10 07:11:53.000000000","message":"Thanks for the suggestion! Splitting patch sounds good to me, I also don\u0027t wanna make it too big to scare off reviewers. I will split them by the suggested order. \n\nAfter referenced patches [0],[1],[2], pls allow me to confirm one more question: in the policies/test_admin_actions.py , AdminActionsPolicyTest can test both existed and new policies, while AdminActionsScopeTypePolicyTest(for enforce_scope\u003dTrue) and AdminActionsNoLegacyPolicyTest(no_deprecated_rule is True) are defined but not actually test anything. does that mean we need to add actual tests before we enforce_scope\u003dTrue, not now?\n\n\n[0]Add test coverage of existing admin_actions policies: https://review.opendev.org/#/c/657698/14\n[1]Introduce scope_types in Admin Actions: https://review.opendev.org/#/c/657823/11\n[2]Add new default roles in Admin Action API policies: https://review.opendev.org/#/c/676682/7","commit_id":"60f978ce4256b4b06c87614fb9ff06adb41ae7b1"},{"author":{"_account_id":25738,"name":"Xinran WANG","email":"xin-ran.wang@intel.com","username":"Xinran"},"change_message_id":"fcdc9bb3cda3cfd2a2a15eaab66024b118bf23aa","unresolved":false,"context_lines":[{"line_number":25,"context_line":"   able to make writable changes."},{"line_number":26,"context_line":"4. 
Update policy documentation on cyborg-doc page"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"This patch refreshed cyborg default RBAC policy to scoped RBAC policy, and"},{"line_number":29,"context_line":"reorganized the policy framework into a more logical way:"},{"line_number":30,"context_line":"    1) added five personas to basic policies and deprecated legacy roles"},{"line_number":31,"context_line":"    2) Updated device_profile APIs"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":18,"id":"9f560f44_25650b1f","line":28,"range":{"start_line":28,"start_character":21,"end_line":28,"end_character":27},"updated":"2020-08-04 08:52:46.000000000","message":"Cyborg","commit_id":"60f978ce4256b4b06c87614fb9ff06adb41ae7b1"},{"author":{"_account_id":25738,"name":"Xinran WANG","email":"xin-ran.wang@intel.com","username":"Xinran"},"change_message_id":"fcdc9bb3cda3cfd2a2a15eaab66024b118bf23aa","unresolved":false,"context_lines":[{"line_number":40,"context_line":"in [1], one can easily reproduce by"},{"line_number":41,"context_line":"debugging test_device_profiles.TestDeviceProfileController.test_create."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"All changes in this patch will show a full framwork of the new policies, and"},{"line_number":44,"context_line":"this patch implements the changes for base_policies and device_profile_policies."},{"line_number":45,"context_line":"Changes for other policies such as device_policies, deployable_policies"},{"line_number":46,"context_line":"will be followed in the next patches."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":18,"id":"9f560f44_8587b7b5","line":43,"range":{"start_line":43,"start_character":43,"end_line":43,"end_character":51},"updated":"2020-08-04 
08:52:46.000000000","message":"framework","commit_id":"60f978ce4256b4b06c87614fb9ff06adb41ae7b1"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"efbf5e118bf7b11ff9fca7b154d31096381f9f74","unresolved":false,"context_lines":[{"line_number":40,"context_line":"in [1], one can easily reproduce by"},{"line_number":41,"context_line":"debugging test_device_profiles.TestDeviceProfileController.test_create."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"All changes in this patch will show a full framwork of the new policies, and"},{"line_number":44,"context_line":"this patch implements the changes for base_policies and device_profile_policies."},{"line_number":45,"context_line":"Changes for other policies such as device_policies, deployable_policies"},{"line_number":46,"context_line":"will be followed in the next patches."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":18,"id":"9f560f44_bee8b47b","line":43,"range":{"start_line":43,"start_character":43,"end_line":43,"end_character":51},"in_reply_to":"9f560f44_8587b7b5","updated":"2020-08-10 07:11:53.000000000","message":"ok.thanks Xinran, will update all of them.","commit_id":"60f978ce4256b4b06c87614fb9ff06adb41ae7b1"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"c81441460ab0c8f4d72774c68785b257e349817d","unresolved":false,"context_lines":[{"line_number":13,"context_line":"   A protection test is similar to an API test, but purely focused on the"},{"line_number":14,"context_line":"   authoritative outcome.In other words, protection testing is sufficient when"},{"line_number":15,"context_line":"   we can assert that a user is or isn’t allowed to do or see something. 
For"},{"line_number":16,"context_line":"   example, Users with a reader role on the system or a project shouldn’t be"},{"line_number":17,"context_line":"   able to make writable changes."},{"line_number":18,"context_line":"2. Add the following applicable six personas to cyborg and deprecate old ones:"},{"line_number":19,"context_line":"   * project reader"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":22,"id":"9f560f44_78882f70","line":16,"range":{"start_line":16,"start_character":12,"end_line":16,"end_character":13},"updated":"2020-09-09 10:04:01.000000000","message":"u","commit_id":"1cb665716c806f4762bda3dc8c3030c49ac22d00"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"20a244bc396b95ab1b033e8f3d3e3bd8a2b5ada0","unresolved":false,"context_lines":[{"line_number":13,"context_line":"   A protection test is similar to an API test, but purely focused on the"},{"line_number":14,"context_line":"   authoritative outcome.In other words, protection testing is sufficient when"},{"line_number":15,"context_line":"   we can assert that a user is or isn’t allowed to do or see something. For"},{"line_number":16,"context_line":"   example, Users with a reader role on the system or a project shouldn’t be"},{"line_number":17,"context_line":"   able to make writable changes."},{"line_number":18,"context_line":"2. 
Add the following applicable six personas to cyborg and deprecate old ones:"},{"line_number":19,"context_line":"   * project reader"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":22,"id":"9f560f44_b1de4b67","line":16,"range":{"start_line":16,"start_character":12,"end_line":16,"end_character":13},"in_reply_to":"9f560f44_78882f70","updated":"2020-09-10 09:40:03.000000000","message":"Done","commit_id":"1cb665716c806f4762bda3dc8c3030c49ac22d00"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"c81441460ab0c8f4d72774c68785b257e349817d","unresolved":false,"context_lines":[{"line_number":15,"context_line":"   we can assert that a user is or isn’t allowed to do or see something. For"},{"line_number":16,"context_line":"   example, Users with a reader role on the system or a project shouldn’t be"},{"line_number":17,"context_line":"   able to make writable changes."},{"line_number":18,"context_line":"2. Add the following applicable six personas to cyborg and deprecate old ones:"},{"line_number":19,"context_line":"   * project reader"},{"line_number":20,"context_line":"   * project member"},{"line_number":21,"context_line":"   * project admin"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":22,"id":"9f560f44_d8c7bb97","line":18,"range":{"start_line":18,"start_character":59,"end_line":18,"end_character":78},"updated":"2020-09-09 10:04:01.000000000","message":"Here just marking the old roles, and we dont deprecate them in this release, I think.","commit_id":"1cb665716c806f4762bda3dc8c3030c49ac22d00"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"c81441460ab0c8f4d72774c68785b257e349817d","unresolved":false,"context_lines":[{"line_number":15,"context_line":"   we can assert that a user is or isn’t allowed to do or see something. 
For"},{"line_number":16,"context_line":"   example, Users with a reader role on the system or a project shouldn’t be"},{"line_number":17,"context_line":"   able to make writable changes."},{"line_number":18,"context_line":"2. Add the following applicable six personas to cyborg and deprecate old ones:"},{"line_number":19,"context_line":"   * project reader"},{"line_number":20,"context_line":"   * project member"},{"line_number":21,"context_line":"   * project admin"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":22,"id":"9f560f44_f8d8bf7f","line":18,"range":{"start_line":18,"start_character":31,"end_line":18,"end_character":45},"updated":"2020-09-09 10:04:01.000000000","message":"seven roles","commit_id":"1cb665716c806f4762bda3dc8c3030c49ac22d00"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"20a244bc396b95ab1b033e8f3d3e3bd8a2b5ada0","unresolved":false,"context_lines":[{"line_number":15,"context_line":"   we can assert that a user is or isn’t allowed to do or see something. For"},{"line_number":16,"context_line":"   example, Users with a reader role on the system or a project shouldn’t be"},{"line_number":17,"context_line":"   able to make writable changes."},{"line_number":18,"context_line":"2. 
Add the following applicable six personas to cyborg and deprecate old ones:"},{"line_number":19,"context_line":"   * project reader"},{"line_number":20,"context_line":"   * project member"},{"line_number":21,"context_line":"   * project admin"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":22,"id":"9f560f44_71c15380","line":18,"range":{"start_line":18,"start_character":59,"end_line":18,"end_character":78},"in_reply_to":"9f560f44_d8c7bb97","updated":"2020-09-10 09:40:03.000000000","message":"here in the commit message, \"deprecated old ones\" means remark old roles as deprecated.","commit_id":"1cb665716c806f4762bda3dc8c3030c49ac22d00"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"c81441460ab0c8f4d72774c68785b257e349817d","unresolved":false,"context_lines":[{"line_number":24,"context_line":"   * system admin or owner"},{"line_number":25,"context_line":"   * system or project reader"},{"line_number":26,"context_line":"3. Rewrite check string(authorization rules) using new personas for all APIs"},{"line_number":27,"context_line":"4. Add protection test for all APIs."},{"line_number":28,"context_line":"   A protection test is similar to an API test, but purely focused on the"},{"line_number":29,"context_line":"   authoritative outcome.In other words, protection testing is sufficient when"},{"line_number":30,"context_line":"   we can assert that a user is or isn’t allowed to do or see something. For"},{"line_number":31,"context_line":"   example, Users with a reader role on the system or a project shouldn’t be"},{"line_number":32,"context_line":"   able to make writable changes."},{"line_number":33,"context_line":"5. 
Update policy documentation on cyborg-doc page"},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"This patch refreshed cyborg default RBAC policy to scoped RBAC policy, and"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":22,"id":"9f560f44_184ad325","line":32,"range":{"start_line":27,"start_character":2,"end_line":32,"end_character":33},"updated":"2020-09-09 10:04:01.000000000","message":"This repeats item 1 above.","commit_id":"1cb665716c806f4762bda3dc8c3030c49ac22d00"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"20a244bc396b95ab1b033e8f3d3e3bd8a2b5ada0","unresolved":false,"context_lines":[{"line_number":24,"context_line":"   * system admin or owner"},{"line_number":25,"context_line":"   * system or project reader"},{"line_number":26,"context_line":"3. Rewrite check string(authorization rules) using new personas for all APIs"},{"line_number":27,"context_line":"4. Add protection test for all APIs."},{"line_number":28,"context_line":"   A protection test is similar to an API test, but purely focused on the"},{"line_number":29,"context_line":"   authoritative outcome.In other words, protection testing is sufficient when"},{"line_number":30,"context_line":"   we can assert that a user is or isn’t allowed to do or see something. For"},{"line_number":31,"context_line":"   example, Users with a reader role on the system or a project shouldn’t be"},{"line_number":32,"context_line":"   able to make writable changes."},{"line_number":33,"context_line":"5. 
Update policy documentation on cyborg-doc page"},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"This patch refreshed cyborg default RBAC policy to scoped RBAC policy, and"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":22,"id":"9f560f44_b1b76b21","line":32,"range":{"start_line":27,"start_character":2,"end_line":32,"end_character":33},"in_reply_to":"9f560f44_184ad325","updated":"2020-09-10 09:40:03.000000000","message":"removed","commit_id":"1cb665716c806f4762bda3dc8c3030c49ac22d00"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"c81441460ab0c8f4d72774c68785b257e349817d","unresolved":false,"context_lines":[{"line_number":34,"context_line":""},{"line_number":35,"context_line":"This patch refreshed cyborg default RBAC policy to scoped RBAC policy, and"},{"line_number":36,"context_line":"reorganized the policy framework into a more logical way:"},{"line_number":37,"context_line":"    1) added five personas to basic policies and deprecated legacy roles"},{"line_number":38,"context_line":"    2) extract API_policies from policy.py to indenpendent policy files"},{"line_number":39,"context_line":"    3) extract authorize_wsgi.py out from policy.py"},{"line_number":40,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":22,"id":"9f560f44_d855fbc3","line":37,"range":{"start_line":37,"start_character":45,"end_line":37,"end_character":72},"updated":"2020-09-09 10:04:01.000000000","message":"ditto","commit_id":"1cb665716c806f4762bda3dc8c3030c49ac22d00"}],"cyborg/api/controllers/v2/arqs.py":[{"author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"tag":"autogenerated:zuul:check","change_message_id":"86b925dd55d0e6c86757d0406194ad69ba62e264","unresolved":false,"context_lines":[{"line_number":27,"context_line":"from cyborg.common import constants"},{"line_number":28,"context_line":"from 
cyborg.common import exception"},{"line_number":29,"context_line":"from cyborg.common.i18n import _"},{"line_number":30,"context_line":"from cyborg.common import authorize_wsgi"},{"line_number":31,"context_line":"from cyborg import objects"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"LOG \u003d log.getLogger(__name__)"}],"source_content_type":"text/x-python","patch_set":11,"id":"bf51134e_23988668","line":30,"updated":"2020-07-24 03:25:56.000000000","message":"pep8: H306: imports not in alphabetical order (cyborg.common.i18n._, cyborg.common.authorize_wsgi)","commit_id":"04e4344fae0c0b48aab0c3e38da1902c9c9919a2"},{"author":{"_account_id":17813,"name":"wangzhh","email":"wzh_1993@126.com","username":"wangzhh"},"change_message_id":"12f780b701dfe9d1a34e5e95cac048ee91689d85","unresolved":false,"context_lines":[{"line_number":216,"context_line":"        LOG.info(\u0027[arqs:get_all] Returned: %s\u0027, ret)"},{"line_number":217,"context_line":"        return ret"},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"    @authorize_wsgi.authorize_wsgi(\"cyborg:arq\", \"delete\", False)"},{"line_number":220,"context_line":"    @expose.expose(None, wtypes.text, wtypes.text,"},{"line_number":221,"context_line":"                   status_code\u003dhttp_client.NO_CONTENT)"},{"line_number":222,"context_line":"    def delete(self, arqs\u003dNone, instance\u003dNone):"}],"source_content_type":"text/x-python","patch_set":22,"id":"9f560f44_a01d7710","line":219,"updated":"2020-09-09 01:28:02.000000000","message":"Do we have `DELETE /v2/accelerator_requests/{uuid}`? If the answer is yes. 
I think that the delete method should have a target.","commit_id":"1cb665716c806f4762bda3dc8c3030c49ac22d00"}],"cyborg/common/authorize_wsgi.py":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3514f6f122d84e63952d8816e2585550192e5b31","unresolved":false,"context_lines":[{"line_number":32,"context_line":""},{"line_number":33,"context_line":"@lockutils.synchronized(\u0027policy_enforcer\u0027, \u0027cyborg-\u0027)"},{"line_number":34,"context_line":"def init_enforcer(policy_file\u003dNone, rules\u003dNone,"},{"line_number":35,"context_line":"                  default_rule\u003dNone, use_conf\u003dTrue):"},{"line_number":36,"context_line":"    \"\"\"Synchronously initializes the policy enforcer"},{"line_number":37,"context_line":"    :param policy_file: Custom policy file to use, if none is specified,"},{"line_number":38,"context_line":"                        `CONF.oslo_policy.policy_file` will be used."}],"source_content_type":"text/x-python","patch_set":18,"id":"9f560f44_064608c1","line":35,"range":{"start_line":35,"start_character":50,"end_line":35,"end_character":51},"updated":"2020-08-04 16:37:15.000000000","message":"you can also add a suppress warning option for tests, otherwise each test initializing policy will start logging warnings. 
This might not be as worse as it was in nova due to high number of policy but still good to suppress.\n\n...use_conf\u003dTrue, suppress_deprecation_warnings\u003dFalse","commit_id":"60f978ce4256b4b06c87614fb9ff06adb41ae7b1"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"279f44418780495b02dc71976506893f35f96b6c","unresolved":false,"context_lines":[{"line_number":32,"context_line":""},{"line_number":33,"context_line":"@lockutils.synchronized(\u0027policy_enforcer\u0027, \u0027cyborg-\u0027)"},{"line_number":34,"context_line":"def init_enforcer(policy_file\u003dNone, rules\u003dNone,"},{"line_number":35,"context_line":"                  default_rule\u003dNone, use_conf\u003dTrue):"},{"line_number":36,"context_line":"    \"\"\"Synchronously initializes the policy enforcer"},{"line_number":37,"context_line":"    :param policy_file: Custom policy file to use, if none is specified,"},{"line_number":38,"context_line":"                        `CONF.oslo_policy.policy_file` will be used."}],"source_content_type":"text/x-python","patch_set":18,"id":"9f560f44_b572d2ab","line":35,"range":{"start_line":35,"start_character":50,"end_line":35,"end_character":51},"in_reply_to":"9f560f44_064608c1","updated":"2020-08-05 11:16:53.000000000","message":"Agree to do this.","commit_id":"60f978ce4256b4b06c87614fb9ff06adb41ae7b1"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"efbf5e118bf7b11ff9fca7b154d31096381f9f74","unresolved":false,"context_lines":[{"line_number":32,"context_line":""},{"line_number":33,"context_line":"@lockutils.synchronized(\u0027policy_enforcer\u0027, \u0027cyborg-\u0027)"},{"line_number":34,"context_line":"def init_enforcer(policy_file\u003dNone, rules\u003dNone,"},{"line_number":35,"context_line":"                  default_rule\u003dNone, use_conf\u003dTrue):"},{"line_number":36,"context_line":"    
\"\"\"Synchronously initializes the policy enforcer"},{"line_number":37,"context_line":"    :param policy_file: Custom policy file to use, if none is specified,"},{"line_number":38,"context_line":"                        `CONF.oslo_policy.policy_file` will be used."}],"source_content_type":"text/x-python","patch_set":18,"id":"9f560f44_de692825","line":35,"range":{"start_line":35,"start_character":50,"end_line":35,"end_character":51},"in_reply_to":"9f560f44_064608c1","updated":"2020-08-10 07:11:53.000000000","message":"ok. will do.","commit_id":"60f978ce4256b4b06c87614fb9ff06adb41ae7b1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3514f6f122d84e63952d8816e2585550192e5b31","unresolved":false,"context_lines":[{"line_number":55,"context_line":"    _ENFORCER \u003d policy.Enforcer(CONF, policy_file\u003dpolicy_file,"},{"line_number":56,"context_line":"                                rules\u003drules,"},{"line_number":57,"context_line":"                                default_rule\u003ddefault_rule,"},{"line_number":58,"context_line":"                                use_conf\u003duse_conf)"},{"line_number":59,"context_line":"    _ENFORCER.register_defaults(policies.list_policies())"},{"line_number":60,"context_line":""},{"line_number":61,"context_line":""}],"source_content_type":"text/x-python","patch_set":18,"id":"9f560f44_061f28b7","line":58,"range":{"start_line":58,"start_character":49,"end_line":58,"end_character":50},"updated":"2020-08-04 16:37:15.000000000","message":"here you can pass it to oslo policy\n\n        if suppress_deprecation_warnings:\n            _ENFORCER.suppress_deprecation_warnings \u003d 
True","commit_id":"60f978ce4256b4b06c87614fb9ff06adb41ae7b1"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"efbf5e118bf7b11ff9fca7b154d31096381f9f74","unresolved":false,"context_lines":[{"line_number":55,"context_line":"    _ENFORCER \u003d policy.Enforcer(CONF, policy_file\u003dpolicy_file,"},{"line_number":56,"context_line":"                                rules\u003drules,"},{"line_number":57,"context_line":"                                default_rule\u003ddefault_rule,"},{"line_number":58,"context_line":"                                use_conf\u003duse_conf)"},{"line_number":59,"context_line":"    _ENFORCER.register_defaults(policies.list_policies())"},{"line_number":60,"context_line":""},{"line_number":61,"context_line":""}],"source_content_type":"text/x-python","patch_set":18,"id":"9f560f44_7e645c4a","line":58,"range":{"start_line":58,"start_character":49,"end_line":58,"end_character":50},"in_reply_to":"9f560f44_061f28b7","updated":"2020-08-10 07:11:53.000000000","message":"got it. will do.","commit_id":"60f978ce4256b4b06c87614fb9ff06adb41ae7b1"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"c81441460ab0c8f4d72774c68785b257e349817d","unresolved":false,"context_lines":[{"line_number":36,"context_line":"    \"\"\"Synchronously initializes the policy enforcer"},{"line_number":37,"context_line":"    :param policy_file: Custom policy file to use, if none is specified,"},{"line_number":38,"context_line":"                        `CONF.oslo_policy.policy_file` will be used."},{"line_number":39,"context_line":"    :param rules: Default dictionary / Rules to use. 
It will be"},{"line_number":40,"context_line":"                  considered just in the first instantiation."},{"line_number":41,"context_line":"    :param default_rule: Default rule to use,"},{"line_number":42,"context_line":"                         CONF.oslo_policy.policy_default_rule will"}],"source_content_type":"text/x-python","patch_set":22,"id":"9f560f44_b8280733","line":39,"range":{"start_line":39,"start_character":25,"end_line":39,"end_character":44},"updated":"2020-09-09 10:04:01.000000000","message":"Question: I don\u0027t quite understand this comment.","commit_id":"1cb665716c806f4762bda3dc8c3030c49ac22d00"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"98a2dcb1ad3228ec63abd5ca05764357f175a86d","unresolved":false,"context_lines":[{"line_number":96,"context_line":"    :param act: The function name of wsgi action."},{"line_number":97,"context_line":"    :param need_target: Whether need target for authorization. 
Such as,"},{"line_number":98,"context_line":"                        when create some resource , maybe target is not needed."},{"line_number":99,"context_line":"    example:"},{"line_number":100,"context_line":"        from cyborg.common import policy"},{"line_number":101,"context_line":"        class AcceleratorController(rest.RestController):"},{"line_number":102,"context_line":"            ...."},{"line_number":103,"context_line":"            @policy.authorize_wsgi(\"cyborg:accelerator\", \"create\", False)"},{"line_number":104,"context_line":"            @wsme_pecan.wsexpose(Accelerator, body\u003dtypes.jsontype,"},{"line_number":105,"context_line":"                                 status_code\u003dhttp_client.CREATED)"},{"line_number":106,"context_line":"            def post(self, values):"},{"line_number":107,"context_line":"                ..."},{"line_number":108,"context_line":"    \"\"\""},{"line_number":109,"context_line":"    def wraper(fn):"},{"line_number":110,"context_line":"        action \u003d \u0027%s:%s\u0027 % (api_name, act or fn.__name__)"}],"source_content_type":"text/x-python","patch_set":22,"id":"9f560f44_9b625d15","line":107,"range":{"start_line":99,"start_character":4,"end_line":107,"end_character":19},"updated":"2020-09-09 10:39:00.000000000","message":"Looks like this need to be update.\nThe API used authorize_wsgi() directly.","commit_id":"1cb665716c806f4762bda3dc8c3030c49ac22d00"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"20a244bc396b95ab1b033e8f3d3e3bd8a2b5ada0","unresolved":false,"context_lines":[{"line_number":96,"context_line":"    :param act: The function name of wsgi action."},{"line_number":97,"context_line":"    :param need_target: Whether need target for authorization. 
Such as,"},{"line_number":98,"context_line":"                        when create some resource , maybe target is not needed."},{"line_number":99,"context_line":"    example:"},{"line_number":100,"context_line":"        from cyborg.common import policy"},{"line_number":101,"context_line":"        class AcceleratorController(rest.RestController):"},{"line_number":102,"context_line":"            ...."},{"line_number":103,"context_line":"            @policy.authorize_wsgi(\"cyborg:accelerator\", \"create\", False)"},{"line_number":104,"context_line":"            @wsme_pecan.wsexpose(Accelerator, body\u003dtypes.jsontype,"},{"line_number":105,"context_line":"                                 status_code\u003dhttp_client.CREATED)"},{"line_number":106,"context_line":"            def post(self, values):"},{"line_number":107,"context_line":"                ..."},{"line_number":108,"context_line":"    \"\"\""},{"line_number":109,"context_line":"    def wraper(fn):"},{"line_number":110,"context_line":"        action \u003d \u0027%s:%s\u0027 % (api_name, act or fn.__name__)"}],"source_content_type":"text/x-python","patch_set":22,"id":"9f560f44_b1e80bdf","line":107,"range":{"start_line":99,"start_character":4,"end_line":107,"end_character":19},"in_reply_to":"9f560f44_9b625d15","updated":"2020-09-10 09:40:03.000000000","message":"Done","commit_id":"1cb665716c806f4762bda3dc8c3030c49ac22d00"},{"author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"tag":"autogenerated:zuul:check","change_message_id":"085998244b7bf61bf55f27dbd96700e563daea86","unresolved":false,"context_lines":[{"line_number":100,"context_line":"        from cyborg.common import authorize_wsgi"},{"line_number":101,"context_line":"        class AcceleratorController(rest.RestController):"},{"line_number":102,"context_line":"            ...."},{"line_number":103,"context_line":"            @authorize_wsgi.authorize_wsgi(\"cyborg:accelerator\", \"create\", 
False)"},{"line_number":104,"context_line":"            @wsme_pecan.wsexpose(Accelerator, body\u003dtypes.jsontype,"},{"line_number":105,"context_line":"                                 status_code\u003dhttp_client.CREATED)"},{"line_number":106,"context_line":"            def post(self, values):"}],"source_content_type":"text/x-python","patch_set":24,"id":"9f560f44_ec746a38","line":103,"updated":"2020-09-10 10:21:11.000000000","message":"pep8: E501 line too long (81 \u003e 79 characters)","commit_id":"9046d8cd3d5dd4743ac2d3e62151577178e51f1c"}],"cyborg/common/policy.py":[{"author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"tag":"autogenerated:zuul:check","change_message_id":"48389567812d0b684a1b5d01d3b14d92da54fa54","unresolved":false,"context_lines":[{"line_number":21,"context_line":"from oslo_concurrency import lockutils"},{"line_number":22,"context_line":"from oslo_config import cfg"},{"line_number":23,"context_line":"from oslo_log import log"},{"line_number":24,"context_line":"from oslo_log import versionutils"},{"line_number":25,"context_line":"from oslo_policy import policy"},{"line_number":26,"context_line":"from oslo_versionedobjects import base as object_base"},{"line_number":27,"context_line":"import pecan"}],"source_content_type":"text/x-python","patch_set":10,"id":"bf51134e_7e5d0c78","line":24,"updated":"2020-07-23 02:44:08.000000000","message":"pep8: F401 \u0027oslo_log.versionutils\u0027 imported but unused","commit_id":"f93bf16ffbdbf1049a0f928ed6d9b2ce7c28bb44"},{"author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"tag":"autogenerated:zuul:check","change_message_id":"86b925dd55d0e6c86757d0406194ad69ba62e264","unresolved":false,"context_lines":[{"line_number":15,"context_line":""},{"line_number":16,"context_line":"\"\"\"Policy Engine For Cyborg.\"\"\""},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"import functools"},{"line_number":19,"context_line":"import 
sys"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"from oslo_concurrency import lockutils"}],"source_content_type":"text/x-python","patch_set":11,"id":"bf51134e_23836606","line":18,"updated":"2020-07-24 03:25:56.000000000","message":"pep8: F401 \u0027functools\u0027 imported but unused","commit_id":"04e4344fae0c0b48aab0c3e38da1902c9c9919a2"},{"author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"tag":"autogenerated:zuul:check","change_message_id":"86b925dd55d0e6c86757d0406194ad69ba62e264","unresolved":false,"context_lines":[{"line_number":16,"context_line":"\"\"\"Policy Engine For Cyborg.\"\"\""},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"import functools"},{"line_number":19,"context_line":"import sys"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"from oslo_concurrency import lockutils"},{"line_number":22,"context_line":"from oslo_config import cfg"}],"source_content_type":"text/x-python","patch_set":11,"id":"bf51134e_03862214","line":19,"updated":"2020-07-24 03:25:56.000000000","message":"pep8: F401 \u0027sys\u0027 imported but unused","commit_id":"04e4344fae0c0b48aab0c3e38da1902c9c9919a2"},{"author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"tag":"autogenerated:zuul:check","change_message_id":"86b925dd55d0e6c86757d0406194ad69ba62e264","unresolved":false,"context_lines":[{"line_number":18,"context_line":"import functools"},{"line_number":19,"context_line":"import sys"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"from oslo_concurrency import lockutils"},{"line_number":22,"context_line":"from oslo_config import cfg"},{"line_number":23,"context_line":"from oslo_log import log"},{"line_number":24,"context_line":"from oslo_policy import policy"}],"source_content_type":"text/x-python","patch_set":11,"id":"bf51134e_637c3e20","line":21,"updated":"2020-07-24 03:25:56.000000000","message":"pep8: F401 
\u0027oslo_concurrency.lockutils\u0027 imported but unused","commit_id":"04e4344fae0c0b48aab0c3e38da1902c9c9919a2"},{"author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"tag":"autogenerated:zuul:check","change_message_id":"86b925dd55d0e6c86757d0406194ad69ba62e264","unresolved":false,"context_lines":[{"line_number":22,"context_line":"from oslo_config import cfg"},{"line_number":23,"context_line":"from oslo_log import log"},{"line_number":24,"context_line":"from oslo_policy import policy"},{"line_number":25,"context_line":"from oslo_versionedobjects import base as object_base"},{"line_number":26,"context_line":"import pecan"},{"line_number":27,"context_line":"import wsme"},{"line_number":28,"context_line":""}],"source_content_type":"text/x-python","patch_set":11,"id":"bf51134e_43777a3c","line":25,"updated":"2020-07-24 03:25:56.000000000","message":"pep8: F401 \u0027oslo_versionedobjects.base as object_base\u0027 imported but unused","commit_id":"04e4344fae0c0b48aab0c3e38da1902c9c9919a2"},{"author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"tag":"autogenerated:zuul:check","change_message_id":"86b925dd55d0e6c86757d0406194ad69ba62e264","unresolved":false,"context_lines":[{"line_number":23,"context_line":"from oslo_log import log"},{"line_number":24,"context_line":"from oslo_policy import policy"},{"line_number":25,"context_line":"from oslo_versionedobjects import base as object_base"},{"line_number":26,"context_line":"import pecan"},{"line_number":27,"context_line":"import wsme"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"from cyborg.common import exception"}],"source_content_type":"text/x-python","patch_set":11,"id":"bf51134e_a376563d","line":26,"updated":"2020-07-24 03:25:56.000000000","message":"pep8: F401 \u0027pecan\u0027 imported but 
unused","commit_id":"04e4344fae0c0b48aab0c3e38da1902c9c9919a2"},{"author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"tag":"autogenerated:zuul:check","change_message_id":"86b925dd55d0e6c86757d0406194ad69ba62e264","unresolved":false,"context_lines":[{"line_number":24,"context_line":"from oslo_policy import policy"},{"line_number":25,"context_line":"from oslo_versionedobjects import base as object_base"},{"line_number":26,"context_line":"import pecan"},{"line_number":27,"context_line":"import wsme"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"from cyborg.common import exception"},{"line_number":30,"context_line":"from cyborg import policies as new_policy"}],"source_content_type":"text/x-python","patch_set":11,"id":"bf51134e_83719247","line":27,"updated":"2020-07-24 03:25:56.000000000","message":"pep8: F401 \u0027wsme\u0027 imported but unused","commit_id":"04e4344fae0c0b48aab0c3e38da1902c9c9919a2"},{"author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"tag":"autogenerated:zuul:check","change_message_id":"86b925dd55d0e6c86757d0406194ad69ba62e264","unresolved":false,"context_lines":[{"line_number":26,"context_line":"import pecan"},{"line_number":27,"context_line":"import wsme"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"from cyborg.common import exception"},{"line_number":30,"context_line":"from cyborg import policies as new_policy"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":""}],"source_content_type":"text/x-python","patch_set":11,"id":"bf51134e_e38dee2a","line":29,"updated":"2020-07-24 03:25:56.000000000","message":"pep8: F401 \u0027cyborg.common.exception\u0027 imported but 
unused","commit_id":"04e4344fae0c0b48aab0c3e38da1902c9c9919a2"},{"author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"tag":"autogenerated:zuul:check","change_message_id":"86b925dd55d0e6c86757d0406194ad69ba62e264","unresolved":false,"context_lines":[{"line_number":27,"context_line":"import wsme"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"from cyborg.common import exception"},{"line_number":30,"context_line":"from cyborg import policies as new_policy"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"_ENFORCER \u003d None"}],"source_content_type":"text/x-python","patch_set":11,"id":"bf51134e_c390aa45","line":30,"updated":"2020-07-24 03:25:56.000000000","message":"pep8: F401 \u0027cyborg.policies as new_policy\u0027 imported but unused","commit_id":"04e4344fae0c0b48aab0c3e38da1902c9c9919a2"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"9f7ad4dbf028c6c4208a860064ca595c855761e9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":25,"id":"9f560f44_cf8fc620","updated":"2020-09-11 02:41:11.000000000","message":"Looks good to me overall, but I am worry about we decrepated the old policy when we introduce the new policy directly, does it really have no effect?","commit_id":"0bb806b9dc7f7c74998c9b03efe1b8bf2153f1f3"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"a60ca430bbecc993802e182b4e2d6fe6133c8243","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":25,"id":"9f560f44_6e9e7bb8","in_reply_to":"9f560f44_cf8fc620","updated":"2020-09-11 06:14:53.000000000","message":"no worries, the old one can still work fine. 
\nFirst of all, we\u0027ve added the protection test[0] to test both 1.users who can pass the deprecated policy and 2.users that can pass the new policy. Secondly, by going through the policy authorize code, you can find that cyborg.common.authorize_wsgi.authorize will finally invoke oslo_policy.policy.OrCheck[1] if the new rule has a deprecated_rule.\n[0]https://review.opendev.org/#/c/749724/8/cyborg/tests/unit/policies/test_device_profiles.py\n[1]https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L738","commit_id":"0bb806b9dc7f7c74998c9b03efe1b8bf2153f1f3"}],"cyborg/policies/__init__.py":[{"author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"tag":"autogenerated:zuul:check","change_message_id":"86b925dd55d0e6c86757d0406194ad69ba62e264","unresolved":false,"context_lines":[{"line_number":20,"context_line":"from cyborg.policies import base"},{"line_number":21,"context_line":"from cyborg.policies import device_profile"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"def list_policies():"},{"line_number":24,"context_line":"    return itertools.chain("},{"line_number":25,"context_line":"        base.list_policies(),"},{"line_number":26,"context_line":"        device_profile.list_policies(),"}],"source_content_type":"text/x-python","patch_set":11,"id":"bf51134e_c38b8a1b","line":23,"updated":"2020-07-24 03:25:56.000000000","message":"pep8: E302 expected 2 blank lines, found 1","commit_id":"04e4344fae0c0b48aab0c3e38da1902c9c9919a2"}],"cyborg/policies/base.py":[{"author":{"_account_id":25738,"name":"Xinran WANG","email":"xin-ran.wang@intel.com","username":"Xinran"},"change_message_id":"cfd2c015ce2544a24cbac3fa9a4f7c630225cf2e","unresolved":false,"context_lines":[{"line_number":78,"context_line":"        description\u003d\"Default rule for Project level read only APIs.\"),"},{"line_number":79,"context_line":"    policy.RuleDefault("},{"line_number":80,"context_line":"        
name\u003d\"project_admin_or_owner\","},{"line_number":81,"context_line":"        check_str\u003d\"rule:project_admin_api or rule:owner_api\","},{"line_number":82,"context_line":"        description\u003d\"Default rule for Project admin+owner APIs.\"),"},{"line_number":83,"context_line":"]"},{"line_number":84,"context_line":""}],"source_content_type":"text/x-python","patch_set":15,"id":"9f560f44_d5c5105d","line":81,"range":{"start_line":81,"start_character":50,"end_line":81,"end_character":59},"updated":"2020-07-31 01:47:15.000000000","message":"do we miss the definition of owner API here?","commit_id":"1699f0426817f6b615feedb9198a060e4c54801e"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"2efdb46456ee574d40adf93c943284cbfc209ce3","unresolved":false,"context_lines":[{"line_number":78,"context_line":"        description\u003d\"Default rule for Project level read only APIs.\"),"},{"line_number":79,"context_line":"    policy.RuleDefault("},{"line_number":80,"context_line":"        name\u003d\"project_admin_or_owner\","},{"line_number":81,"context_line":"        check_str\u003d\"rule:project_admin_api or rule:owner_api\","},{"line_number":82,"context_line":"        description\u003d\"Default rule for Project admin+owner APIs.\"),"},{"line_number":83,"context_line":"]"},{"line_number":84,"context_line":""}],"source_content_type":"text/x-python","patch_set":15,"id":"9f560f44_9a7c60b6","line":81,"range":{"start_line":81,"start_character":50,"end_line":81,"end_character":59},"in_reply_to":"9f560f44_d5c5105d","updated":"2020-07-31 10:32:27.000000000","message":"yes, my mistake. 
should define owner_api here","commit_id":"1699f0426817f6b615feedb9198a060e4c54801e"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3514f6f122d84e63952d8816e2585550192e5b31","unresolved":false,"context_lines":[{"line_number":37,"context_line":"SYSTEM_ADMIN \u003d \u0027rule:system_admin_api\u0027"},{"line_number":38,"context_line":"SYSTEM_READER \u003d \u0027rule:system_reader_api\u0027"},{"line_number":39,"context_line":"PROJECT_ADMIN \u003d \u0027rule:project_admin_api\u0027"},{"line_number":40,"context_line":"PROJECT_MEMBER \u003d \u0027rule:project_member_api\u0027"},{"line_number":41,"context_line":"PROJECT_READER \u003d \u0027rule:project_reader_api\u0027"},{"line_number":42,"context_line":"PROJECT_ADMIN_OR_OWNER \u003d \u0027rule:project_admin_or_owner\u0027"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"# NOTE(yumeng): Keystone already support implied roles means assignment"}],"source_content_type":"text/x-python","patch_set":18,"id":"9f560f44_a6747cd0","line":41,"range":{"start_line":40,"start_character":0,"end_line":41,"end_character":42},"updated":"2020-08-04 16:37:15.000000000","message":"I have not gone through the individual policy but I am sure you might need PROJECT_MEMBER_OR_SYSTEM_ADMIN and PROJECT_READER_OR_SYSTEM_READER so that system role tokens can still allow to do the operation on projects accessed APIs. 
anyways let\u0027s add those while doing each policy with new rule.","commit_id":"60f978ce4256b4b06c87614fb9ff06adb41ae7b1"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"efbf5e118bf7b11ff9fca7b154d31096381f9f74","unresolved":false,"context_lines":[{"line_number":37,"context_line":"SYSTEM_ADMIN \u003d \u0027rule:system_admin_api\u0027"},{"line_number":38,"context_line":"SYSTEM_READER \u003d \u0027rule:system_reader_api\u0027"},{"line_number":39,"context_line":"PROJECT_ADMIN \u003d \u0027rule:project_admin_api\u0027"},{"line_number":40,"context_line":"PROJECT_MEMBER \u003d \u0027rule:project_member_api\u0027"},{"line_number":41,"context_line":"PROJECT_READER \u003d \u0027rule:project_reader_api\u0027"},{"line_number":42,"context_line":"PROJECT_ADMIN_OR_OWNER \u003d \u0027rule:project_admin_or_owner\u0027"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"# NOTE(yumeng): Keystone already support implied roles means assignment"}],"source_content_type":"text/x-python","patch_set":18,"id":"9f560f44_9e5df07a","line":41,"range":{"start_line":40,"start_character":0,"end_line":41,"end_character":42},"in_reply_to":"9f560f44_a6747cd0","updated":"2020-08-10 07:11:53.000000000","message":"ok, I will recheck and add if needed.","commit_id":"60f978ce4256b4b06c87614fb9ff06adb41ae7b1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3514f6f122d84e63952d8816e2585550192e5b31","unresolved":false,"context_lines":[{"line_number":76,"context_line":"        name\u003d\"project_reader_api\","},{"line_number":77,"context_line":"        check_str\u003d\"role:reader and project_id:%(project_id)s\","},{"line_number":78,"context_line":"        description\u003d\"Default rule for Project level read only APIs.\"),"},{"line_number":79,"context_line":"    
policy.RuleDefault("},{"line_number":80,"context_line":"        name\u003d\"project_admin_or_owner\","},{"line_number":81,"context_line":"        check_str\u003d\"rule:project_admin_api or rule:owner_api\","},{"line_number":82,"context_line":"        description\u003d\"Default rule for Project admin+owner APIs.\"),"},{"line_number":83,"context_line":"    policy.RuleDefault("},{"line_number":84,"context_line":"        name\u003d\"owner_api\","},{"line_number":85,"context_line":"        check_str\u003d\"rule:project_id:%(project_id)s\","},{"line_number":86,"context_line":"        description\u003d\"Default rule for owner API.\"),"},{"line_number":87,"context_line":"]"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"DEPRECATED_REASON \u003d \"\"\""}],"source_content_type":"text/x-python","patch_set":18,"id":"9f560f44_0690c8ec","line":86,"range":{"start_line":79,"start_character":0,"end_line":86,"end_character":51},"updated":"2020-08-04 16:37:15.000000000","message":"new project_* rules are now owner implicitly as their check_str are with \u0027..and project_id..\u0027 so they do check the project_id of request token so ownership is checked. 
Any other project admin try to access then \u0027project_id\u0027 mismatch will fail those.","commit_id":"60f978ce4256b4b06c87614fb9ff06adb41ae7b1"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"efbf5e118bf7b11ff9fca7b154d31096381f9f74","unresolved":false,"context_lines":[{"line_number":76,"context_line":"        name\u003d\"project_reader_api\","},{"line_number":77,"context_line":"        check_str\u003d\"role:reader and project_id:%(project_id)s\","},{"line_number":78,"context_line":"        description\u003d\"Default rule for Project level read only APIs.\"),"},{"line_number":79,"context_line":"    policy.RuleDefault("},{"line_number":80,"context_line":"        name\u003d\"project_admin_or_owner\","},{"line_number":81,"context_line":"        check_str\u003d\"rule:project_admin_api or rule:owner_api\","},{"line_number":82,"context_line":"        description\u003d\"Default rule for Project admin+owner APIs.\"),"},{"line_number":83,"context_line":"    policy.RuleDefault("},{"line_number":84,"context_line":"        name\u003d\"owner_api\","},{"line_number":85,"context_line":"        check_str\u003d\"rule:project_id:%(project_id)s\","},{"line_number":86,"context_line":"        description\u003d\"Default rule for owner API.\"),"},{"line_number":87,"context_line":"]"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"DEPRECATED_REASON \u003d \"\"\""}],"source_content_type":"text/x-python","patch_set":18,"id":"9f560f44_7ef29c71","line":86,"range":{"start_line":79,"start_character":0,"end_line":86,"end_character":51},"in_reply_to":"9f560f44_0690c8ec","updated":"2020-08-10 07:11:53.000000000","message":"sounds like a\"system_admin_or_owner\": \"rule:system_admin_api or rule:project_member_api\" might be better, right?\nEmma, let me rethink the base policies again.","commit_id":"60f978ce4256b4b06c87614fb9ff06adb41ae7b1"},{"author":{"_account_id":26458,"name":"Brin 
Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"c81441460ab0c8f4d72774c68785b257e349817d","unresolved":false,"context_lines":[{"line_number":55,"context_line":"# legacy rules list: \u0027public_api\u0027,\u0027allow\u0027,\u0027deny\u0027,\u0027admin_api\u0027,\u0027is_admin\u0027,"},{"line_number":56,"context_line":"# \u0027admin_or_owner\u0027,\u0027admin_or_user\u0027."},{"line_number":57,"context_line":"# new rules list: system_admin_api,system_reader_api,project_admin_api,"},{"line_number":58,"context_line":"# project_member_api, project_reader_api, project_admin_or_owner."},{"line_number":59,"context_line":"default_policies \u003d ["},{"line_number":60,"context_line":"    policy.RuleDefault("},{"line_number":61,"context_line":"        name\u003d\"system_admin_api\","}],"source_content_type":"text/x-python","patch_set":22,"id":"9f560f44_a0c73745","line":58,"range":{"start_line":58,"start_character":42,"end_line":58,"end_character":64},"updated":"2020-09-09 10:04:01.000000000","message":"It seems we don\u0027t have this role; according to your list below it should be: system_admin_or_owner, system_or_project_reader.","commit_id":"1cb665716c806f4762bda3dc8c3030c49ac22d00"},{"author":{"_account_id":31412,"name":"Wenping Song","email":"songwenping@inspur.com","username":"songwenping"},"change_message_id":"854311a70b190a52916ce4b5cb6f5a4c85288abd","unresolved":false,"context_lines":[{"line_number":23,"context_line":"# TODO(yumeng) Special string ``system_scope:all``"},{"line_number":24,"context_line":"# We are explicitly setting system_scope:all in these check strings because"},{"line_number":25,"context_line":"# they provide backwards compatibility in the event a deployment sets"},{"line_number":26,"context_line":"# ``cyborg.conf [oslo_policy] enforce_scope \u003d False``, which the default."},{"line_number":27,"context_line":"# Otherwise, this might open up APIs to be more permissive unintentionally if 
a"},{"line_number":28,"context_line":"# deployment isn\u0027t enforcing scope. For example, the new rule for action"},{"line_number":29,"context_line":"# \u0027cyborg:device_profile:create\u0027 will be System Scoped Admin with"}],"source_content_type":"text/x-python","patch_set":24,"id":"9f560f44_4741f109","line":26,"range":{"start_line":26,"start_character":61,"end_line":26,"end_character":64},"updated":"2020-09-11 08:41:17.000000000","message":"is","commit_id":"9046d8cd3d5dd4743ac2d3e62151577178e51f1c"},{"author":{"_account_id":31412,"name":"Wenping Song","email":"songwenping@inspur.com","username":"songwenping"},"change_message_id":"854311a70b190a52916ce4b5cb6f5a4c85288abd","unresolved":false,"context_lines":[{"line_number":31,"context_line":"# users with the ``admin`` role on a project to access the"},{"line_number":32,"context_line":"# \u0027cyborg:device_profile:create\u0027 until enforce_scope\u003dTrue is set by default."},{"line_number":33,"context_line":"# Once cyborg defaults ``cyborg.conf [oslo_policy] enforce_scope \u003d True``,"},{"line_number":34,"context_line":"# the the ``system_scope:all`` bits of these check strings"},{"line_number":35,"context_line":"# can be removed since that will be handled automatically by scope_types in"},{"line_number":36,"context_line":"# oslo.policy\u0027s RuleDefault objects."},{"line_number":37,"context_line":"SYSTEM_ADMIN \u003d \u0027rule:system_admin_api\u0027"}],"source_content_type":"text/x-python","patch_set":24,"id":"9f560f44_87aae9ce","line":34,"range":{"start_line":34,"start_character":1,"end_line":34,"end_character":9},"updated":"2020-09-11 08:41:17.000000000","message":"duplicate","commit_id":"9046d8cd3d5dd4743ac2d3e62151577178e51f1c"},{"author":{"_account_id":31412,"name":"Wenping Song","email":"songwenping@inspur.com","username":"songwenping"},"change_message_id":"854311a70b190a52916ce4b5cb6f5a4c85288abd","unresolved":false,"context_lines":[{"line_number":31,"context_line":"# users with the ``admin`` 
role on a project to access the"},{"line_number":32,"context_line":"# \u0027cyborg:device_profile:create\u0027 until enforce_scope\u003dTrue is set by default."},{"line_number":33,"context_line":"# Once cyborg defaults ``cyborg.conf [oslo_policy] enforce_scope \u003d True``,"},{"line_number":34,"context_line":"# the the ``system_scope:all`` bits of these check strings"},{"line_number":35,"context_line":"# can be removed since that will be handled automatically by scope_types in"},{"line_number":36,"context_line":"# oslo.policy\u0027s RuleDefault objects."},{"line_number":37,"context_line":"SYSTEM_ADMIN \u003d \u0027rule:system_admin_api\u0027"}],"source_content_type":"text/x-python","patch_set":24,"id":"9f560f44_a7d0cd20","line":34,"range":{"start_line":34,"start_character":31,"end_line":34,"end_character":57},"updated":"2020-09-11 08:41:17.000000000","message":"What does `bits of ...` mean?","commit_id":"9046d8cd3d5dd4743ac2d3e62151577178e51f1c"}],"cyborg/policies/device_profile.py":[{"author":{"_account_id":31412,"name":"Wenping Song","email":"songwenping@inspur.com","username":"songwenping"},"change_message_id":"2804534571f61f519ffb8eb0ea087133bea71bc2","unresolved":false,"context_lines":[{"line_number":81,"context_line":"        operations\u003d["},{"line_number":82,"context_line":"            {"},{"line_number":83,"context_line":"                \u0027path\u0027: \u0027/v2/device_profiles\u0027,"},{"line_number":84,"context_line":"                \u0027method\u0027: \u0027GET\u0027"},{"line_number":85,"context_line":"            }],"},{"line_number":86,"context_line":"        deprecated_rule\u003ddeprecated_create,"},{"line_number":87,"context_line":"        deprecated_reason\u003d(\u0027project_admin_or_owner is too permissive,\u0027"}],"source_content_type":"text/x-python","patch_set":14,"id":"9f560f44_44b86175","line":84,"range":{"start_line":84,"start_character":27,"end_line":84,"end_character":30},"updated":"2020-07-29 
06:15:05.000000000","message":"POST","commit_id":"592ffb6146e672442fef2098000d407c9a896c0e"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"bee1db683025578e308727915ee3b4f463d46705","unresolved":false,"context_lines":[{"line_number":81,"context_line":"        operations\u003d["},{"line_number":82,"context_line":"            {"},{"line_number":83,"context_line":"                \u0027path\u0027: \u0027/v2/device_profiles\u0027,"},{"line_number":84,"context_line":"                \u0027method\u0027: \u0027GET\u0027"},{"line_number":85,"context_line":"            }],"},{"line_number":86,"context_line":"        deprecated_rule\u003ddeprecated_create,"},{"line_number":87,"context_line":"        deprecated_reason\u003d(\u0027project_admin_or_owner is too permissive,\u0027"}],"source_content_type":"text/x-python","patch_set":14,"id":"9f560f44_a2568d28","line":84,"range":{"start_line":84,"start_character":27,"end_line":84,"end_character":30},"in_reply_to":"9f560f44_44b86175","updated":"2020-07-29 08:49:44.000000000","message":"Done","commit_id":"592ffb6146e672442fef2098000d407c9a896c0e"}]}
