)]}'
{"id":"openstack%2Fcyborg~987687","triplet_id":"openstack%2Fcyborg~stable%2F2026.1~I56f04adcfe270f02dfd6511a1aea1074e3d2dedb","project":"openstack/cyborg","branch":"stable/2026.1","topic":"bug/2144056","attention_set":{},"removed_from_attention_set":{"11604":{"account":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"last_update":"2026-05-07 18:48:01.000000000","reason":"\u003cGERRIT_ACCOUNT_11604\u003e replied on the change","reason_account":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"}}},"hashtags":[],"change_id":"I56f04adcfe270f02dfd6511a1aea1074e3d2dedb","subject":"Fix rule:allow policy bypass on device/deployable/attribute APIs","status":"MERGED","created":"2026-05-07 15:05:30.000000000","updated":"2026-05-07 19:30:22.000000000","submitted":"2026-05-07 19:28:32.000000000","submitter":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"total_comment_count":2,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"987687-bug/2144056","meta_rev_id":"20c4c43fb59419f52941a92dcd4b077a3e189970","_number":987687,"virtual_id_number":987687,"owner":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"actions":{},"labels":{"Verified":{"approved":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"tag":"autogenerated:zuul:gate","value":2,"date":"2026-05-07 19:28:31.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":34452,"name":"Joan Gilabert","display_name":"jgilaber","email":"jgilaber@redhat.com","username":"jgilaber"},{"value":0,"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","default_value":0,"optional":true},"Code-Review":{"approved":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"recommended":{"_account_id":34452,"name":"Joan Gilabert","display_name":"jgilaber","email":"jgilaber@redhat.com","username":"jgilaber"},"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":1,"date":"2026-05-07 15:39:02.000000000","permitted_voting_range":{"min":1,"max":1},"_account_id":34452,"name":"Joan Gilabert","display_name":"jgilaber","email":"jgilaber@redhat.com","username":"jgilaber"},{"value":2,"date":"2026-05-07 18:48:01.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","value":1,"default_value":0,"optional":true},"Workflow":{"approved":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":34452,"name":"Joan Gilabert","display_name":"jgilaber","email":"jgilaber@redhat.com","username":"jgilaber"},{"value":1,"date":"2026-05-07 18:48:01.000000000","permitted_voting_range":{"min":1,"max":1},"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":34452,"name":"Joan Gilabert","display_name":"jgilaber","email":"jgilaber@redhat.com","username":"jgilaber"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2026-05-07 15:39:02.000000000","updated_by":{"_account_id":34452,"name":"Joan Gilabert","display_name":"jgilaber","email":"jgilaber@redhat.com","username":"jgilaber"},"reviewer":{"_account_id":34452,"name":"Joan Gilabert","display_name":"jgilaber","email":"jgilaber@redhat.com","username":"jgilaber"},"state":"REVIEWER"},{"updated":"2026-05-07 16:25:47.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"}],"messages":[{"id":"eb0ee87b53aa613ecf8ec9c71658a297fc6c063f","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"date":"2026-05-07 15:05:30.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"5757382329cb1c9eb9bb4c4d47674d963288768d","author":{"_account_id":34452,"name":"Joan Gilabert","display_name":"jgilaber","email":"jgilaber@redhat.com","username":"jgilaber"},"date":"2026-05-07 15:39:02.000000000","message":"Patch Set 1: Code-Review+1\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"58a833cf9905e3195d408cdf4edc6152dd82f110","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-07 16:25:47.000000000","message":"Patch Set 1: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/a168d18aec1b4950a077f7390f8a0810\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/b674f5c15e5b4c958ef14d49136844f9 : SUCCESS in 5m 10s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/60b59e23ff49486298c8010234100b68 : SUCCESS in 3m 09s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/2746d9697a3943b7bfbc1760ccb04f7f : SUCCESS in 8m 11s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/58e09de7c5a64238971e7ca6b1aa77d0 : SUCCESS in 5m 56s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/92ff0471fdef43b0a1b05e58bf7a86ac : SUCCESS in 5m 03s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/adac7a4aa71d494cbdc725123990ebd2 : SUCCESS in 4m 12s\n- cyborg-tempest https://zuul.opendev.org/t/openstack/build/88de63a998b94beab741d64f9980505d : SUCCESS in 33m 25s\n- cyborg-tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/b95e1b1a6ba441b4973e1712d13b898d : SUCCESS in 22m 20s\n- cyborg-grenade https://zuul.opendev.org/t/openstack/build/36a0e52bf64d4e46a46a2ca162dace2d : SUCCESS in 58m 14s\n- cyborg-grenade-skip-level-always https://zuul.opendev.org/t/openstack/build/430af51bedaf4c1da9885ce4d803e9c8 : SUCCESS in 1h 03m 36s","accounts_in_message":[],"_revision_number":1},{"id":"25fe4b78929dbcf860b1ea7a0ffcb96f83002e00","author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"date":"2026-05-07 18:48:01.000000000","message":"Patch Set 1: Code-Review+2 Workflow+1\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"e06d3e35c1b3f9f73791f197be242284d279c85e","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-07 18:48:51.000000000","message":"Patch Set 1: -Verified\n\nStarting gate jobs.","accounts_in_message":[],"_revision_number":1},{"id":"cda58535e45b18d3324f15c08b262b3bf7a90cb2","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-07 19:28:31.000000000","message":"Patch Set 1: Verified+2\n\nBuild succeeded (gate pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/59689a4808bc45cca7e30a0e819ae4f7\n\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/50d6e1409eb4469e84c2499a15e2cb51 : SUCCESS in 3m 10s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/50c44728cb0842bc9326d929049f422c : SUCCESS in 3m 59s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/c11f942fd21349ef8dcaf6f9868cb274 : SUCCESS in 3m 22s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/7de479e4d175443eab01190c7bafc1b5 : SUCCESS in 2m 15s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/b1300e571d08456ca53b9605e91959af : SUCCESS in 3m 43s\n- cyborg-tempest https://zuul.opendev.org/t/openstack/build/8aa74d77350e465d9125dd4047710d0b : SUCCESS in 12m 48s\n- cyborg-grenade https://zuul.opendev.org/t/openstack/build/f1eec7a5cb2249c38a55a07133b531a6 : SUCCESS in 24m 40s\n- cyborg-grenade-skip-level-always https://zuul.opendev.org/t/openstack/build/b0b006dc018145029888b353350c8a71 : SUCCESS in 39m 11s","accounts_in_message":[],"_revision_number":1},{"id":"f8d258418df0667817f8d730047faaf2954a6765","tag":"autogenerated:gerrit:merged","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-07 19:28:32.000000000","message":"Change has been successfully merged","accounts_in_message":[],"_revision_number":1},{"id":"20c4c43fb59419f52941a92dcd4b077a3e189970","tag":"autogenerated:zuul:promote","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-07 19:30:22.000000000","message":"Patch Set 1:\n\nBuild succeeded (promote pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/2026934d0cd24cbc9182938bbb68a0f7\n\n- promote-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/3de32056b9f54f229c9d0cef57ebea43 : SUCCESS in 43s\n- promote-openstack-tox-docs https://zuul.opendev.org/t/openstack/build/c1a99ec190ed44c6a851f14833206034 : SUCCESS in 45s","accounts_in_message":[],"_revision_number":1}],"current_revision_number":1,"current_revision":"8aad73b158c2c8210f38747686b03e1f1c5fbeb9","revisions":{"8aad73b158c2c8210f38747686b03e1f1c5fbeb9":{"kind":"REWORK","_number":1,"created":"2026-05-07 15:05:30.000000000","uploader":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"ref":"refs/changes/87/987687/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/cyborg","ref":"refs/changes/87/987687/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/cyborg refs/changes/87/987687/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/cyborg refs/changes/87/987687/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/cyborg refs/changes/87/987687/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/cyborg refs/changes/87/987687/1"}}},"commit":{"parents":[{"commit":"8b6c371d3bd6b59fae1e7968097d0ce042b10694","subject":"Merge \"Add Grenade upgrade support for Cyborg\" into stable/2026.1","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/cyborg/commit/8b6c371d3bd6b59fae1e7968097d0ce042b10694"}]}],"author":{"name":"Sean Mooney","email":"work@seanmooney.info","date":"2026-03-04 18:52:56.000000000","tz":0},"committer":{"name":"Sean Mooney","email":"work@seanmooney.info","date":"2026-04-26 18:20:21.000000000","tz":0},"subject":"Fix rule:allow policy bypass on device/deployable/attribute APIs","message":"Fix rule:allow policy bypass on device/deployable/attribute APIs\n\nTen API endpoints in cyborg/common/policy.py used check_str\u003d\u0027rule:allow\u0027\n(@), which unconditionally authorises any authenticated Keystone user\nregardless of role, project membership, or scope. This allowed any\ntenant to enumerate the full accelerator hardware topology and trigger\nprivileged operations including FPGA reprogramming and hardware metadata\nmutation.\n\nReplace the unconditional rule:allow with role-checked rules available\non all maintained stable branches:\n\n  cyborg:arq:create          rule:allow -\u003e rule:project_member_or_admin\n  cyborg:device:get_one      rule:allow -\u003e rule:admin_api\n  cyborg:device:get_all      rule:allow -\u003e rule:admin_api\n  cyborg:deployable:get_one  rule:allow -\u003e rule:admin_api\n  cyborg:deployable:get_all  rule:allow -\u003e rule:admin_api\n  cyborg:deployable:program  rule:allow -\u003e rule:admin_api\n  cyborg:attribute:get_one   rule:allow -\u003e rule:admin_api\n  cyborg:attribute:get_all   rule:allow -\u003e rule:admin_api\n  cyborg:attribute:create    rule:allow -\u003e rule:admin_api\n  cyborg:attribute:delete    rule:allow -\u003e rule:admin_api\n\narq:create receives project_member_or_admin rather than admin_api\nbecause Nova forwards the end-user token when creating ARQs; admin_api\nwould break all non-admin instance launches.\n\nAlso remove the dead fpga_policies group (cyborg:fpga:{get_one,\nget_all,update}) whose rules were registered but never evaluated at\nruntime as no /v2/fpgas endpoint exists.\n\nAdd unit tests in cyborg/tests/unit/policies/ covering authorised and\nunauthorised contexts for each affected endpoint group, following the\npattern established by test_device_profiles.py.\n\nCVE-2026-40213\n\nCloses-Bug: #2143263\nAssisted-By: claude-code sonnet 4.6\nChange-Id: I56f04adcfe270f02dfd6511a1aea1074e3d2dedb\nSigned-off-by: Sean Mooney \u003cwork@seanmooney.info\u003e\n(cherry picked from commit 9c313b007fd09301b487ba500089636a09a02609)\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/cyborg/commit/8aad73b158c2c8210f38747686b03e1f1c5fbeb9"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/cyborg/commit/8aad73b158c2c8210f38747686b03e1f1c5fbeb9"}]},"branch":"refs/heads/stable/2026.1"}},"requirements":[],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"CLOSED","labels":[{"label":"Verified","status":"MAY","applied_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}},{"label":"Code-Review","status":"MAY","applied_by":{"_account_id":34452,"name":"Joan Gilabert","display_name":"jgilaber","email":"jgilaber@redhat.com","username":"jgilaber"}},{"label":"Workflow","status":"MAY","applied_by":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"}}]}],"submit_requirements":[{"name":"Verified","description":"Verified in gate by CI","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Verified\u003dMAX AND -label:Verified\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Verified\u003dMAX"],"failing_atoms":["label:Verified\u003dMIN"],"atom_explanations":{"label:Verified\u003dMAX":"","label:Verified\u003dMIN":""}}},{"name":"Code-Review","description":"Code reviewed by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX AND -label:Code-Review\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Code-Review\u003dMAX"],"failing_atoms":["label:Code-Review\u003dMIN"],"atom_explanations":{"label:Code-Review\u003dMAX":"","label:Code-Review\u003dMIN":""}}},{"name":"Workflow","description":"Approved for gate by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Workflow\u003dMAX AND -label:Workflow\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Workflow\u003dMAX"],"failing_atoms":["label:Workflow\u003dMIN"],"atom_explanations":{"label:Workflow\u003dMAX":"","label:Workflow\u003dMIN":""}}}]}