)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":19138,"name":"Pranali Deore","email":"pdeore@redhat.com","username":"PranaliD"},"change_message_id":"f2ad2294e6fb54a3fffffc3d2a8d3fc12c2eebf7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"1906e699_ce50b077","updated":"2022-08-17 05:36:17.000000000","message":"Abandoning this spec foe now since the system scope has been postpone and atm it\u0027s removed from current goal and would be a separate goal in future if operators have any use case.","commit_id":"dbdd4e318639ddef91d9673c800c9847550438ae"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ee0cc73a2f1baa940b562003e4d37c68171e32de","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"3ae2f7be_836fba17","updated":"2022-06-06 15:33:57.000000000","message":"I would propose we hold off on this for the moment as recent discussions on the RBAC popup team tend to be favoring punting the system scope until later so that we can make progress on rolling out the personas as default. The system scope stuff has major implications for tools like heat and tacker, and support for pushing this split is waning. Summit is this week, and at the ops meetup on Friday, we\u0027ll be trying to gather some more data on operators\u0027 opinions on this, and I\u0027m expecting we\u0027ll be pushing system scope out a bit as a result.","commit_id":"dbdd4e318639ddef91d9673c800c9847550438ae"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ea0413c69f81ab6bee80d2df4f75f611a661bcaf","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"72a23574_8096768f","in_reply_to":"3ae2f7be_836fba17","updated":"2022-06-07 22:11:03.000000000","message":"+1, agree. we are waiting for some operator feedback from opes meetup berlin or on ML and accordingly will decide on scope things.","commit_id":"dbdd4e318639ddef91d9673c800c9847550438ae"}],"specs/zed/approved/s-rbac-system-scope-support.rst":[{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"bd080b42160cb13082a39eff63106a65e5926081","unresolved":true,"context_lines":[{"line_number":44,"context_line":"Only all the create/update metadef apis will need the ``owner`` validation"},{"line_number":45,"context_line":"since they require owner in the request."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"NOTE: The image create/update apis are not require to be expose to system"},{"line_number":48,"context_line":"      admin hence we are keeping those project scoped only."},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"Alternatives"},{"line_number":51,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3427275d_56d421f0","line":48,"range":{"start_line":47,"start_character":0,"end_line":48,"end_character":59},"updated":"2022-06-02 05:05:11.000000000","message":"Even if you keep image create/update APIs project specific you can not restrict user to call these APIs with system token and if it is called it will fail with 500 error at this moment. So we need to handle all non-system admin apis to reject the request with 400 error if they are called with system token.","commit_id":"a43a0b96bd7471cbb80a68291981fdc1dfc82bee"},{"author":{"_account_id":19138,"name":"Pranali Deore","email":"pdeore@redhat.com","username":"PranaliD"},"change_message_id":"c2726599b7d6366ead6268f1ea97ae1710b26ac3","unresolved":false,"context_lines":[{"line_number":44,"context_line":"Only all the create/update metadef apis will need the ``owner`` validation"},{"line_number":45,"context_line":"since they require owner in the request."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"NOTE: The image create/update apis are not require to be expose to system"},{"line_number":48,"context_line":"      admin hence we are keeping those project scoped only."},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"Alternatives"},{"line_number":51,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"47ff105b_6d0dda58","line":48,"range":{"start_line":47,"start_character":0,"end_line":48,"end_character":59},"in_reply_to":"3427275d_56d421f0","updated":"2022-06-02 05:31:03.000000000","message":"Ack","commit_id":"a43a0b96bd7471cbb80a68291981fdc1dfc82bee"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"bd080b42160cb13082a39eff63106a65e5926081","unresolved":true,"context_lines":[{"line_number":59,"context_line":""},{"line_number":60,"context_line":"REST API impact"},{"line_number":61,"context_line":"---------------"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Security impact"},{"line_number":64,"context_line":"---------------"},{"line_number":65,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"757cbbcd_c223a16e","line":62,"updated":"2022-06-02 05:05:11.000000000","message":"None","commit_id":"a43a0b96bd7471cbb80a68291981fdc1dfc82bee"},{"author":{"_account_id":19138,"name":"Pranali Deore","email":"pdeore@redhat.com","username":"PranaliD"},"change_message_id":"c2726599b7d6366ead6268f1ea97ae1710b26ac3","unresolved":false,"context_lines":[{"line_number":59,"context_line":""},{"line_number":60,"context_line":"REST API impact"},{"line_number":61,"context_line":"---------------"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Security impact"},{"line_number":64,"context_line":"---------------"},{"line_number":65,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"6381f2f0_a14522ec","line":62,"in_reply_to":"757cbbcd_c223a16e","updated":"2022-06-02 05:31:03.000000000","message":"Done","commit_id":"a43a0b96bd7471cbb80a68291981fdc1dfc82bee"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"bd080b42160cb13082a39eff63106a65e5926081","unresolved":true,"context_lines":[{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Security impact"},{"line_number":64,"context_line":"---------------"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"Notifications impact"},{"line_number":67,"context_line":"--------------------"},{"line_number":68,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"9a8d6c49_2fef3677","line":65,"updated":"2022-06-02 05:05:11.000000000","message":"None","commit_id":"a43a0b96bd7471cbb80a68291981fdc1dfc82bee"},{"author":{"_account_id":19138,"name":"Pranali Deore","email":"pdeore@redhat.com","username":"PranaliD"},"change_message_id":"c2726599b7d6366ead6268f1ea97ae1710b26ac3","unresolved":false,"context_lines":[{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Security impact"},{"line_number":64,"context_line":"---------------"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"Notifications impact"},{"line_number":67,"context_line":"--------------------"},{"line_number":68,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"e61deee5_593134e2","line":65,"in_reply_to":"9a8d6c49_2fef3677","updated":"2022-06-02 05:31:03.000000000","message":"Done","commit_id":"a43a0b96bd7471cbb80a68291981fdc1dfc82bee"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"bd080b42160cb13082a39eff63106a65e5926081","unresolved":true,"context_lines":[{"line_number":69,"context_line":"None"},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"Other end user impact"},{"line_number":72,"context_line":"---------------------"},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"Performance Impact"},{"line_number":75,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"2851b7b9_deac5c7f","line":72,"updated":"2022-06-02 05:05:11.000000000","message":"None","commit_id":"a43a0b96bd7471cbb80a68291981fdc1dfc82bee"},{"author":{"_account_id":19138,"name":"Pranali Deore","email":"pdeore@redhat.com","username":"PranaliD"},"change_message_id":"c2726599b7d6366ead6268f1ea97ae1710b26ac3","unresolved":false,"context_lines":[{"line_number":69,"context_line":"None"},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"Other end user impact"},{"line_number":72,"context_line":"---------------------"},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"Performance Impact"},{"line_number":75,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"45739090_e9f9ebea","line":72,"in_reply_to":"2851b7b9_deac5c7f","updated":"2022-06-02 05:31:03.000000000","message":"Done","commit_id":"a43a0b96bd7471cbb80a68291981fdc1dfc82bee"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"ce98e8181aa3bf70120cbe2e389f618f2959d3b2","unresolved":true,"context_lines":[{"line_number":16,"context_line":"In Wallaby and Xena we have mangaed to move all policy checks to API layer"},{"line_number":17,"context_line":"and implemented project scope of all glance APIs."},{"line_number":18,"context_line":"As per the RBAC new direction, we need to allow project resources operation to"},{"line_number":19,"context_line":"be performed by the project scoped token only and system user will be allowed"},{"line_number":20,"context_line":"to perform system level operation only not project resources specific."},{"line_number":21,"context_line":"In Zed cycle we need to implement the system-admin scope and the policies"},{"line_number":22,"context_line":"which are currently scoped to both needs to be seperate out to single as"},{"line_number":23,"context_line":"they are supposed to be exposed to."}],"source_content_type":"text/x-rst","patch_set":2,"id":"26e1074f_c8b07675","line":20,"range":{"start_line":19,"start_character":50,"end_line":20,"end_character":70},"updated":"2022-06-06 04:56:52.000000000","message":"Is this real, I think system admin can be able to perform project specific operations as well. Could you please add reference to this from keystone or any other document?","commit_id":"dbdd4e318639ddef91d9673c800c9847550438ae"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ee0cc73a2f1baa940b562003e4d37c68171e32de","unresolved":true,"context_lines":[{"line_number":16,"context_line":"In Wallaby and Xena we have mangaed to move all policy checks to API layer"},{"line_number":17,"context_line":"and implemented project scope of all glance APIs."},{"line_number":18,"context_line":"As per the RBAC new direction, we need to allow project resources operation to"},{"line_number":19,"context_line":"be performed by the project scoped token only and system user will be allowed"},{"line_number":20,"context_line":"to perform system level operation only not project resources specific."},{"line_number":21,"context_line":"In Zed cycle we need to implement the system-admin scope and the policies"},{"line_number":22,"context_line":"which are currently scoped to both needs to be seperate out to single as"},{"line_number":23,"context_line":"they are supposed to be exposed to."}],"source_content_type":"text/x-rst","patch_set":2,"id":"f3b58bb6_bdadc0c9","line":20,"range":{"start_line":19,"start_character":50,"end_line":20,"end_character":70},"in_reply_to":"26e1074f_c8b07675","updated":"2022-06-06 15:33:57.000000000","message":"This is correct, as per the PTG before last, and is captured in this section of the revised community goal:\n\nhttps://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change","commit_id":"dbdd4e318639ddef91d9673c800c9847550438ae"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"ce98e8181aa3bf70120cbe2e389f618f2959d3b2","unresolved":true,"context_lines":[{"line_number":24,"context_line":""},{"line_number":25,"context_line":"Currently glance admin works exactly as system admin, so we need to"},{"line_number":26,"context_line":"explicitly add system-scope to the policy rule but if we mention that"},{"line_number":27,"context_line":"explicitly and operator calls POST and PUT apis without owner, glance"},{"line_number":28,"context_line":"will fail as these apis require the project id(aka owner) during"},{"line_number":29,"context_line":"resource details update in the DB."},{"line_number":30,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"32ce2eb8_c3f22798","line":27,"range":{"start_line":27,"start_character":39,"end_line":27,"end_character":61},"updated":"2022-06-06 04:56:52.000000000","message":"I am not sure for PUT we need owner explicitly as it is there in the DB which can be read internally.","commit_id":"dbdd4e318639ddef91d9673c800c9847550438ae"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"ce98e8181aa3bf70120cbe2e389f618f2959d3b2","unresolved":true,"context_lines":[{"line_number":41,"context_line":"2. Publicize Image APIs"},{"line_number":42,"context_line":"3. Cache APIs"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"Only all the create/update metadef apis will need the ``owner`` validation"},{"line_number":45,"context_line":"since they require owner in the request."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"The APIs which are not supported with system token will be rejected with HTTP"},{"line_number":48,"context_line":"400 response."}],"source_content_type":"text/x-rst","patch_set":2,"id":"fc6039b9_479a25ef","line":45,"range":{"start_line":44,"start_character":0,"end_line":45,"end_character":40},"updated":"2022-06-06 04:56:52.000000000","message":"I doubt that all metadef APIs requires owner, i think only namespace requires owner and that is while creating only not while updating, kindly confirm.","commit_id":"dbdd4e318639ddef91d9673c800c9847550438ae"}]}