)]}'
{".zuul.yaml":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cad0e7370c4e93c09e2a7227abf7b07344babcd6","unresolved":false,"context_lines":[{"line_number":10,"context_line":"      devstack_local_conf:"},{"line_number":11,"context_line":"        post-config: {}"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"- project:"},{"line_number":14,"context_line":"    templates:"},{"line_number":15,"context_line":"      - check-requirements"},{"line_number":16,"context_line":"      - tempest-plugin-jobs"},{"line_number":17,"context_line":"    check:"},{"line_number":18,"context_line":"      jobs:"},{"line_number":19,"context_line":"        - glance-protection-functional"},{"line_number":20,"context_line":"    gate:"},{"line_number":21,"context_line":"      jobs:"},{"line_number":22,"context_line":"        - glance-protection-functional"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"70843e54_ec0154c8","line":22,"range":{"start_line":13,"start_character":2,"end_line":22,"end_character":0},"in_reply_to":"3962c671_d53f8e67","updated":"2021-02-02 16:50:46.000000000","message":"\u003e Job glance-protection-functional not defined\n\nPlease fix.","commit_id":"cfe57a9ca465c596be44efc454868d67b2dc08b6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2c47a170cca35956861cf078b4a73e8ec3f1b557","unresolved":true,"context_lines":[{"line_number":19,"context_line":"        post-config:"},{"line_number":20,"context_line":"          $GLANCE_API_CONF:"},{"line_number":21,"context_line":"            DEFAULT:"},{"line_number":22,"context_line":"              enforce_secure_rbac: True"},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"- job:"},{"line_number":25,"context_line":"    name: glance-legacy-rbac-protection-functional"}],"source_content_type":"text/x-yaml","patch_set":24,"id":"0081d183_e78b83cc","line":22,"range":{"start_line":22,"start_character":14,"end_line":22,"end_character":33},"updated":"2021-03-02 22:08:20.000000000","message":"I think we can remove this since it\u0027s handled in devstack/plugin.sh\n\nhttps://github.com/openstack/glance/blob/master/devstack/plugin.sh","commit_id":"a7dd52a9502ef1544791067f0db5a8f656400563"}],"glance_tempest_plugin/tests/rbac/v2/test_images.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2ed5910a681b8cef3989f859cf38aedc6ff050ef","unresolved":true,"context_lines":[{"line_number":79,"context_line":""},{"line_number":80,"context_line":"        image \u003d self.do_request(\u0027create_image\u0027, expected_status\u003d201,"},{"line_number":81,"context_line":"                                **self.image(visibility\u003d\u0027public\u0027))"},{"line_number":82,"context_line":"        self.addCleanup(self.admin_images_client.delete_image, image[\u0027id\u0027])"},{"line_number":83,"context_line":""},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"class SystemMemberTests(ImageV2RbacImageTest, base.BaseV2ImageTest):"}],"source_content_type":"text/x-python","patch_set":4,"id":"67a6c943_f9c63574","line":82,"updated":"2021-02-02 16:58:37.000000000","message":"Glance must have some opinions about users with \u0027admin\u0027 creating images and what to use for the owner. These tests are run with system-scoped tokens, which don\u0027t have a project, and they don\u0027t fail like the SystemMember and SystemReader tests below.","commit_id":"fa12dec6756c101691131171a6734f84e35f6839"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"bbf9915bc81a34cfa4dcde361c3fd128f4c11ed4","unresolved":true,"context_lines":[{"line_number":138,"context_line":"        pass"},{"line_number":139,"context_line":""},{"line_number":140,"context_line":""},{"line_number":141,"context_line":"class SystemAdminTests(ImageV2RbacImageTest, base.BaseV2ImageTest):"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"    credentials \u003d [\u0027system_admin\u0027, \u0027project_member\u0027, \u0027project_admin\u0027]"},{"line_number":144,"context_line":""}],"source_content_type":"text/x-python","patch_set":25,"id":"6ebaa320_49f95938","line":141,"updated":"2021-03-03 00:23:07.000000000","message":"Talked with Lance about this, and he\u0027s going to split these must-always-be-skipped patches to a WIP patch above this. These won\u0027t be enable-able for quite a while, so no reason to add to the review load and/or commit tests that we can\u0027t actually run just yet, IMHO.","commit_id":"a63beba3856ff6e68284bf0e78ad0509a0b7d675"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3b041e063519d2ba441a3f1b1c3e59194e01126e","unresolved":false,"context_lines":[{"line_number":138,"context_line":"        pass"},{"line_number":139,"context_line":""},{"line_number":140,"context_line":""},{"line_number":141,"context_line":"class SystemAdminTests(ImageV2RbacImageTest, base.BaseV2ImageTest):"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"    credentials \u003d [\u0027system_admin\u0027, \u0027project_member\u0027, \u0027project_admin\u0027]"},{"line_number":144,"context_line":""}],"source_content_type":"text/x-python","patch_set":25,"id":"eb1a70ff_8e536391","line":141,"in_reply_to":"6ebaa320_49f95938","updated":"2021-03-03 00:34:06.000000000","message":"Done in https://review.opendev.org/c/openstack/glance-tempest-plugin/+/778343/","commit_id":"a63beba3856ff6e68284bf0e78ad0509a0b7d675"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"bbf9915bc81a34cfa4dcde361c3fd128f4c11ed4","unresolved":true,"context_lines":[{"line_number":573,"context_line":"    credentials \u003d [\u0027system_reader\u0027, \u0027system_admin\u0027, \u0027project_admin\u0027]"},{"line_number":574,"context_line":""},{"line_number":575,"context_line":""},{"line_number":576,"context_line":"class ProjectAdminTests(ImageV2RbacImageTest, base.BaseV2ImageTest):"},{"line_number":577,"context_line":""},{"line_number":578,"context_line":"    credentials \u003d [\u0027project_admin\u0027, \u0027system_admin\u0027]"},{"line_number":579,"context_line":""}],"source_content_type":"text/x-python","patch_set":25,"id":"4c605345_19a0f100","line":576,"updated":"2021-03-03 00:23:07.000000000","message":"Note for other reviewers:\n\nThese are effectively what we currently consider to be \"admin\" today, which is \"can do anything.\" These are testing those assumptions today, which before RBAC changes, are true. The FIXME comments in these tests describe what will need to change when this class is actually scoped to just admin-of-a-project. In effect, the SystemAdminTests above (currently disabled) will validate the actual can-do-anything admin after that is enabled, when these change to just assert what we expect a project admin to do.","commit_id":"a63beba3856ff6e68284bf0e78ad0509a0b7d675"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3b041e063519d2ba441a3f1b1c3e59194e01126e","unresolved":true,"context_lines":[{"line_number":573,"context_line":"    credentials \u003d [\u0027system_reader\u0027, \u0027system_admin\u0027, \u0027project_admin\u0027]"},{"line_number":574,"context_line":""},{"line_number":575,"context_line":""},{"line_number":576,"context_line":"class ProjectAdminTests(ImageV2RbacImageTest, base.BaseV2ImageTest):"},{"line_number":577,"context_line":""},{"line_number":578,"context_line":"    credentials \u003d [\u0027project_admin\u0027, \u0027system_admin\u0027]"},{"line_number":579,"context_line":""}],"source_content_type":"text/x-python","patch_set":25,"id":"62fee3b0_69539b1c","line":576,"in_reply_to":"4c605345_19a0f100","updated":"2021-03-03 00:34:06.000000000","message":"++ thanks for calling this out explicitly.","commit_id":"a63beba3856ff6e68284bf0e78ad0509a0b7d675"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"bbf9915bc81a34cfa4dcde361c3fd128f4c11ed4","unresolved":true,"context_lines":[{"line_number":984,"context_line":"                        image_id\u003dimage[\u0027id\u0027])"},{"line_number":985,"context_line":""},{"line_number":986,"context_line":""},{"line_number":987,"context_line":"class ProjectMemberTests(ProjectAdminTests, base.BaseV2ImageTest):"},{"line_number":988,"context_line":""},{"line_number":989,"context_line":"    credentials \u003d [\u0027project_member\u0027, \u0027project_admin\u0027, \u0027system_admin\u0027]"},{"line_number":990,"context_line":""}],"source_content_type":"text/x-python","patch_set":25,"id":"47aee5a7_06c9cfaf","line":987,"updated":"2021-03-03 00:23:07.000000000","message":"Note for reviewers:\n\nThese are the tests that matter the most (IMHO) in that they assert that non-admin users are able to do what they should, and not able to do what they shouldn\u0027t, which is largely stable between the secure- and legacy-rbac jobs, and the glance changes for enforce-scope.","commit_id":"a63beba3856ff6e68284bf0e78ad0509a0b7d675"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"297d52d86b653b9a6163d2b9fdc7e7a3c04601dd","unresolved":true,"context_lines":[{"line_number":1411,"context_line":"        # project-admininstrators because the database layer allows users with"},{"line_number":1412,"context_line":"        # the admin role the ability to view images outside their project, and"},{"line_number":1413,"context_line":"        # returns a 403 because it checks tenancy later. IMO, this return code"},{"line_number":1414,"context_line":"        # shouldn\u0027t be any different from project users."},{"line_number":1415,"context_line":"        self.do_request(\u0027update_image\u0027, expected_status\u003dexceptions.NotFound,"},{"line_number":1416,"context_line":"                        image_id\u003dimage[\u0027id\u0027], patch\u003dpatch_body)"},{"line_number":1417,"context_line":""}],"source_content_type":"text/x-python","patch_set":25,"id":"5e8d26c3_a664b4fb","line":1414,"updated":"2021-03-02 22:59:27.000000000","message":"This comment might not be applicable anymore. I might have written this before we landed Dan\u0027s patch to ensure glance returns 404s instead of 403s.","commit_id":"a63beba3856ff6e68284bf0e78ad0509a0b7d675"}]}