)]}'
{"etc/glance-policy-generator.conf":[{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"0c42a788fb501f3dadcbdbfba9629ee1eac08c85","unresolved":false,"context_lines":[{"line_number":1,"context_line":"[DEFAULT]"},{"line_number":2,"context_line":"namespace \u003d glance"},{"line_number":3,"context_line":"output_file \u003d etc/glance.policy.yaml.sample"}],"source_content_type":"text/plain","patch_set":9,"id":"3fa7e38b_55ed04b6","line":3,"range":{"start_line":3,"start_character":18,"end_line":3,"end_character":43},"updated":"2019-12-06 12:56:50.000000000","message":"Couple of questions:\n1) Are we actually changing the file format we expect operators to provide? _When_ there is custom policy.json in the config dir, how does that affect the upgrade?\n2) NIT: can we just call this policy.yaml.sample or if we really are not changing the format policy.json.sample","commit_id":"649e06c58f4e860cd5167966ed87208a2f76003f"},{"author":{"_account_id":4257,"name":"Zane Bitter","email":"zbitter@redhat.com","username":"zaneb"},"change_message_id":"8ba041b320416b41bbb52b12d56e749da509ed41","unresolved":false,"context_lines":[{"line_number":1,"context_line":"[DEFAULT]"},{"line_number":2,"context_line":"namespace \u003d glance"},{"line_number":3,"context_line":"output_file \u003d etc/glance.policy.yaml.sample"}],"source_content_type":"text/plain","patch_set":9,"id":"3fa7e38b_1b825d53","line":3,"range":{"start_line":3,"start_character":18,"end_line":3,"end_character":43},"in_reply_to":"3fa7e38b_55ed04b6","updated":"2019-12-06 15:11:27.000000000","message":"oslo.policy will accept either a json or yaml file AIUI. This config file means only that the sample policy file we generate will be in yaml format. That\u0027s what you want because it has comments.\n\nI copied the name glance.policy.yaml.sample from Lance\u0027s patch I5fa65b8421351c8b6dfc2dcb10af4ec7c322bda1. Most other projects have a directory structure like etc/glance/policy.yaml.sample, so I think that\u0027s the reason he included glance in the name. I suspect in practice this stuff gets installed in /etc/glance/ anyway so maybe it doesn\u0027t matter.","commit_id":"649e06c58f4e860cd5167966ed87208a2f76003f"}],"glance/api/policy.py":[{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"df0ddcbc2a987b4048307c6f6b9596298eb10594","unresolved":false,"context_lines":[{"line_number":61,"context_line":"           :returns: A non-False value if access is allowed."},{"line_number":62,"context_line":"        \"\"\""},{"line_number":63,"context_line":"        if registered and action not in self.registered_rules:"},{"line_number":64,"context_line":"            raise policy.PolicyNotRegistered(action)"},{"line_number":65,"context_line":"        return super(Enforcer, self).enforce(action, target,"},{"line_number":66,"context_line":"                                             context.to_policy_values(),"},{"line_number":67,"context_line":"                                             do_raise\u003dTrue,"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_c9a967dd","line":64,"range":{"start_line":64,"start_character":12,"end_line":64,"end_character":52},"updated":"2019-12-06 05:57:53.000000000","message":"Can we have a unit test to verify this is covered?","commit_id":"649e06c58f4e860cd5167966ed87208a2f76003f"}],"glance/policies/tasks.py":[{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"ba400fa5a61374b01795b4153c493cbdb456fb1d","unresolved":false,"context_lines":[{"line_number":20,"context_line":"    policy.RuleDefault(name\u003d\"modify_task\", check_str\u003d\"\"),"},{"line_number":21,"context_line":"    policy.RuleDefault(name\u003d\"tasks_api_access\", check_str\u003d\"role:admin\"),"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"    policy.RuleDefault(name\u003d\"deactivate\", check_str\u003d\"\"),"},{"line_number":24,"context_line":"    policy.RuleDefault(name\u003d\"reactivate\", check_str\u003d\"\"),"},{"line_number":25,"context_line":"]"},{"line_number":26,"context_line":""},{"line_number":27,"context_line":""}],"source_content_type":"text/x-python","patch_set":6,"id":"3fa7e38b_ddf08469","line":24,"range":{"start_line":23,"start_character":0,"end_line":24,"end_character":56},"updated":"2019-11-13 00:51:35.000000000","message":"These apply to images; should probably be moved to  policies/images.py\n\nAlso (this isn\u0027t due to your change), I don\u0027t know why the default for \u0027reactivate\u0027 is not role:admin; kind of defeats the point of deactivating an image if suspected bad actors can just reactivate it on their own!","commit_id":"f307165e48f38d6d9cb52f2bf153790dea30d9dc"}],"glance/tests/unit/test_policy.py":[{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"0c42a788fb501f3dadcbdbfba9629ee1eac08c85","unresolved":false,"context_lines":[{"line_number":203,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":204,"context_line":"        self.assertEqual(False, enforcer.check(context, \u0027get_image\u0027, {}))"},{"line_number":205,"context_line":""},{"line_number":206,"context_line":"    def test_policy_file_get_image_default_everybody(self):"},{"line_number":207,"context_line":"        rules \u003d {\"default\": \u0027\u0027}"},{"line_number":208,"context_line":"        self.set_policy_rules(rules)"},{"line_number":209,"context_line":""},{"line_number":210,"context_line":"        enforcer \u003d glance.api.policy.Enforcer()"},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":213,"context_line":"        self.assertEqual(True, enforcer.check(context, \u0027get_image\u0027, {}))"},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"    def test_policy_file_get_image_default_nobody(self):"},{"line_number":216,"context_line":"        rules \u003d {\"default\": \u0027!\u0027}"},{"line_number":217,"context_line":"        self.set_policy_rules(rules)"},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"        enforcer \u003d glance.api.policy.Enforcer()"},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":222,"context_line":"        self.assertRaises(exception.Forbidden,"},{"line_number":223,"context_line":"                          enforcer.enforce, context, \u0027get_image\u0027, {})"},{"line_number":224,"context_line":""},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"class TestPolicyEnforcerNoFile(base.IsolatedUnitTest):"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_f5975038","side":"PARENT","line":223,"range":{"start_line":206,"start_character":0,"end_line":223,"end_character":69},"updated":"2019-12-06 12:56:50.000000000","message":"In general I\u0027m all for removing meaningless tests, but I\u0027m not convinced that these two are those. By the quick look I did not find anywhere else us testing that overriding the \"default\" has actual effect. Perhaps we should rename these tests instead of removing them or am I missing something?","commit_id":"7c85bdcf837da06463dbea0cd5171b1f5b3e726d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"ee1f488b8516d8758a96d992b4534601a36efa33","unresolved":false,"context_lines":[{"line_number":203,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":204,"context_line":"        self.assertEqual(False, enforcer.check(context, \u0027get_image\u0027, {}))"},{"line_number":205,"context_line":""},{"line_number":206,"context_line":"    def test_policy_file_get_image_default_everybody(self):"},{"line_number":207,"context_line":"        rules \u003d {\"default\": \u0027\u0027}"},{"line_number":208,"context_line":"        self.set_policy_rules(rules)"},{"line_number":209,"context_line":""},{"line_number":210,"context_line":"        enforcer \u003d glance.api.policy.Enforcer()"},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":213,"context_line":"        self.assertEqual(True, enforcer.check(context, \u0027get_image\u0027, {}))"},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"    def test_policy_file_get_image_default_nobody(self):"},{"line_number":216,"context_line":"        rules \u003d {\"default\": \u0027!\u0027}"},{"line_number":217,"context_line":"        self.set_policy_rules(rules)"},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"        enforcer \u003d glance.api.policy.Enforcer()"},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":222,"context_line":"        self.assertRaises(exception.Forbidden,"},{"line_number":223,"context_line":"                          enforcer.enforce, context, \u0027get_image\u0027, {})"},{"line_number":224,"context_line":""},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"class TestPolicyEnforcerNoFile(base.IsolatedUnitTest):"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_bc677cea","side":"PARENT","line":223,"range":{"start_line":206,"start_character":0,"end_line":223,"end_character":69},"in_reply_to":"3fa7e38b_216cc705","updated":"2019-12-06 20:29:30.000000000","message":"Shouldn\u0027t it be impossible for the \"default\" rule to ever be used?  I thought that the point of the policy-in-code effort was that when any policy action is defined in the code, it\u0027s defined along with a default value.  Since every policy action has its own default value, the \"default\" will never be activated.","commit_id":"7c85bdcf837da06463dbea0cd5171b1f5b3e726d"},{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"466291e6ee9c905bea197d7fb397bf38d9195032","unresolved":false,"context_lines":[{"line_number":203,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":204,"context_line":"        self.assertEqual(False, enforcer.check(context, \u0027get_image\u0027, {}))"},{"line_number":205,"context_line":""},{"line_number":206,"context_line":"    def test_policy_file_get_image_default_everybody(self):"},{"line_number":207,"context_line":"        rules \u003d {\"default\": \u0027\u0027}"},{"line_number":208,"context_line":"        self.set_policy_rules(rules)"},{"line_number":209,"context_line":""},{"line_number":210,"context_line":"        enforcer \u003d glance.api.policy.Enforcer()"},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":213,"context_line":"        self.assertEqual(True, enforcer.check(context, \u0027get_image\u0027, {}))"},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"    def test_policy_file_get_image_default_nobody(self):"},{"line_number":216,"context_line":"        rules \u003d {\"default\": \u0027!\u0027}"},{"line_number":217,"context_line":"        self.set_policy_rules(rules)"},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"        enforcer \u003d glance.api.policy.Enforcer()"},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":222,"context_line":"        self.assertRaises(exception.Forbidden,"},{"line_number":223,"context_line":"                          enforcer.enforce, context, \u0027get_image\u0027, {})"},{"line_number":224,"context_line":""},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"class TestPolicyEnforcerNoFile(base.IsolatedUnitTest):"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_bb678951","side":"PARENT","line":223,"range":{"start_line":206,"start_character":0,"end_line":223,"end_character":69},"in_reply_to":"3fa7e38b_3b6399b3","updated":"2019-12-06 15:32:18.000000000","message":"\u003e We don\u0027t create a rule named \"default\" any more, so this test was\n \u003e failing.\n\nOk this is going to be a problem as this is backwards incompatible and potentially is very hazardous for lots of existing deployments. The \"default\" policy has been operating in a way that one can specify rule that gets applied everywhere and after that just overwrite what they want to deviate from that.\n\nFor example following policy.json file:\n{\n    \"context_is_admin\": \"role:admin\",\n    \"default\": \"role:admin\",\n    \"get_image\": \"\",\n    \"get_images\": \"\",\n    \"download_image\": \"\",\n    \"get_image_location\": \"\"\n}\n\nwould have previously allowed anyone consume images but not create, modify etc. (basically everything else) which would have been reserved for \"role:admin\". After this change, most of the privileges would be just silently granted to everyone.\n\nWe cannot just silently ignore \"default\" rule that applies everywhere and has been the basis for any sane policy file so far.","commit_id":"7c85bdcf837da06463dbea0cd5171b1f5b3e726d"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"6e439ffcac8c1a320abf2a7af3963de88d5c6633","unresolved":false,"context_lines":[{"line_number":203,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":204,"context_line":"        self.assertEqual(False, enforcer.check(context, \u0027get_image\u0027, {}))"},{"line_number":205,"context_line":""},{"line_number":206,"context_line":"    def test_policy_file_get_image_default_everybody(self):"},{"line_number":207,"context_line":"        rules \u003d {\"default\": \u0027\u0027}"},{"line_number":208,"context_line":"        self.set_policy_rules(rules)"},{"line_number":209,"context_line":""},{"line_number":210,"context_line":"        enforcer \u003d glance.api.policy.Enforcer()"},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":213,"context_line":"        self.assertEqual(True, enforcer.check(context, \u0027get_image\u0027, {}))"},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"    def test_policy_file_get_image_default_nobody(self):"},{"line_number":216,"context_line":"        rules \u003d {\"default\": \u0027!\u0027}"},{"line_number":217,"context_line":"        self.set_policy_rules(rules)"},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"        enforcer \u003d glance.api.policy.Enforcer()"},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":222,"context_line":"        self.assertRaises(exception.Forbidden,"},{"line_number":223,"context_line":"                          enforcer.enforce, context, \u0027get_image\u0027, {})"},{"line_number":224,"context_line":""},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"class TestPolicyEnforcerNoFile(base.IsolatedUnitTest):"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_216cc705","side":"PARENT","line":223,"range":{"start_line":206,"start_character":0,"end_line":223,"end_character":69},"in_reply_to":"3fa7e38b_bb678951","updated":"2019-12-06 20:17:54.000000000","message":"Can\u0027t this be specified in configuration instead? \n\nhttps://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.policy_default_rule","commit_id":"7c85bdcf837da06463dbea0cd5171b1f5b3e726d"},{"author":{"_account_id":11904,"name":"Sean McGinnis","email":"sean.mcginnis@gmail.com","username":"SeanM"},"change_message_id":"4668c95991e2b6d0bbb3b53142ca72fd93689de9","unresolved":false,"context_lines":[{"line_number":203,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":204,"context_line":"        self.assertEqual(False, enforcer.check(context, \u0027get_image\u0027, {}))"},{"line_number":205,"context_line":""},{"line_number":206,"context_line":"    def test_policy_file_get_image_default_everybody(self):"},{"line_number":207,"context_line":"        rules \u003d {\"default\": \u0027\u0027}"},{"line_number":208,"context_line":"        self.set_policy_rules(rules)"},{"line_number":209,"context_line":""},{"line_number":210,"context_line":"        enforcer \u003d glance.api.policy.Enforcer()"},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":213,"context_line":"        self.assertEqual(True, enforcer.check(context, \u0027get_image\u0027, {}))"},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"    def test_policy_file_get_image_default_nobody(self):"},{"line_number":216,"context_line":"        rules \u003d {\"default\": \u0027!\u0027}"},{"line_number":217,"context_line":"        self.set_policy_rules(rules)"},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"        enforcer \u003d glance.api.policy.Enforcer()"},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":222,"context_line":"        self.assertRaises(exception.Forbidden,"},{"line_number":223,"context_line":"                          enforcer.enforce, context, \u0027get_image\u0027, {})"},{"line_number":224,"context_line":""},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"class TestPolicyEnforcerNoFile(base.IsolatedUnitTest):"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_3c82ac53","side":"PARENT","line":223,"range":{"start_line":206,"start_character":0,"end_line":223,"end_character":69},"in_reply_to":"3fa7e38b_bc677cea","updated":"2019-12-06 20:31:18.000000000","message":"+1","commit_id":"7c85bdcf837da06463dbea0cd5171b1f5b3e726d"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3efe65c458d53fd1ea76bac3a6f36e9b4f1e5275","unresolved":false,"context_lines":[{"line_number":203,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":204,"context_line":"        self.assertEqual(False, enforcer.check(context, \u0027get_image\u0027, {}))"},{"line_number":205,"context_line":""},{"line_number":206,"context_line":"    def test_policy_file_get_image_default_everybody(self):"},{"line_number":207,"context_line":"        rules \u003d {\"default\": \u0027\u0027}"},{"line_number":208,"context_line":"        self.set_policy_rules(rules)"},{"line_number":209,"context_line":""},{"line_number":210,"context_line":"        enforcer \u003d glance.api.policy.Enforcer()"},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":213,"context_line":"        self.assertEqual(True, enforcer.check(context, \u0027get_image\u0027, {}))"},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"    def test_policy_file_get_image_default_nobody(self):"},{"line_number":216,"context_line":"        rules \u003d {\"default\": \u0027!\u0027}"},{"line_number":217,"context_line":"        self.set_policy_rules(rules)"},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"        enforcer \u003d glance.api.policy.Enforcer()"},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":222,"context_line":"        self.assertRaises(exception.Forbidden,"},{"line_number":223,"context_line":"                          enforcer.enforce, context, \u0027get_image\u0027, {})"},{"line_number":224,"context_line":""},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"class TestPolicyEnforcerNoFile(base.IsolatedUnitTest):"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_5c8d282f","side":"PARENT","line":223,"range":{"start_line":206,"start_character":0,"end_line":223,"end_character":69},"in_reply_to":"3fa7e38b_bc677cea","updated":"2019-12-06 20:59:18.000000000","message":"\u003e Shouldn\u0027t it be impossible for the \"default\" rule to ever be used? \n \u003e I thought that the point of the policy-in-code effort was that when\n \u003e any policy action is defined in the code, it\u0027s defined along with a\n \u003e default value.  Since every policy action has its own default\n \u003e value, the \"default\" will never be activated.\n\nYeah - the whole policy-in-code effort makes specifying a default completely obsolete (in favor of something much more granular).\n\nBut, from a backward-compatibility perspective, if one is concerned about preserving a one-size-fits-all default, oslo.policy will do that for you with that configuration option (so the behavior is achievable even though it might not be recommended).","commit_id":"7c85bdcf837da06463dbea0cd5171b1f5b3e726d"},{"author":{"_account_id":4257,"name":"Zane Bitter","email":"zbitter@redhat.com","username":"zaneb"},"change_message_id":"8ba041b320416b41bbb52b12d56e749da509ed41","unresolved":false,"context_lines":[{"line_number":203,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":204,"context_line":"        self.assertEqual(False, enforcer.check(context, \u0027get_image\u0027, {}))"},{"line_number":205,"context_line":""},{"line_number":206,"context_line":"    def test_policy_file_get_image_default_everybody(self):"},{"line_number":207,"context_line":"        rules \u003d {\"default\": \u0027\u0027}"},{"line_number":208,"context_line":"        self.set_policy_rules(rules)"},{"line_number":209,"context_line":""},{"line_number":210,"context_line":"        enforcer \u003d glance.api.policy.Enforcer()"},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":213,"context_line":"        self.assertEqual(True, enforcer.check(context, \u0027get_image\u0027, {}))"},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"    def test_policy_file_get_image_default_nobody(self):"},{"line_number":216,"context_line":"        rules \u003d {\"default\": \u0027!\u0027}"},{"line_number":217,"context_line":"        self.set_policy_rules(rules)"},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"        enforcer \u003d glance.api.policy.Enforcer()"},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"        context \u003d glance.context.RequestContext(roles\u003d[])"},{"line_number":222,"context_line":"        self.assertRaises(exception.Forbidden,"},{"line_number":223,"context_line":"                          enforcer.enforce, context, \u0027get_image\u0027, {})"},{"line_number":224,"context_line":""},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"class TestPolicyEnforcerNoFile(base.IsolatedUnitTest):"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_3b6399b3","side":"PARENT","line":223,"range":{"start_line":206,"start_character":0,"end_line":223,"end_character":69},"in_reply_to":"3fa7e38b_f5975038","updated":"2019-12-06 15:11:27.000000000","message":"This test was testing what happens if the user provides an empty/nonexistent policy.json file instead of the in-tree one with the default policies, forcing us to rely on some default default policy (in the form of a rule named \"default\").\n\nWith the default policies now in code, it\u0027s no longer possible to not have the default policy available (you\u0027d have to remove some code, not just the policy.json file), so there\u0027s nothing to test. We don\u0027t create a rule named \"default\" any more, so this test was failing.","commit_id":"7c85bdcf837da06463dbea0cd5171b1f5b3e726d"}],"releasenotes/notes/policy-in-code-7e0c6c070d32d136.yaml":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"345792f7647051a6e13495ba007f73ec6b6f593c","unresolved":false,"context_lines":[{"line_number":19,"context_line":"    ``\"role:admin\"`` (prior to Queens it was ``\"@\"``, which allows everything)."},{"line_number":20,"context_line":"    After upgrading to this release, the policy file should be replaced by one"},{"line_number":21,"context_line":"    that overrides only policies that need to be different from the defaults,"},{"line_number":22,"context_line":"    without relying on the ``default`` rule. Users who want to retain the old"},{"line_number":23,"context_line":"    behaviour should set the ``policy_default_rule`` option in the"},{"line_number":24,"context_line":"    ``[oslo_policy]`` section of the config file."}],"source_content_type":"text/x-yaml","patch_set":12,"id":"3fa7e38b_c2c68a9d","line":24,"range":{"start_line":22,"start_character":45,"end_line":24,"end_character":49},"updated":"2019-12-17 14:02:44.000000000","message":"Even though we don\u0027t recommend this...\n\nDo operators know more granular defaults for glance policies are being developed?","commit_id":"37f8926810cab176620235425c9f45fb71c0cfd1"},{"author":{"_account_id":4257,"name":"Zane Bitter","email":"zbitter@redhat.com","username":"zaneb"},"change_message_id":"c281f01555490593d3423042870fd9d3407456d7","unresolved":false,"context_lines":[{"line_number":19,"context_line":"    ``\"role:admin\"`` (prior to Queens it was ``\"@\"``, which allows everything)."},{"line_number":20,"context_line":"    After upgrading to this release, the policy file should be replaced by one"},{"line_number":21,"context_line":"    that overrides only policies that need to be different from the defaults,"},{"line_number":22,"context_line":"    without relying on the ``default`` rule. Users who want to retain the old"},{"line_number":23,"context_line":"    behaviour should set the ``policy_default_rule`` option in the"},{"line_number":24,"context_line":"    ``[oslo_policy]`` section of the config file."}],"source_content_type":"text/x-yaml","patch_set":12,"id":"3fa7e38b_93c4d895","line":24,"range":{"start_line":22,"start_character":45,"end_line":24,"end_character":49},"in_reply_to":"3fa7e38b_480fea38","updated":"2020-01-06 18:02:52.000000000","message":"Done","commit_id":"37f8926810cab176620235425c9f45fb71c0cfd1"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"0f046da6c428b16373b6e4238f2dd248c9fd2b5e","unresolved":false,"context_lines":[{"line_number":19,"context_line":"    ``\"role:admin\"`` (prior to Queens it was ``\"@\"``, which allows everything)."},{"line_number":20,"context_line":"    After upgrading to this release, the policy file should be replaced by one"},{"line_number":21,"context_line":"    that overrides only policies that need to be different from the defaults,"},{"line_number":22,"context_line":"    without relying on the ``default`` rule. Users who want to retain the old"},{"line_number":23,"context_line":"    behaviour should set the ``policy_default_rule`` option in the"},{"line_number":24,"context_line":"    ``[oslo_policy]`` section of the config file."}],"source_content_type":"text/x-yaml","patch_set":12,"id":"3fa7e38b_fe3697df","line":24,"range":{"start_line":22,"start_character":45,"end_line":24,"end_character":49},"in_reply_to":"3fa7e38b_c2c68a9d","updated":"2019-12-19 14:18:20.000000000","message":"It used to be the case that the policy_default_rule setting governed the *name* of the rule that was used in the situation where a target is being checked but a rule for that target does not exist.  So I don\u0027t see how setting this option will have any effect, since the rule is never going to be used because all the targets have rules defined in the code.","commit_id":"37f8926810cab176620235425c9f45fb71c0cfd1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f74a208b5e9ed5a9e3f68b2849fc519797b0ad65","unresolved":false,"context_lines":[{"line_number":19,"context_line":"    ``\"role:admin\"`` (prior to Queens it was ``\"@\"``, which allows everything)."},{"line_number":20,"context_line":"    After upgrading to this release, the policy file should be replaced by one"},{"line_number":21,"context_line":"    that overrides only policies that need to be different from the defaults,"},{"line_number":22,"context_line":"    without relying on the ``default`` rule. Users who want to retain the old"},{"line_number":23,"context_line":"    behaviour should set the ``policy_default_rule`` option in the"},{"line_number":24,"context_line":"    ``[oslo_policy]`` section of the config file."}],"source_content_type":"text/x-yaml","patch_set":12,"id":"3fa7e38b_480fea38","line":24,"range":{"start_line":22,"start_character":45,"end_line":24,"end_character":49},"in_reply_to":"3fa7e38b_d8364be9","updated":"2019-12-20 02:46:34.000000000","message":"I apologize, I may have remembered that behavior differently. After dusting off the code and oslo.policy docs, Brian is right.","commit_id":"37f8926810cab176620235425c9f45fb71c0cfd1"},{"author":{"_account_id":4257,"name":"Zane Bitter","email":"zbitter@redhat.com","username":"zaneb"},"change_message_id":"f660bafe6eca6be35c81b959da56de8b428931f8","unresolved":false,"context_lines":[{"line_number":19,"context_line":"    ``\"role:admin\"`` (prior to Queens it was ``\"@\"``, which allows everything)."},{"line_number":20,"context_line":"    After upgrading to this release, the policy file should be replaced by one"},{"line_number":21,"context_line":"    that overrides only policies that need to be different from the defaults,"},{"line_number":22,"context_line":"    without relying on the ``default`` rule. Users who want to retain the old"},{"line_number":23,"context_line":"    behaviour should set the ``policy_default_rule`` option in the"},{"line_number":24,"context_line":"    ``[oslo_policy]`` section of the config file."}],"source_content_type":"text/x-yaml","patch_set":12,"id":"3fa7e38b_d8364be9","line":24,"range":{"start_line":22,"start_character":45,"end_line":24,"end_character":49},"in_reply_to":"3fa7e38b_fe3697df","updated":"2019-12-19 20:04:28.000000000","message":"I interpreted Lance\u0027s response last time you asked this question as meaning that if you set this config option the defaults in code are ignored in favour of the configured default rule. If this interpretation were incorrect I assume Lance would have said so in his comment above.","commit_id":"37f8926810cab176620235425c9f45fb71c0cfd1"}]}