)]}'
{"glance/api/policy.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1d75601a8bdcea77d1eab3cd5692c33a1f2241b0","unresolved":true,"context_lines":[{"line_number":51,"context_line":"        if CONF.oslo_policy.enforce_new_defaults:"},{"line_number":52,"context_line":"            LOG.warning(_("},{"line_number":53,"context_line":"                \"Deploying glance with secure RBAC personas enabled via \""},{"line_number":54,"context_line":"                \"`glance-api.conf [oslo_policy] enforce_new_defaults \u003d True` \""},{"line_number":55,"context_line":"                \"is marked as EXPERIMENTAL in Wallaby. The status of this \""},{"line_number":56,"context_line":"                \"feature will graduate to SUPPORTED as glance adopts more \""},{"line_number":57,"context_line":"                \"personas, specifically for system-scope.\""}],"source_content_type":"text/x-python","patch_set":2,"id":"093a84bc_b4c09dcd","line":54,"updated":"2021-02-22 19:34:14.000000000","message":"I opted to reuse an existing configuration option instead of introducing a new one. Since the new defaults we\u0027re introducing are for secure RBAC and this option forces the policy engine to use the new defaults, it was effectively doing the same thing as a enforce_new_policies option, but it isn\u0027t specific to glance.","commit_id":"f74f9f7f491072fac1913a7cd4f9f6ef294f422a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"633e010cd9d487ec305672e14edb56b1032413fc","unresolved":true,"context_lines":[{"line_number":51,"context_line":"        if CONF.oslo_policy.enforce_new_defaults:"},{"line_number":52,"context_line":"            LOG.warning(_("},{"line_number":53,"context_line":"                \"Deploying glance with secure RBAC personas enabled via \""},{"line_number":54,"context_line":"                \"`glance-api.conf [oslo_policy] enforce_new_defaults \u003d True` \""},{"line_number":55,"context_line":"                \"is marked as EXPERIMENTAL in Wallaby. The status of this \""},{"line_number":56,"context_line":"                \"feature will graduate to SUPPORTED as glance adopts more \""},{"line_number":57,"context_line":"                \"personas, specifically for system-scope.\""}],"source_content_type":"text/x-python","patch_set":2,"id":"6f9765ae_b36d22f1","line":54,"in_reply_to":"093a84bc_b4c09dcd","updated":"2021-02-23 10:37:37.000000000","message":"AFAIK, glance wants control in its hand to be certain that if you need RBAC then you need to explicitly set glance related flag to True along with the above one.\n\nLets see what others have to say on this, but I guess that is what we decided in last meeting.","commit_id":"f74f9f7f491072fac1913a7cd4f9f6ef294f422a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"603b6aa82ba0f4fd7a87b562abd40ea374efa03e","unresolved":true,"context_lines":[{"line_number":48,"context_line":"    def __init__(self):"},{"line_number":49,"context_line":"        super(Enforcer, self).__init__(CONF, use_conf\u003dTrue, overwrite\u003dFalse)"},{"line_number":50,"context_line":"        self.register_defaults(policies.list_rules())"},{"line_number":51,"context_line":"        if CONF.oslo_policy.enforce_new_defaults:"},{"line_number":52,"context_line":"            LOG.warning(_("},{"line_number":53,"context_line":"                \"Deploying glance with secure RBAC personas enabled via \""},{"line_number":54,"context_line":"                \"`glance-api.conf [oslo_policy] enforce_new_defaults \u003d True` \""},{"line_number":55,"context_line":"                \"is marked as EXPERIMENTAL in Wallaby. The status of this \""},{"line_number":56,"context_line":"                \"feature will graduate to SUPPORTED as glance adopts more \""},{"line_number":57,"context_line":"                \"personas, specifically for system-scope.\""},{"line_number":58,"context_line":"            ))"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"    def add_rules(self, rules):"},{"line_number":61,"context_line":"        \"\"\"Add new rules to the Rules object\"\"\""}],"source_content_type":"text/x-python","patch_set":4,"id":"eb148de8_506a2cd2","line":58,"range":{"start_line":51,"start_character":8,"end_line":58,"end_character":14},"updated":"2021-03-01 06:36:40.000000000","message":"We have decided to add glance specific config parameter for this purpose, so now this should check both the config options are True then log the warning.","commit_id":"63ceecdbe702df47d5276d2ec09ea89aa6ca6fa3"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"4f57a457519ee58b3f95b04a5bd55eb9bf279af0","unresolved":true,"context_lines":[{"line_number":48,"context_line":"    def __init__(self):"},{"line_number":49,"context_line":"        super(Enforcer, self).__init__(CONF, use_conf\u003dTrue, overwrite\u003dFalse)"},{"line_number":50,"context_line":"        self.register_defaults(policies.list_rules())"},{"line_number":51,"context_line":"        if CONF.oslo_policy.enforce_new_defaults:"},{"line_number":52,"context_line":"            LOG.warning(_("},{"line_number":53,"context_line":"                \"Deploying glance with secure RBAC personas enabled via \""},{"line_number":54,"context_line":"                \"`glance-api.conf [oslo_policy] enforce_new_defaults \u003d True` \""},{"line_number":55,"context_line":"                \"is marked as EXPERIMENTAL in Wallaby. The status of this \""},{"line_number":56,"context_line":"                \"feature will graduate to SUPPORTED as glance adopts more \""},{"line_number":57,"context_line":"                \"personas, specifically for system-scope.\""},{"line_number":58,"context_line":"            ))"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"    def add_rules(self, rules):"},{"line_number":61,"context_line":"        \"\"\"Add new rules to the Rules object\"\"\""}],"source_content_type":"text/x-python","patch_set":4,"id":"fde0ef1d_bb3ca3b8","line":58,"range":{"start_line":51,"start_character":8,"end_line":58,"end_character":14},"in_reply_to":"075184a8_824ca265","updated":"2021-03-01 17:46:37.000000000","message":"Perfect.","commit_id":"63ceecdbe702df47d5276d2ec09ea89aa6ca6fa3"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e50cc5355d5afa9ff0be523519e40f09e1d158ae","unresolved":true,"context_lines":[{"line_number":48,"context_line":"    def __init__(self):"},{"line_number":49,"context_line":"        super(Enforcer, self).__init__(CONF, use_conf\u003dTrue, overwrite\u003dFalse)"},{"line_number":50,"context_line":"        self.register_defaults(policies.list_rules())"},{"line_number":51,"context_line":"        if CONF.oslo_policy.enforce_new_defaults:"},{"line_number":52,"context_line":"            LOG.warning(_("},{"line_number":53,"context_line":"                \"Deploying glance with secure RBAC personas enabled via \""},{"line_number":54,"context_line":"                \"`glance-api.conf [oslo_policy] enforce_new_defaults \u003d True` \""},{"line_number":55,"context_line":"                \"is marked as EXPERIMENTAL in Wallaby. The status of this \""},{"line_number":56,"context_line":"                \"feature will graduate to SUPPORTED as glance adopts more \""},{"line_number":57,"context_line":"                \"personas, specifically for system-scope.\""},{"line_number":58,"context_line":"            ))"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"    def add_rules(self, rules):"},{"line_number":61,"context_line":"        \"\"\"Add new rules to the Rules object\"\"\""}],"source_content_type":"text/x-python","patch_set":4,"id":"075184a8_824ca265","line":58,"range":{"start_line":51,"start_character":8,"end_line":58,"end_character":14},"in_reply_to":"eb148de8_506a2cd2","updated":"2021-03-01 17:29:56.000000000","message":"And make sure glance fails to start if the configuration options don\u0027t match, right?","commit_id":"63ceecdbe702df47d5276d2ec09ea89aa6ca6fa3"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"3a396c7819ce53a7ae2c58986ec7437deb26b373","unresolved":true,"context_lines":[{"line_number":51,"context_line":"        if CONF.oslo_policy.enforce_new_defaults and CONF.enforce_secure_rbac:"},{"line_number":52,"context_line":"            LOG.warning(_("},{"line_number":53,"context_line":"                \"Deploying glance with secure RBAC personas enabled via \""},{"line_number":54,"context_line":"                \"`glance-api.conf [oslo_policy] enforce_new_defaults \u003d True` \""},{"line_number":55,"context_line":"                \"is marked as EXPERIMENTAL in Wallaby. The status of this \""},{"line_number":56,"context_line":"                \"feature will graduate to SUPPORTED as glance adopts more \""},{"line_number":57,"context_line":"                \"personas, specifically for system-scope.\""}],"source_content_type":"text/x-python","patch_set":5,"id":"150063ae_9958f019","line":54,"range":{"start_line":54,"start_character":68,"end_line":54,"end_character":71},"updated":"2021-03-01 19:46:02.000000000","message":"Recommend you collapse the space around here. IMHO, it\u0027s more clearly a config option that way, and matches what I see (far) more often.","commit_id":"09dd275b1a3c27c5143bc3332fcd2dc60d32c968"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"81e24741b9d67a1e8aa2f72f360e93c52a704c63","unresolved":false,"context_lines":[{"line_number":51,"context_line":"        if CONF.oslo_policy.enforce_new_defaults and CONF.enforce_secure_rbac:"},{"line_number":52,"context_line":"            LOG.warning(_("},{"line_number":53,"context_line":"                \"Deploying glance with secure RBAC personas enabled via \""},{"line_number":54,"context_line":"                \"`glance-api.conf [oslo_policy] enforce_new_defaults \u003d True` \""},{"line_number":55,"context_line":"                \"is marked as EXPERIMENTAL in Wallaby. The status of this \""},{"line_number":56,"context_line":"                \"feature will graduate to SUPPORTED as glance adopts more \""},{"line_number":57,"context_line":"                \"personas, specifically for system-scope.\""}],"source_content_type":"text/x-python","patch_set":5,"id":"392c6fce_4743d252","line":54,"range":{"start_line":54,"start_character":68,"end_line":54,"end_character":71},"in_reply_to":"150063ae_9958f019","updated":"2021-03-01 20:02:22.000000000","message":"Done","commit_id":"09dd275b1a3c27c5143bc3332fcd2dc60d32c968"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"f1272f43ee716181ffa50dc106d624314ede51b4","unresolved":true,"context_lines":[{"line_number":48,"context_line":"    def __init__(self):"},{"line_number":49,"context_line":"        super(Enforcer, self).__init__(CONF, use_conf\u003dTrue, overwrite\u003dFalse)"},{"line_number":50,"context_line":"        self.register_defaults(policies.list_rules())"},{"line_number":51,"context_line":"        if CONF.oslo_policy.enforce_new_defaults and CONF.enforce_secure_rbac:"},{"line_number":52,"context_line":"            LOG.warning(_("},{"line_number":53,"context_line":"                \"Deploying glance with secure RBAC personas enabled via \""},{"line_number":54,"context_line":"                \"`glance-api.conf [oslo_policy] enforce_new_defaults\u003dTrue` \""}],"source_content_type":"text/x-python","patch_set":6,"id":"da087a1e_3574c7d0","line":51,"range":{"start_line":51,"start_character":11,"end_line":51,"end_character":77},"updated":"2021-03-02 06:51:59.000000000","message":"Nit: Technically we should check glance parameter first","commit_id":"8ad6cd59bcbcf2ccec767adc6b4fa4f22233024d"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"08f42ff9eca7d7b6ccdb565635a301b4647b4e50","unresolved":false,"context_lines":[{"line_number":48,"context_line":"    def __init__(self):"},{"line_number":49,"context_line":"        super(Enforcer, self).__init__(CONF, use_conf\u003dTrue, overwrite\u003dFalse)"},{"line_number":50,"context_line":"        self.register_defaults(policies.list_rules())"},{"line_number":51,"context_line":"        if CONF.oslo_policy.enforce_new_defaults and CONF.enforce_secure_rbac:"},{"line_number":52,"context_line":"            LOG.warning(_("},{"line_number":53,"context_line":"                \"Deploying glance with secure RBAC personas enabled via \""},{"line_number":54,"context_line":"                \"`glance-api.conf [oslo_policy] enforce_new_defaults\u003dTrue` \""}],"source_content_type":"text/x-python","patch_set":6,"id":"351fe48b_a5fc4cf7","line":51,"range":{"start_line":51,"start_character":11,"end_line":51,"end_character":77},"in_reply_to":"da087a1e_3574c7d0","updated":"2021-03-02 13:28:56.000000000","message":"Done","commit_id":"8ad6cd59bcbcf2ccec767adc6b4fa4f22233024d"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"f1272f43ee716181ffa50dc106d624314ede51b4","unresolved":true,"context_lines":[{"line_number":51,"context_line":"        if CONF.oslo_policy.enforce_new_defaults and CONF.enforce_secure_rbac:"},{"line_number":52,"context_line":"            LOG.warning(_("},{"line_number":53,"context_line":"                \"Deploying glance with secure RBAC personas enabled via \""},{"line_number":54,"context_line":"                \"`glance-api.conf [oslo_policy] enforce_new_defaults\u003dTrue` \""},{"line_number":55,"context_line":"                \"is marked as EXPERIMENTAL in Wallaby. The status of this \""},{"line_number":56,"context_line":"                \"feature will graduate to SUPPORTED as glance adopts more \""},{"line_number":57,"context_line":"                \"personas, specifically for system-scope.\""}],"source_content_type":"text/x-python","patch_set":6,"id":"d6cfc972_a37320f9","line":54,"range":{"start_line":54,"start_character":18,"end_line":54,"end_character":74},"updated":"2021-03-02 06:51:59.000000000","message":"also we need to mention about \u0027enforce_secure_rbac\u0027","commit_id":"8ad6cd59bcbcf2ccec767adc6b4fa4f22233024d"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"08f42ff9eca7d7b6ccdb565635a301b4647b4e50","unresolved":false,"context_lines":[{"line_number":51,"context_line":"        if CONF.oslo_policy.enforce_new_defaults and CONF.enforce_secure_rbac:"},{"line_number":52,"context_line":"            LOG.warning(_("},{"line_number":53,"context_line":"                \"Deploying glance with secure RBAC personas enabled via \""},{"line_number":54,"context_line":"                \"`glance-api.conf [oslo_policy] enforce_new_defaults\u003dTrue` \""},{"line_number":55,"context_line":"                \"is marked as EXPERIMENTAL in Wallaby. The status of this \""},{"line_number":56,"context_line":"                \"feature will graduate to SUPPORTED as glance adopts more \""},{"line_number":57,"context_line":"                \"personas, specifically for system-scope.\""}],"source_content_type":"text/x-python","patch_set":6,"id":"8799c00f_dabf01c7","line":54,"range":{"start_line":54,"start_character":18,"end_line":54,"end_character":74},"in_reply_to":"d6cfc972_a37320f9","updated":"2021-03-02 13:28:56.000000000","message":"Done","commit_id":"8ad6cd59bcbcf2ccec767adc6b4fa4f22233024d"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"3efc001c029cda73aa6af9c7746ac4bfb329edc9","unresolved":true,"context_lines":[{"line_number":49,"context_line":"        super(Enforcer, self).__init__(CONF, use_conf\u003dTrue, overwrite\u003dFalse)"},{"line_number":50,"context_line":"        self.register_defaults(policies.list_rules())"},{"line_number":51,"context_line":"        if CONF.enforce_secure_rbac and CONF.oslo_policy.enforce_new_defaults:"},{"line_number":52,"context_line":"            LOG.warning(_("},{"line_number":53,"context_line":"                \"Deploying glance with secure RBAC personas enabled via \""},{"line_number":54,"context_line":"                \"`glance-api.conf [DEFAULT] enforce_secure_rbac\u003dTrue` and \""},{"line_number":55,"context_line":"                \"`glance-api.conf [oslo_policy] enforce_new_defaults\u003dTrue` \""}],"source_content_type":"text/x-python","patch_set":7,"id":"203211c5_e9672ae5","line":52,"range":{"start_line":52,"start_character":24,"end_line":52,"end_character":25},"updated":"2021-03-02 13:56:14.000000000","message":"_LW\nsorry I missed earlier 😞\n\nFix if respin is required, OW we can fix it in follow up","commit_id":"a4335022751066826d9aaf9bc6269ab1b86da747"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"73056d101c0af580e408063bf1b183f5d74e9591","unresolved":false,"context_lines":[{"line_number":49,"context_line":"        super(Enforcer, self).__init__(CONF, use_conf\u003dTrue, overwrite\u003dFalse)"},{"line_number":50,"context_line":"        self.register_defaults(policies.list_rules())"},{"line_number":51,"context_line":"        if CONF.enforce_secure_rbac and CONF.oslo_policy.enforce_new_defaults:"},{"line_number":52,"context_line":"            LOG.warning(_("},{"line_number":53,"context_line":"                \"Deploying glance with secure RBAC personas enabled via \""},{"line_number":54,"context_line":"                \"`glance-api.conf [DEFAULT] enforce_secure_rbac\u003dTrue` and \""},{"line_number":55,"context_line":"                \"`glance-api.conf [oslo_policy] enforce_new_defaults\u003dTrue` \""}],"source_content_type":"text/x-python","patch_set":7,"id":"c19f125a_226ed38d","line":52,"range":{"start_line":52,"start_character":24,"end_line":52,"end_character":25},"in_reply_to":"203211c5_e9672ae5","updated":"2021-03-02 14:54:32.000000000","message":"Done","commit_id":"a4335022751066826d9aaf9bc6269ab1b86da747"}],"glance/common/config.py":[{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"e158ca1c9933adb541a0d056d751bd58db367c64","unresolved":true,"context_lines":[{"line_number":176,"context_line":""},{"line_number":177,"context_line":"Glance is introducing Secure RBAC as EXPERIMENTAL feature in Wallaby."},{"line_number":178,"context_line":"In order to enable Secure RBAC to enforce new policies operator needs"},{"line_number":179,"context_line":"to set this option to True along with setting ``enforce_new_defaults``"},{"line_number":180,"context_line":"to True under ``oslo_policy`` section in glance-api.conf file."},{"line_number":181,"context_line":"\"\"\")),"},{"line_number":182,"context_line":"    cfg.BoolOpt(\u0027allow_additional_image_properties\u0027, default\u003dTrue,"}],"source_content_type":"text/x-python","patch_set":1,"id":"89d9f0a8_7fe3fbb0","line":179,"range":{"start_line":179,"start_character":47,"end_line":179,"end_character":69},"updated":"2021-02-19 14:07:39.000000000","message":"We should overwrite this value upon startup when \u0027enforce_new_policies\u0027 is False, likely before https://github.com/openstack/glance/blob/master/glance/cmd/api.py#L74 so the effect is clear when the service starts and logs it\u0027s current running config.","commit_id":"dc15d66e7708280201740800139e1ce26489b623"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"cfc55a848639adce34c4cab2946375d90b5f014e","unresolved":true,"context_lines":[{"line_number":176,"context_line":""},{"line_number":177,"context_line":"Glance is introducing Secure RBAC as EXPERIMENTAL feature in Wallaby."},{"line_number":178,"context_line":"In order to enable Secure RBAC to enforce new policies operator needs"},{"line_number":179,"context_line":"to set this option to True along with setting ``enforce_new_defaults``"},{"line_number":180,"context_line":"to True under ``oslo_policy`` section in glance-api.conf file."},{"line_number":181,"context_line":"\"\"\")),"},{"line_number":182,"context_line":"    cfg.BoolOpt(\u0027allow_additional_image_properties\u0027, default\u003dTrue,"}],"source_content_type":"text/x-python","patch_set":1,"id":"b6b3338a_76944863","line":179,"range":{"start_line":179,"start_character":47,"end_line":179,"end_character":69},"in_reply_to":"075248a0_f37664f9","updated":"2021-02-19 14:22:58.000000000","message":"AFAIK, override (CONF.set_override) is used in tests only, I haven\u0027t seen any such example in any of the code base.","commit_id":"dc15d66e7708280201740800139e1ce26489b623"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"0ec567054410fa487fb9750864982c8b12c0f82c","unresolved":true,"context_lines":[{"line_number":176,"context_line":""},{"line_number":177,"context_line":"Glance is introducing Secure RBAC as EXPERIMENTAL feature in Wallaby."},{"line_number":178,"context_line":"In order to enable Secure RBAC to enforce new policies operator needs"},{"line_number":179,"context_line":"to set this option to True along with setting ``enforce_new_defaults``"},{"line_number":180,"context_line":"to True under ``oslo_policy`` section in glance-api.conf file."},{"line_number":181,"context_line":"\"\"\")),"},{"line_number":182,"context_line":"    cfg.BoolOpt(\u0027allow_additional_image_properties\u0027, default\u003dTrue,"}],"source_content_type":"text/x-python","patch_set":1,"id":"075248a0_f37664f9","line":179,"range":{"start_line":179,"start_character":47,"end_line":179,"end_character":69},"in_reply_to":"89d9f0a8_7fe3fbb0","updated":"2021-02-19 14:19:15.000000000","message":"So after doing this there is no need of if and else condition as done in \nhttps://review.opendev.org/c/openstack/glance/+/764754/10/glance/policies/image.py#446","commit_id":"dc15d66e7708280201740800139e1ce26489b623"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"394f66393f384b69cce38de0edadaab2dfd8f50b","unresolved":true,"context_lines":[{"line_number":176,"context_line":""},{"line_number":177,"context_line":"Glance is introducing Secure RBAC as EXPERIMENTAL feature in Wallaby."},{"line_number":178,"context_line":"In order to enable Secure RBAC to enforce new policies operator needs"},{"line_number":179,"context_line":"to set this option to True along with setting ``enforce_new_defaults``"},{"line_number":180,"context_line":"to True under ``oslo_policy`` section in glance-api.conf file."},{"line_number":181,"context_line":"\"\"\")),"},{"line_number":182,"context_line":"    cfg.BoolOpt(\u0027allow_additional_image_properties\u0027, default\u003dTrue,"}],"source_content_type":"text/x-python","patch_set":1,"id":"50b5a536_15d70f13","line":179,"range":{"start_line":179,"start_character":47,"end_line":179,"end_character":69},"in_reply_to":"b6b3338a_76944863","updated":"2021-02-19 14:44:56.000000000","message":"Yeah, you shouldn\u0027t mutate CONF yourself at runtime. I would just log a warning if one is enabled and not the other.","commit_id":"dc15d66e7708280201740800139e1ce26489b623"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"3a396c7819ce53a7ae2c58986ec7437deb26b373","unresolved":true,"context_lines":[{"line_number":586,"context_line":"Operators should take an opportunity to understand glance\u0027s new image policies,"},{"line_number":587,"context_line":"audit assignments in their deployment, and update permissions using the default"},{"line_number":588,"context_line":"roles in keystone (e.g., `admin`, `member`, and `reader`)."},{"line_number":589,"context_line":"\"\"\")),"},{"line_number":590,"context_line":"]"},{"line_number":591,"context_line":""},{"line_number":592,"context_line":"wsgi_opts \u003d ["}],"source_content_type":"text/x-python","patch_set":5,"id":"63bf5321_20d76585","line":589,"updated":"2021-03-01 19:46:02.000000000","message":"Related options: oslo_policy/enforce_new_defaults ?","commit_id":"09dd275b1a3c27c5143bc3332fcd2dc60d32c968"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"81e24741b9d67a1e8aa2f72f360e93c52a704c63","unresolved":false,"context_lines":[{"line_number":586,"context_line":"Operators should take an opportunity to understand glance\u0027s new image policies,"},{"line_number":587,"context_line":"audit assignments in their deployment, and update permissions using the default"},{"line_number":588,"context_line":"roles in keystone (e.g., `admin`, `member`, and `reader`)."},{"line_number":589,"context_line":"\"\"\")),"},{"line_number":590,"context_line":"]"},{"line_number":591,"context_line":""},{"line_number":592,"context_line":"wsgi_opts \u003d ["}],"source_content_type":"text/x-python","patch_set":5,"id":"d1afe738_c0f59286","line":589,"in_reply_to":"63bf5321_20d76585","updated":"2021-03-01 20:02:22.000000000","message":"Done","commit_id":"09dd275b1a3c27c5143bc3332fcd2dc60d32c968"}],"glance/common/wsgi_app.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"3a396c7819ce53a7ae2c58986ec7437deb26b373","unresolved":true,"context_lines":[{"line_number":76,"context_line":"            \"[DEFAULT] enforce_secure_rbac does not match \""},{"line_number":77,"context_line":"            \"[oslo_policy] enforce_new_defaults. Please set both to \""},{"line_number":78,"context_line":"            \"True to enable secure RBAC personas. Otherwise, make sure \""},{"line_number":79,"context_line":"            \"both are disabled.\")"},{"line_number":80,"context_line":"        raise exception.ServerError(fail_message)"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"cbee297e_49d15f94","line":79,"range":{"start_line":79,"start_character":22,"end_line":79,"end_character":30},"updated":"2021-03-01 19:46:02.000000000","message":"False, for parity with your \"both to True\" before that.","commit_id":"09dd275b1a3c27c5143bc3332fcd2dc60d32c968"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"81e24741b9d67a1e8aa2f72f360e93c52a704c63","unresolved":false,"context_lines":[{"line_number":76,"context_line":"            \"[DEFAULT] enforce_secure_rbac does not match \""},{"line_number":77,"context_line":"            \"[oslo_policy] enforce_new_defaults. Please set both to \""},{"line_number":78,"context_line":"            \"True to enable secure RBAC personas. Otherwise, make sure \""},{"line_number":79,"context_line":"            \"both are disabled.\")"},{"line_number":80,"context_line":"        raise exception.ServerError(fail_message)"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"b89c139a_4fd7e569","line":79,"range":{"start_line":79,"start_character":22,"end_line":79,"end_character":30},"in_reply_to":"cbee297e_49d15f94","updated":"2021-03-01 20:02:22.000000000","message":"Done","commit_id":"09dd275b1a3c27c5143bc3332fcd2dc60d32c968"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"3a396c7819ce53a7ae2c58986ec7437deb26b373","unresolved":true,"context_lines":[{"line_number":123,"context_line":"        glance_store.verify_default_store()"},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"    _setup_os_profiler()"},{"line_number":126,"context_line":"    _validate_policy_enforcement_configuration()"},{"line_number":127,"context_line":"    return config.load_paste_app(\u0027glance-api\u0027)"}],"source_content_type":"text/x-python","patch_set":5,"id":"343b9c5a_92d02bc0","line":126,"updated":"2021-03-01 19:46:02.000000000","message":"Glance still supports standalone mode, so you also need to make sure you do this in here:\n\nhttps://github.com/openstack/glance/blob/master/glance/cmd/api.py","commit_id":"09dd275b1a3c27c5143bc3332fcd2dc60d32c968"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"81e24741b9d67a1e8aa2f72f360e93c52a704c63","unresolved":false,"context_lines":[{"line_number":123,"context_line":"        glance_store.verify_default_store()"},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"    _setup_os_profiler()"},{"line_number":126,"context_line":"    _validate_policy_enforcement_configuration()"},{"line_number":127,"context_line":"    return config.load_paste_app(\u0027glance-api\u0027)"}],"source_content_type":"text/x-python","patch_set":5,"id":"48f66af6_a493b05c","line":126,"in_reply_to":"343b9c5a_92d02bc0","updated":"2021-03-01 20:02:22.000000000","message":"Ack\n\nI was wondering what use-case invoked that code because I was modifying it and it wasn\u0027t working the way I expected.\n\nIt looks like duplication between this module and glance/cmd/api.py is OK? Or do you want me to pull the common policy enforcement bits into a sharable place?","commit_id":"09dd275b1a3c27c5143bc3332fcd2dc60d32c968"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"49a5c45cea70a9d69351378c56f74253b61a4e2e","unresolved":false,"context_lines":[{"line_number":123,"context_line":"        glance_store.verify_default_store()"},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"    _setup_os_profiler()"},{"line_number":126,"context_line":"    _validate_policy_enforcement_configuration()"},{"line_number":127,"context_line":"    return config.load_paste_app(\u0027glance-api\u0027)"}],"source_content_type":"text/x-python","patch_set":5,"id":"d76cbe6b_df534625","line":126,"in_reply_to":"48f66af6_a493b05c","updated":"2021-03-01 20:06:35.000000000","message":"Yeah, it\u0027s confusing as the rest of the projects (and devstack default) has moved on. However, some *ahem* deployments still use standalone mode, so we want to make sure not to orphan them.\n\nI think you could have imported the helper above from cmd/api.py and used it there, but it\u0027s not a huge deal to me.","commit_id":"09dd275b1a3c27c5143bc3332fcd2dc60d32c968"}],"glance/tests/unit/common/test_wsgi_app.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"3a396c7819ce53a7ae2c58986ec7437deb26b373","unresolved":true,"context_lines":[{"line_number":76,"context_line":""},{"line_number":77,"context_line":"        self.config(enforce_new_defaults\u003dFalse, group\u003d\u0027oslo_policy\u0027)"},{"line_number":78,"context_line":"        self.config(enforce_secure_rbac\u003dTrue)"},{"line_number":79,"context_line":"        self.assertRaises(exception.ServerError, wsgi_app.init_app)"}],"source_content_type":"text/x-python","patch_set":5,"id":"5e2371f6_a6157dde","line":79,"updated":"2021-03-01 19:46:02.000000000","message":"Need a True/True case here? Presumably everything else covers the False/False case.","commit_id":"09dd275b1a3c27c5143bc3332fcd2dc60d32c968"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"81e24741b9d67a1e8aa2f72f360e93c52a704c63","unresolved":false,"context_lines":[{"line_number":76,"context_line":""},{"line_number":77,"context_line":"        self.config(enforce_new_defaults\u003dFalse, group\u003d\u0027oslo_policy\u0027)"},{"line_number":78,"context_line":"        self.config(enforce_secure_rbac\u003dTrue)"},{"line_number":79,"context_line":"        self.assertRaises(exception.ServerError, wsgi_app.init_app)"}],"source_content_type":"text/x-python","patch_set":5,"id":"5fd3f884_56e76cb9","line":79,"in_reply_to":"5e2371f6_a6157dde","updated":"2021-03-01 20:02:22.000000000","message":"Done","commit_id":"09dd275b1a3c27c5143bc3332fcd2dc60d32c968"}]}