)]}'
{"glance/api/v2/metadef_objects.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f67ce6d642ef35228d13e82ba57d67b3a6f25337","unresolved":true,"context_lines":[{"line_number":105,"context_line":"                raise exception.NotFound(msg)"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"            # NOTE(abhishekk): Our default policy is open for everyone, means"},{"line_number":108,"context_line":"            # any one can see any thing, but there is visibility check at db"},{"line_number":109,"context_line":"            # layer which restricts the user if resource is not owned by him"},{"line_number":110,"context_line":"            # or it is not public. In case in if we decide to fix this"},{"line_number":111,"context_line":"            # behaviour by changing default policy then here I have made"}],"source_content_type":"text/x-python","patch_set":10,"id":"c21905c5_18b23748","line":108,"range":{"start_line":108,"start_character":14,"end_line":108,"end_character":21},"updated":"2021-08-02 15:12:42.000000000","message":"Not worth changing unless you respin, but technically this should be \"anyone\".","commit_id":"963f4da0a6d5e2c0e7071c5f16a10c8994d2d45c"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"374d95e1c6ad57f2280c80af7efd9905fb5d8aa1","unresolved":false,"context_lines":[{"line_number":105,"context_line":"                raise exception.NotFound(msg)"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"            # NOTE(abhishekk): Our default policy is open for everyone, means"},{"line_number":108,"context_line":"            # any one can see any thing, but there is visibility check at db"},{"line_number":109,"context_line":"            # layer which restricts the user if resource is not owned by him"},{"line_number":110,"context_line":"            
# or it is not public. In case in if we decide to fix this"},{"line_number":111,"context_line":"            # behaviour by changing default policy then here I have made"}],"source_content_type":"text/x-python","patch_set":10,"id":"4025379c_89b8f1bc","line":108,"range":{"start_line":108,"start_character":14,"end_line":108,"end_character":21},"in_reply_to":"c21905c5_18b23748","updated":"2021-08-02 16:56:22.000000000","message":"Ack","commit_id":"963f4da0a6d5e2c0e7071c5f16a10c8994d2d45c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f67ce6d642ef35228d13e82ba57d67b3a6f25337","unresolved":true,"context_lines":[{"line_number":107,"context_line":"            # NOTE(abhishekk): Our default policy is open for everyone, means"},{"line_number":108,"context_line":"            # any one can see any thing, but there is visibility check at db"},{"line_number":109,"context_line":"            # layer which restricts the user if resource is not owned by him"},{"line_number":110,"context_line":"            # or it is not public. 
In case in if we decide to fix this"},{"line_number":111,"context_line":"            # behaviour by changing default policy then here I have made"},{"line_number":112,"context_line":"            # provision to simplify the enforcement by passing the resource"},{"line_number":113,"context_line":"            # to enforce all."}],"source_content_type":"text/x-python","patch_set":10,"id":"b1cf8b15_4a86d331","line":110,"range":{"start_line":110,"start_character":43,"end_line":110,"end_character":45},"updated":"2021-08-02 15:12:42.000000000","message":"duplicate \"in\" should be removed.","commit_id":"963f4da0a6d5e2c0e7071c5f16a10c8994d2d45c"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"374d95e1c6ad57f2280c80af7efd9905fb5d8aa1","unresolved":false,"context_lines":[{"line_number":107,"context_line":"            # NOTE(abhishekk): Our default policy is open for everyone, means"},{"line_number":108,"context_line":"            # any one can see any thing, but there is visibility check at db"},{"line_number":109,"context_line":"            # layer which restricts the user if resource is not owned by him"},{"line_number":110,"context_line":"            # or it is not public. 
In case in if we decide to fix this"},{"line_number":111,"context_line":"            # behaviour by changing default policy then here I have made"},{"line_number":112,"context_line":"            # provision to simplify the enforcement by passing the resource"},{"line_number":113,"context_line":"            # to enforce all."}],"source_content_type":"text/x-python","patch_set":10,"id":"412bc688_d0961324","line":110,"range":{"start_line":110,"start_character":43,"end_line":110,"end_character":45},"in_reply_to":"b1cf8b15_4a86d331","updated":"2021-08-02 16:56:22.000000000","message":"Ack","commit_id":"963f4da0a6d5e2c0e7071c5f16a10c8994d2d45c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f67ce6d642ef35228d13e82ba57d67b3a6f25337","unresolved":true,"context_lines":[{"line_number":117,"context_line":"                enforcer\u003dself.policy).get_metadef_objects()"},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"            filters \u003d filters or dict()"},{"line_number":120,"context_line":"            filters[\u0027namespace\u0027] \u003d namespace_obj.namespace"},{"line_number":121,"context_line":"            object_repo \u003d self.gateway.get_metadef_object_repo("},{"line_number":122,"context_line":"                req.context, authorization_layer\u003dFalse)"},{"line_number":123,"context_line":"            db_metaobject_list \u003d object_repo.list("}],"source_content_type":"text/x-python","patch_set":10,"id":"33dff338_138998b3","line":120,"range":{"start_line":120,"start_character":35,"end_line":120,"end_character":58},"updated":"2021-08-02 15:12:42.000000000","message":"Why change this? 
I mean, I\u0027m sure it\u0027s fine, but is there a reason?","commit_id":"963f4da0a6d5e2c0e7071c5f16a10c8994d2d45c"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"374d95e1c6ad57f2280c80af7efd9905fb5d8aa1","unresolved":false,"context_lines":[{"line_number":117,"context_line":"                enforcer\u003dself.policy).get_metadef_objects()"},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"            filters \u003d filters or dict()"},{"line_number":120,"context_line":"            filters[\u0027namespace\u0027] \u003d namespace_obj.namespace"},{"line_number":121,"context_line":"            object_repo \u003d self.gateway.get_metadef_object_repo("},{"line_number":122,"context_line":"                req.context, authorization_layer\u003dFalse)"},{"line_number":123,"context_line":"            db_metaobject_list \u003d object_repo.list("}],"source_content_type":"text/x-python","patch_set":10,"id":"254f2e09_9c079fed","line":120,"range":{"start_line":120,"start_character":35,"end_line":120,"end_character":58},"in_reply_to":"33dff338_138998b3","updated":"2021-08-02 16:56:22.000000000","message":"Ack","commit_id":"963f4da0a6d5e2c0e7071c5f16a10c8994d2d45c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f67ce6d642ef35228d13e82ba57d67b3a6f25337","unresolved":true,"context_lines":[{"line_number":126,"context_line":"            object_list \u003d [MetadefObject.to_wsme_model("},{"line_number":127,"context_line":"                db_metaobject,"},{"line_number":128,"context_line":"                get_object_href(namespace, db_metaobject),"},{"line_number":129,"context_line":"                self.obj_schema_link) for db_metaobject in db_metaobject_list]"},{"line_number":130,"context_line":"            metadef_objects \u003d MetadefObjects()"},{"line_number":131,"context_line":"            
metadef_objects.objects \u003d object_list"},{"line_number":132,"context_line":"        except exception.Forbidden as e:"}],"source_content_type":"text/x-python","patch_set":10,"id":"ea7bfdd6_ebbb6fa1","line":129,"updated":"2021-08-02 15:12:42.000000000","message":"Shouldn\u0027t you be checking get_metadef_object() on these, per L167 below?","commit_id":"963f4da0a6d5e2c0e7071c5f16a10c8994d2d45c"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"374d95e1c6ad57f2280c80af7efd9905fb5d8aa1","unresolved":true,"context_lines":[{"line_number":126,"context_line":"            object_list \u003d [MetadefObject.to_wsme_model("},{"line_number":127,"context_line":"                db_metaobject,"},{"line_number":128,"context_line":"                get_object_href(namespace, db_metaobject),"},{"line_number":129,"context_line":"                self.obj_schema_link) for db_metaobject in db_metaobject_list]"},{"line_number":130,"context_line":"            metadef_objects \u003d MetadefObjects()"},{"line_number":131,"context_line":"            metadef_objects.objects \u003d object_list"},{"line_number":132,"context_line":"        except exception.Forbidden as e:"}],"source_content_type":"text/x-python","patch_set":10,"id":"7138da8a_4a425ea8","line":129,"in_reply_to":"ea7bfdd6_ebbb6fa1","updated":"2021-08-02 16:56:22.000000000","message":"Will do it, my initial assumption is our db already giving us valid/expected response then why should we enforce the rule here again. 
But I see your reason and will implement it in next patch.","commit_id":"963f4da0a6d5e2c0e7071c5f16a10c8994d2d45c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f67ce6d642ef35228d13e82ba57d67b3a6f25337","unresolved":true,"context_lines":[{"line_number":167,"context_line":"            api_policy.MetadefAPIPolicy("},{"line_number":168,"context_line":"                req.context,"},{"line_number":169,"context_line":"                md_resource\u003dnamespace_obj,"},{"line_number":170,"context_line":"                enforcer\u003dself.policy).get_metadef_object()"},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"            metadef_object \u003d meta_object_repo.get(namespace_obj.namespace,"},{"line_number":173,"context_line":"                                                  object_name)"}],"source_content_type":"text/x-python","patch_set":10,"id":"5c39a072_93fb42e9","line":170,"updated":"2021-08-02 15:12:42.000000000","message":"Hmm, maybe I\u0027m missing something there, but you\u0027re passing namespace in as the md_resource (i.e. the target). Is the namespace the gatekeeper object? Meaning, if you can see the namespace, you can see the metadef_objects inside? If so, I guess that explains the reason you\u0027re not checking each object, per my comment on L129? But, if we have a separate policy element, seems like we still should. Meaning, what if an operator grants access to the namespace, but restricts get_metadef_object in some way. This show will not work, but the object will still be in the index result from above right?\n\nFurther, it seems like get_metadef_object implies that the target is the metadef_object itself and not the namespace. 
So someone writing a rule would probably expect properties of the metadef_object to be accessible in the check, but they won\u0027t be because you\u0027re checking that rule against namespace.","commit_id":"963f4da0a6d5e2c0e7071c5f16a10c8994d2d45c"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"374d95e1c6ad57f2280c80af7efd9905fb5d8aa1","unresolved":true,"context_lines":[{"line_number":167,"context_line":"            api_policy.MetadefAPIPolicy("},{"line_number":168,"context_line":"                req.context,"},{"line_number":169,"context_line":"                md_resource\u003dnamespace_obj,"},{"line_number":170,"context_line":"                enforcer\u003dself.policy).get_metadef_object()"},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"            metadef_object \u003d meta_object_repo.get(namespace_obj.namespace,"},{"line_number":173,"context_line":"                                                  object_name)"}],"source_content_type":"text/x-python","patch_set":10,"id":"bd65af74_fed3b6f6","line":170,"in_reply_to":"5c39a072_93fb42e9","updated":"2021-08-02 16:56:22.000000000","message":"If you look at the read-only checks at the auth and db layers, you will see that everything in metadef (other than the namespace) is associated with the namespace and its visibility check.","commit_id":"963f4da0a6d5e2c0e7071c5f16a10c8994d2d45c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f67ce6d642ef35228d13e82ba57d67b3a6f25337","unresolved":true,"context_lines":[{"line_number":194,"context_line":"            # future."},{"line_number":195,"context_line":"            api_policy.MetadefAPIPolicy("},{"line_number":196,"context_line":"                req.context,"},{"line_number":197,"context_line":"                
enforcer\u003dself.policy).modify_metadef_object()"},{"line_number":198,"context_line":""},{"line_number":199,"context_line":"            metadef_object \u003d meta_repo.get(namespace, object_name)"},{"line_number":200,"context_line":"            metadef_object._old_name \u003d metadef_object.name"}],"source_content_type":"text/x-python","patch_set":10,"id":"ddf972dd_59a3e400","line":197,"updated":"2021-08-02 15:12:42.000000000","message":"Shouldn\u0027t this be passing the object into the check as the target? Otherwise this is just a global \"can this user update any and all objects?\" check right?","commit_id":"963f4da0a6d5e2c0e7071c5f16a10c8994d2d45c"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"374d95e1c6ad57f2280c80af7efd9905fb5d8aa1","unresolved":true,"context_lines":[{"line_number":194,"context_line":"            # future."},{"line_number":195,"context_line":"            api_policy.MetadefAPIPolicy("},{"line_number":196,"context_line":"                req.context,"},{"line_number":197,"context_line":"                enforcer\u003dself.policy).modify_metadef_object()"},{"line_number":198,"context_line":""},{"line_number":199,"context_line":"            metadef_object \u003d meta_repo.get(namespace, object_name)"},{"line_number":200,"context_line":"            metadef_object._old_name \u003d metadef_object.name"}],"source_content_type":"text/x-python","patch_set":10,"id":"67194837_eead3ceb","line":197,"in_reply_to":"ddf972dd_59a3e400","updated":"2021-08-02 16:56:22.000000000","message":"This API is admin-only, so it does not make sense to pass the object and build a target that will never be evaluated in policy enforcement.","commit_id":"963f4da0a6d5e2c0e7071c5f16a10c8994d2d45c"},{"author":{"_account_id":4393,"name":"Dan 
Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f67ce6d642ef35228d13e82ba57d67b3a6f25337","unresolved":true,"context_lines":[{"line_number":236,"context_line":"            # future."},{"line_number":237,"context_line":"            api_policy.MetadefAPIPolicy("},{"line_number":238,"context_line":"                req.context,"},{"line_number":239,"context_line":"                enforcer\u003dself.policy).delete_metadef_object()"},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"            metadef_object \u003d meta_repo.get(namespace, object_name)"},{"line_number":242,"context_line":"            metadef_object.delete()"}],"source_content_type":"text/x-python","patch_set":10,"id":"34835a05_72c6861b","line":239,"updated":"2021-08-02 15:12:42.000000000","message":"Same.","commit_id":"963f4da0a6d5e2c0e7071c5f16a10c8994d2d45c"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"374d95e1c6ad57f2280c80af7efd9905fb5d8aa1","unresolved":true,"context_lines":[{"line_number":236,"context_line":"            # future."},{"line_number":237,"context_line":"            api_policy.MetadefAPIPolicy("},{"line_number":238,"context_line":"                req.context,"},{"line_number":239,"context_line":"                enforcer\u003dself.policy).delete_metadef_object()"},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"            metadef_object \u003d meta_repo.get(namespace, object_name)"},{"line_number":242,"context_line":"            metadef_object.delete()"}],"source_content_type":"text/x-python","patch_set":10,"id":"8db8c9f6_69999523","line":239,"in_reply_to":"34835a05_72c6861b","updated":"2021-08-02 16:56:22.000000000","message":"ditto","commit_id":"963f4da0a6d5e2c0e7071c5f16a10c8994d2d45c"},{"author":{"_account_id":4393,"name":"Dan 
Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"689647bd03b05331d547238412d487ae4a162d6e","unresolved":true,"context_lines":[{"line_number":117,"context_line":"                if api_policy.MetadefAPIPolicy("},{"line_number":118,"context_line":"                        req.context, md_resource\u003dobj.namespace,"},{"line_number":119,"context_line":"                        enforcer\u003dself.policy).check(\u0027get_metadef_namespace\u0027):"},{"line_number":120,"context_line":"                    obj_list.append(obj)"},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"            object_list \u003d [MetadefObject.to_wsme_model("},{"line_number":123,"context_line":"                db_metaobject,"}],"source_content_type":"text/x-python","patch_set":11,"id":"6529246c_c06616e4","line":120,"updated":"2021-08-03 13:51:27.000000000","message":"Not that it matters much, but if you were to put this if in the listcomp below it\u0027ll avoid double iteration, like I did in the image patches. 
It definitely makes it denser and a little harder to read, but, it\u0027s good for performance :)","commit_id":"10d2409877e964e3e9d554f11350261cbf27ea43"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"b035f75072cf182ff69bfeda570ba764e1e0f3d9","unresolved":false,"context_lines":[{"line_number":117,"context_line":"                if api_policy.MetadefAPIPolicy("},{"line_number":118,"context_line":"                        req.context, md_resource\u003dobj.namespace,"},{"line_number":119,"context_line":"                        enforcer\u003dself.policy).check(\u0027get_metadef_namespace\u0027):"},{"line_number":120,"context_line":"                    obj_list.append(obj)"},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"            object_list \u003d [MetadefObject.to_wsme_model("},{"line_number":123,"context_line":"                db_metaobject,"}],"source_content_type":"text/x-python","patch_set":11,"id":"2bb9da73_106caadc","line":120,"in_reply_to":"6529246c_c06616e4","updated":"2021-08-03 14:52:17.000000000","message":"Ack","commit_id":"10d2409877e964e3e9d554f11350261cbf27ea43"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"689647bd03b05331d547238412d487ae4a162d6e","unresolved":true,"context_lines":[{"line_number":147,"context_line":"                msg \u003d _(\"Namespace %s not found\") % namespace"},{"line_number":148,"context_line":"                raise exception.NotFound(msg)"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"            # NOTE(abhishekk): Metadef objects are assoiciated with"},{"line_number":151,"context_line":"            # namespace, so passing namespace here for visibility check"},{"line_number":152,"context_line":"            api_policy.MetadefAPIPolicy("},{"line_number":153,"context_line":"                
req.context,"}],"source_content_type":"text/x-python","patch_set":11,"id":"bbbe0504_2ab1c28a","line":150,"range":{"start_line":150,"start_character":51,"end_line":150,"end_character":62},"updated":"2021-08-03 13:51:27.000000000","message":"associated","commit_id":"10d2409877e964e3e9d554f11350261cbf27ea43"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"b035f75072cf182ff69bfeda570ba764e1e0f3d9","unresolved":false,"context_lines":[{"line_number":147,"context_line":"                msg \u003d _(\"Namespace %s not found\") % namespace"},{"line_number":148,"context_line":"                raise exception.NotFound(msg)"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"            # NOTE(abhishekk): Metadef objects are assoiciated with"},{"line_number":151,"context_line":"            # namespace, so passing namespace here for visibility check"},{"line_number":152,"context_line":"            api_policy.MetadefAPIPolicy("},{"line_number":153,"context_line":"                req.context,"}],"source_content_type":"text/x-python","patch_set":11,"id":"a50a2c31_88c9e2ac","line":150,"range":{"start_line":150,"start_character":51,"end_line":150,"end_character":62},"in_reply_to":"bbbe0504_2ab1c28a","updated":"2021-08-03 14:52:17.000000000","message":"Done","commit_id":"10d2409877e964e3e9d554f11350261cbf27ea43"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"e1f99492b9df1e93729f276af02b6320029be9f3","unresolved":true,"context_lines":[{"line_number":172,"context_line":"            req.context, authorization_layer\u003dFalse)"},{"line_number":173,"context_line":"        try:"},{"line_number":174,"context_line":"            metadef_object \u003d meta_repo.get(namespace, object_name)"},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"            # NOTE(abhishekk): Metadef object is 
created for Metadef namespaces"},{"line_number":177,"context_line":"            # Here we are just checking if user is authorized to modify metadef"},{"line_number":178,"context_line":"            # object or not."}],"source_content_type":"text/x-python","patch_set":15,"id":"90360b95_1c508047","line":175,"updated":"2021-08-10 16:10:18.000000000","message":"Don\u0027t we want the same ns_repo.get() check here before we check the modify, in case we need to raise 404?","commit_id":"1c9341b55d7e8a47066cd6bafe6bb385a292b08a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"32bbf05aed6b4ff2aaeaeca4c30db5b9e6cf40f3","unresolved":true,"context_lines":[{"line_number":172,"context_line":"            req.context, authorization_layer\u003dFalse)"},{"line_number":173,"context_line":"        try:"},{"line_number":174,"context_line":"            metadef_object \u003d meta_repo.get(namespace, object_name)"},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"            # NOTE(abhishekk): Metadef object is created for Metadef namespaces"},{"line_number":177,"context_line":"            # Here we are just checking if user is authorized to modify metadef"},{"line_number":178,"context_line":"            # object or not."}],"source_content_type":"text/x-python","patch_set":15,"id":"b6702f3e_759458af","line":175,"in_reply_to":"90360b95_1c508047","updated":"2021-08-10 16:50:20.000000000","message":"This is admin only API so I think all namespaces (public/private) will be visible to admin.","commit_id":"1c9341b55d7e8a47066cd6bafe6bb385a292b08a"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ac73a6eb93d0777b147910e644dc173ba92954aa","unresolved":true,"context_lines":[{"line_number":172,"context_line":"            req.context, authorization_layer\u003dFalse)"},{"line_number":173,"context_line":"        
try:"},{"line_number":174,"context_line":"            metadef_object \u003d meta_repo.get(namespace, object_name)"},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"            # NOTE(abhishekk): Metadef object is created for Metadef namespaces"},{"line_number":177,"context_line":"            # Here we are just checking if user is authorized to modify metadef"},{"line_number":178,"context_line":"            # object or not."}],"source_content_type":"text/x-python","patch_set":15,"id":"cea658c2_e9bff5f0","line":175,"in_reply_to":"b6702f3e_759458af","updated":"2021-08-10 17:10:55.000000000","message":"Okay, it\u0027s just that you\u0027re offering the user a knob to make these non-admin-only, and if they have a generated policy from last cycle in their deployment, they will not have your new default. So it just seems like _if_ we\u0027re going to go and make these all almost-right, I\u0027m not sure why we\u0027re not making them entirely-right, or at least marking the inner policies as deprecated for removal.","commit_id":"1c9341b55d7e8a47066cd6bafe6bb385a292b08a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"a0acd0ce37b19b6ed5bdad4c1c3dd9459cdb8ad4","unresolved":true,"context_lines":[{"line_number":172,"context_line":"            req.context, authorization_layer\u003dFalse)"},{"line_number":173,"context_line":"        try:"},{"line_number":174,"context_line":"            metadef_object \u003d meta_repo.get(namespace, object_name)"},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"            # NOTE(abhishekk): Metadef object is created for Metadef namespaces"},{"line_number":177,"context_line":"            # Here we are just checking if user is authorized to modify metadef"},{"line_number":178,"context_line":"            # object or 
not."}],"source_content_type":"text/x-python","patch_set":15,"id":"fec7621a_27e79b5c","line":175,"in_reply_to":"cea658c2_e9bff5f0","updated":"2021-08-10 17:26:25.000000000","message":"Ack, I think it will not harm to do that.\nWill make those changes in all patches.","commit_id":"1c9341b55d7e8a47066cd6bafe6bb385a292b08a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"340d1d7c7bdb79b9b6ebc2473c062dd3262599f6","unresolved":false,"context_lines":[{"line_number":172,"context_line":"            req.context, authorization_layer\u003dFalse)"},{"line_number":173,"context_line":"        try:"},{"line_number":174,"context_line":"            metadef_object \u003d meta_repo.get(namespace, object_name)"},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"            # NOTE(abhishekk): Metadef object is created for Metadef namespaces"},{"line_number":177,"context_line":"            # Here we are just checking if user is authorized to modify metadef"},{"line_number":178,"context_line":"            # object or not."}],"source_content_type":"text/x-python","patch_set":15,"id":"b462e6cb_3edd7966","line":175,"in_reply_to":"fec7621a_27e79b5c","updated":"2021-08-10 19:19:47.000000000","message":"Done","commit_id":"1c9341b55d7e8a47066cd6bafe6bb385a292b08a"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"e1f99492b9df1e93729f276af02b6320029be9f3","unresolved":true,"context_lines":[{"line_number":212,"context_line":"            req.context, authorization_layer\u003dFalse)"},{"line_number":213,"context_line":"        try:"},{"line_number":214,"context_line":"            metadef_object \u003d meta_repo.get(namespace, object_name)"},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"            # NOTE(abhishekk): Metadef object is created for Metadef 
namespaces"},{"line_number":217,"context_line":"            # Here we are just checking if user is authorized to delete metadef"},{"line_number":218,"context_line":"            # object or not."}],"source_content_type":"text/x-python","patch_set":15,"id":"aad02052_f4be27f2","line":215,"updated":"2021-08-10 16:10:18.000000000","message":"Here too.","commit_id":"1c9341b55d7e8a47066cd6bafe6bb385a292b08a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"340d1d7c7bdb79b9b6ebc2473c062dd3262599f6","unresolved":false,"context_lines":[{"line_number":212,"context_line":"            req.context, authorization_layer\u003dFalse)"},{"line_number":213,"context_line":"        try:"},{"line_number":214,"context_line":"            metadef_object \u003d meta_repo.get(namespace, object_name)"},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"            # NOTE(abhishekk): Metadef object is created for Metadef namespaces"},{"line_number":217,"context_line":"            # Here we are just checking if user is authorized to delete metadef"},{"line_number":218,"context_line":"            # object or not."}],"source_content_type":"text/x-python","patch_set":15,"id":"adb64617_1d31a40d","line":215,"in_reply_to":"47b6f0bf_a413c843","updated":"2021-08-10 19:19:47.000000000","message":"Done","commit_id":"1c9341b55d7e8a47066cd6bafe6bb385a292b08a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"32bbf05aed6b4ff2aaeaeca4c30db5b9e6cf40f3","unresolved":true,"context_lines":[{"line_number":212,"context_line":"            req.context, authorization_layer\u003dFalse)"},{"line_number":213,"context_line":"        try:"},{"line_number":214,"context_line":"            metadef_object \u003d meta_repo.get(namespace, object_name)"},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"            # 
NOTE(abhishekk): Metadef object is created for Metadef namespaces"},{"line_number":217,"context_line":"            # Here we are just checking if user is authorized to delete metadef"},{"line_number":218,"context_line":"            # object or not."}],"source_content_type":"text/x-python","patch_set":15,"id":"47b6f0bf_a413c843","line":215,"in_reply_to":"aad02052_f4be27f2","updated":"2021-08-10 16:50:20.000000000","message":"ditto","commit_id":"1c9341b55d7e8a47066cd6bafe6bb385a292b08a"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"4c54c16e7e714a01c9c8fdecb62316d171caaaf7","unresolved":true,"context_lines":[{"line_number":64,"context_line":"                # NOTE (abhishekk): Returning 404 Not Found as the"},{"line_number":65,"context_line":"                # namespace is outside of this user\u0027s project"},{"line_number":66,"context_line":"                msg \u003d _(\"Namespace %s not found\") % namespace"},{"line_number":67,"context_line":"                raise exception.NotFound(msg)"},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"            # NOTE(abhishekk): Metadef object is created for Metadef namespaces"},{"line_number":70,"context_line":"            # Here we are just checking if user is authorized to create metadef"}],"source_content_type":"text/x-python","patch_set":17,"id":"e6ad95ac_bf41409a","line":67,"updated":"2021-08-11 14:13:39.000000000","message":"We\u0027re missing a test for this path where we fail to get the namespace and raise NotFound directly.","commit_id":"f8dbf57762b7e8d31ef1341dbaf0351f39333051"}],"glance/tests/functional/v2/test_metadef_object_api_policy.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"689647bd03b05331d547238412d487ae4a162d6e","unresolved":true,"context_lines":[{"line_number":109,"context_line":"        # attempts 
fail"},{"line_number":110,"context_line":"        self.set_policy_rules({\u0027get_metadef_objects\u0027: \u0027!\u0027})"},{"line_number":111,"context_line":"        resp \u003d self.api_get(path)"},{"line_number":112,"context_line":"        self.assertEqual(403, resp.status_code)"},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"    def test_object_get_basic(self):"},{"line_number":115,"context_line":"        self.start_server()"}],"source_content_type":"text/x-python","patch_set":11,"id":"99e2f5a0_b7ea90fd","line":112,"updated":"2021-08-03 13:51:27.000000000","message":"You need a case here where get_metadef_objects is allowed, but get_metadef_object fails. Ideally just for one of them so you know it\u0027s filtering properly.","commit_id":"10d2409877e964e3e9d554f11350261cbf27ea43"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"b035f75072cf182ff69bfeda570ba764e1e0f3d9","unresolved":false,"context_lines":[{"line_number":109,"context_line":"        # attempts fail"},{"line_number":110,"context_line":"        self.set_policy_rules({\u0027get_metadef_objects\u0027: \u0027!\u0027})"},{"line_number":111,"context_line":"        resp \u003d self.api_get(path)"},{"line_number":112,"context_line":"        self.assertEqual(403, resp.status_code)"},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"    def test_object_get_basic(self):"},{"line_number":115,"context_line":"        self.start_server()"}],"source_content_type":"text/x-python","patch_set":11,"id":"6c829342_df0a8b49","line":112,"in_reply_to":"99e2f5a0_b7ea90fd","updated":"2021-08-03 14:52:17.000000000","message":"Ack","commit_id":"10d2409877e964e3e9d554f11350261cbf27ea43"},{"author":{"_account_id":4393,"name":"Dan 
Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"4c54c16e7e714a01c9c8fdecb62316d171caaaf7","unresolved":true,"context_lines":[{"line_number":210,"context_line":"        # 404 Not Found"},{"line_number":211,"context_line":"        self.set_policy_rules({"},{"line_number":212,"context_line":"            \u0027modify_metadef_object\u0027: \u0027!\u0027,"},{"line_number":213,"context_line":"            \u0027get_metadef_namespace\u0027: \u0027!\u0027"},{"line_number":214,"context_line":"        })"},{"line_number":215,"context_line":"        resp \u003d self.api_put(path, json\u003ddata)"},{"line_number":216,"context_line":"        self.assertEqual(404, resp.status_code)"}],"source_content_type":"text/x-python","patch_set":17,"id":"c3f8e266_0f87f33c","line":213,"updated":"2021-08-11 14:13:39.000000000","message":"Note to other reviewers, this causes our \"check get if modify fails\" logic to return 404 as we expect, but not related to the latest rev that checks the namespace get operation first.","commit_id":"f8dbf57762b7e8d31ef1341dbaf0351f39333051"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"d08ceeb3df08fc220d5a0ec65b99f485761e073e","unresolved":true,"context_lines":[{"line_number":79,"context_line":"            mock_enf.return_value \u003d self.policy"},{"line_number":80,"context_line":"            super(TestMetadefObjectsPolicy, self).start_server()"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"    def _verify_forbidden_converted_to_not_found(self, path, method,"},{"line_number":83,"context_line":"                                                 json\u003dNone):"},{"line_number":84,"context_line":"        # Note for other reviewers, these tests runs by default using"},{"line_number":85,"context_line":"        # admin role, to test this scenario we need private 
namespace"}],"source_content_type":"text/x-python","patch_set":18,"id":"8474245e_ee004d90","line":82,"updated":"2021-08-11 16:12:32.000000000","message":"Confirmed this tickles that other code path, thanks!","commit_id":"da02c0c4909b685e8bb95c41aec3bcf58e5b713b"}],"glance/tests/unit/v2/test_metadef_resources.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3ca382d06687a622bef9ef828268184b39dca8e7","unresolved":true,"context_lines":[{"line_number":1393,"context_line":""},{"line_number":1394,"context_line":"    def test_object_delete_non_visible(self):"},{"line_number":1395,"context_line":"        request \u003d unit_test_utils.get_fake_request(tenant\u003dTENANT2)"},{"line_number":1396,"context_line":"        self.assertRaises(webob.exc.HTTPForbidden,"},{"line_number":1397,"context_line":"                          self.object_controller.delete, request, NAMESPACE1,"},{"line_number":1398,"context_line":"                          OBJECT1)"},{"line_number":1399,"context_line":"        self.assertNotificationsLog([])"}],"source_content_type":"text/x-python","patch_set":13,"id":"a38e1c93_869f2c8f","line":1396,"updated":"2021-08-04 19:19:54.000000000","message":"Should this return 404 if the user isn\u0027t authorized to see the object (assuming the policy check fails since we\u0027re not passing roles\u003d[\u0027admin\u0027] into the fake request context middleware)?","commit_id":"52ade2af84e02085e607342b38fe8ffce38aab96"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"83501bcabb2f7d08d981f3375b1801f22a5c6774","unresolved":true,"context_lines":[{"line_number":1393,"context_line":""},{"line_number":1394,"context_line":"    def test_object_delete_non_visible(self):"},{"line_number":1395,"context_line":"        request \u003d 
unit_test_utils.get_fake_request(tenant\u003dTENANT2)"},{"line_number":1396,"context_line":"        self.assertRaises(webob.exc.HTTPForbidden,"},{"line_number":1397,"context_line":"                          self.object_controller.delete, request, NAMESPACE1,"},{"line_number":1398,"context_line":"                          OBJECT1)"},{"line_number":1399,"context_line":"        self.assertNotificationsLog([])"}],"source_content_type":"text/x-python","patch_set":13,"id":"92b84d62_c6409708","line":1396,"in_reply_to":"566a1840_b09b46e3","updated":"2021-08-04 20:05:32.000000000","message":"Oh - so this will go back to asserting a 404 in a subsequent patch?","commit_id":"52ade2af84e02085e607342b38fe8ffce38aab96"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"a85aa469d15c674490cb405f84a5b817eb6cead2","unresolved":true,"context_lines":[{"line_number":1393,"context_line":""},{"line_number":1394,"context_line":"    def test_object_delete_non_visible(self):"},{"line_number":1395,"context_line":"        request \u003d unit_test_utils.get_fake_request(tenant\u003dTENANT2)"},{"line_number":1396,"context_line":"        self.assertRaises(webob.exc.HTTPForbidden,"},{"line_number":1397,"context_line":"                          self.object_controller.delete, request, NAMESPACE1,"},{"line_number":1398,"context_line":"                          OBJECT1)"},{"line_number":1399,"context_line":"        self.assertNotificationsLog([])"}],"source_content_type":"text/x-python","patch_set":13,"id":"1f187ac7_fa60fdef","line":1396,"in_reply_to":"92b84d62_c6409708","updated":"2021-08-04 20:34:53.000000000","message":"Will fix it in next PS.","commit_id":"52ade2af84e02085e607342b38fe8ffce38aab96"},{"author":{"_account_id":9303,"name":"Abhishek 
Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"c125058357afa77cbbdc619828af06922eb7ee93","unresolved":true,"context_lines":[{"line_number":1393,"context_line":""},{"line_number":1394,"context_line":"    def test_object_delete_non_visible(self):"},{"line_number":1395,"context_line":"        request \u003d unit_test_utils.get_fake_request(tenant\u003dTENANT2)"},{"line_number":1396,"context_line":"        self.assertRaises(webob.exc.HTTPForbidden,"},{"line_number":1397,"context_line":"                          self.object_controller.delete, request, NAMESPACE1,"},{"line_number":1398,"context_line":"                          OBJECT1)"},{"line_number":1399,"context_line":"        self.assertNotificationsLog([])"}],"source_content_type":"text/x-python","patch_set":13,"id":"566a1840_b09b46e3","line":1396,"in_reply_to":"a38e1c93_869f2c8f","updated":"2021-08-04 19:40:04.000000000","message":"Earlier this returned 404 because the namespace was not visible to the user, i.e. the get call for the namespace during delete raised the 404 error. Now that the delete policy enforcement runs before the get namespace call, it raises Forbidden instead. To retain the earlier behavior I need to move the delete enforcement check after getting the namespace from the database.","commit_id":"52ade2af84e02085e607342b38fe8ffce38aab96"}]}
