)]}'
{"glance/api/v2/image_members.py":[{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"0d0f8b1b05ef7d4b30482c77e64dd31184e51d91","unresolved":true,"context_lines":[{"line_number":83,"context_line":"            raise exception.Forbidden(message)"},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"        # NOTE(abhishekk): Ownership check only needs to performed while"},{"line_number":86,"context_line":"        # adding new members to image"},{"line_number":87,"context_line":"        owner \u003d image.owner"},{"line_number":88,"context_line":"        if not CONF.enforce_secure_rbac and not context.is_admin:"},{"line_number":89,"context_line":"            if ownership_check \u003d\u003d \u0027create\u0027:"}],"source_content_type":"text/x-python","patch_set":2,"id":"b2dc46a1_70d54e7d","line":86,"range":{"start_line":86,"start_character":10,"end_line":86,"end_character":37},"updated":"2021-08-06 16:51:35.000000000","message":"need to change this comment.","commit_id":"3a40678e173581a6f79d211fc43382cd6667b2ef"},{"author":{"_account_id":8122,"name":"Cyril Roelandt","email":"cyril@redhat.com","username":"cyril.roelandt.enovance"},"change_message_id":"6dee40a1690242958decfabd9c4721edf5ea4921","unresolved":true,"context_lines":[{"line_number":92,"context_line":"                                \"members for the image.\")"},{"line_number":93,"context_line":"                    raise exception.Forbidden(message)"},{"line_number":94,"context_line":"            elif ownership_check \u003d\u003d \u0027update\u0027:"},{"line_number":95,"context_line":"                if context.owner \u003d\u003d owner:"},{"line_number":96,"context_line":"                    message \u003d _(\"You are not permitted to modify \u0027status\u0027 \""},{"line_number":97,"context_line":"                                \"on this image member.\")"},{"line_number":98,"context_line":"                    raise exception.Forbidden(message)"}],"source_content_type":"text/x-python","patch_set":6,"id":"2167c179_71421842","line":95,"range":{"start_line":95,"start_character":36,"end_line":95,"end_character":41},"updated":"2021-08-10 01:51:59.000000000","message":"Shouldn\u0027t this be \"!\u003d\"?","commit_id":"0fa6bb9c192e2d98ebcb06e3cbb95f1378fa9ebd"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"58f078a1ce39f1d7dcf051a55cec5a9209b21b72","unresolved":true,"context_lines":[{"line_number":92,"context_line":"                                \"members for the image.\")"},{"line_number":93,"context_line":"                    raise exception.Forbidden(message)"},{"line_number":94,"context_line":"            elif ownership_check \u003d\u003d \u0027update\u0027:"},{"line_number":95,"context_line":"                if context.owner \u003d\u003d owner:"},{"line_number":96,"context_line":"                    message \u003d _(\"You are not permitted to modify \u0027status\u0027 \""},{"line_number":97,"context_line":"                                \"on this image member.\")"},{"line_number":98,"context_line":"                    raise exception.Forbidden(message)"}],"source_content_type":"text/x-python","patch_set":6,"id":"ec88f9d5_ffc00303","line":95,"range":{"start_line":95,"start_character":36,"end_line":95,"end_character":41},"in_reply_to":"2167c179_71421842","updated":"2021-08-10 05:35:21.000000000","message":"This is correct. Image owner is not allowed to accept the image shared with another project.","commit_id":"0fa6bb9c192e2d98ebcb06e3cbb95f1378fa9ebd"},{"author":{"_account_id":8122,"name":"Cyril Roelandt","email":"cyril@redhat.com","username":"cyril.roelandt.enovance"},"change_message_id":"6dee40a1690242958decfabd9c4721edf5ea4921","unresolved":true,"context_lines":[{"line_number":99,"context_line":"            elif ownership_check \u003d\u003d \u0027delete\u0027:"},{"line_number":100,"context_line":"                if context.owner !\u003d owner:"},{"line_number":101,"context_line":"                    message \u003d _(\"You are not permitted to modify \u0027status\u0027 \""},{"line_number":102,"context_line":"                                \"on this image member.\")"},{"line_number":103,"context_line":"                    raise exception.Forbidden(message)"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"    def _lookup_member(self, req, image, member_id, member_repo\u003dNone):"}],"source_content_type":"text/x-python","patch_set":6,"id":"8fbbc41e_2f92bfb7","line":102,"range":{"start_line":102,"start_character":33,"end_line":102,"end_character":35},"updated":"2021-08-10 01:51:59.000000000","message":"Shouldn\u0027t this read \"delete\"? I think it\u0027s a copy/paste from the previous message.","commit_id":"0fa6bb9c192e2d98ebcb06e3cbb95f1378fa9ebd"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"58f078a1ce39f1d7dcf051a55cec5a9209b21b72","unresolved":true,"context_lines":[{"line_number":99,"context_line":"            elif ownership_check \u003d\u003d \u0027delete\u0027:"},{"line_number":100,"context_line":"                if context.owner !\u003d owner:"},{"line_number":101,"context_line":"                    message \u003d _(\"You are not permitted to modify \u0027status\u0027 \""},{"line_number":102,"context_line":"                                \"on this image member.\")"},{"line_number":103,"context_line":"                    raise exception.Forbidden(message)"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"    def _lookup_member(self, req, image, member_id, member_repo\u003dNone):"}],"source_content_type":"text/x-python","patch_set":6,"id":"06c5ae39_725ec932","line":102,"range":{"start_line":102,"start_character":33,"end_line":102,"end_character":35},"in_reply_to":"8fbbc41e_2f92bfb7","updated":"2021-08-10 05:35:21.000000000","message":"Right, this should be something like\nYou are not permitted to delete member of this image.\n\nWill fix it in new PS.","commit_id":"0fa6bb9c192e2d98ebcb06e3cbb95f1378fa9ebd"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"3d40a5a4f58918a91a3ad498e5cf752afb195a69","unresolved":true,"context_lines":[{"line_number":73,"context_line":"                req.context,"},{"line_number":74,"context_line":"                image,"},{"line_number":75,"context_line":"                enforcer\u003dself.policy).get_image()"},{"line_number":76,"context_line":"        except (exception.NotFound, webob.exc.HTTPForbidden):"},{"line_number":77,"context_line":"            # NOTE (abhishekk): Returning 404 Not Found as the"},{"line_number":78,"context_line":"            # image is outside of this user\u0027s project"},{"line_number":79,"context_line":"            msg \u003d _(\"Image %s not found.\") % image_id"}],"source_content_type":"text/x-python","patch_set":9,"id":"72da60ed_86a581c0","line":76,"range":{"start_line":76,"start_character":36,"end_line":76,"end_character":59},"updated":"2021-08-12 16:22:49.000000000","message":"If this is raised, it\u0027s from the policy module, which would have decided that the image is accessible by the user and thus should see the 403 instead of the 404 right?","commit_id":"39de45e4cc78b28a8223da28dbe96ad89f9caa5a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"2caad911b5a83e27d9a70b350ddaac6b4ef7b0a4","unresolved":false,"context_lines":[{"line_number":73,"context_line":"                req.context,"},{"line_number":74,"context_line":"                image,"},{"line_number":75,"context_line":"                enforcer\u003dself.policy).get_image()"},{"line_number":76,"context_line":"        except (exception.NotFound, webob.exc.HTTPForbidden):"},{"line_number":77,"context_line":"            # NOTE (abhishekk): Returning 404 Not Found as the"},{"line_number":78,"context_line":"            # image is outside of this user\u0027s project"},{"line_number":79,"context_line":"            msg \u003d _(\"Image %s not found.\") % image_id"}],"source_content_type":"text/x-python","patch_set":9,"id":"896610cf_8bf02a7f","line":76,"range":{"start_line":76,"start_character":36,"end_line":76,"end_character":59},"in_reply_to":"72da60ed_86a581c0","updated":"2021-08-12 16:32:15.000000000","message":"Ack","commit_id":"39de45e4cc78b28a8223da28dbe96ad89f9caa5a"}],"glance/api/v2/policy.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"3d40a5a4f58918a91a3ad498e5cf752afb195a69","unresolved":true,"context_lines":[{"line_number":285,"context_line":"    def get_members(self):"},{"line_number":286,"context_line":"        self._enforce(\"get_members\")"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":"    def get_image(self):"},{"line_number":289,"context_line":"        self._enforce(\"get_image\")"},{"line_number":290,"context_line":""},{"line_number":291,"context_line":"    def get_member(self):"},{"line_number":292,"context_line":"        self._enforce(\"get_member\")"}],"source_content_type":"text/x-python","patch_set":9,"id":"5be619d3_46cf9cc1","line":289,"range":{"start_line":288,"start_character":0,"end_line":289,"end_character":34},"updated":"2021-08-12 16:22:49.000000000","message":"Hmm, why are we duplicating this? I would think using the image policy module for your _lookup_image() would still do the right thing *and* raise the thing we need.\n\nIf we were to add any other checks to get_image on the ImageAPIPolicy module, we might forget to add them here and have some discrepancy, which might be bad.\n\nI think it would make your _enforce() a little cleaner too. You could just always check get_image first:\n\n def _enforce(self, rule_name):\n     ImageAPIPolicy(self._context, self._image).check(\u0027get_image\u0027)\n     super(...)._enforce(rule_name)\n\nwon\u0027t that always do the right thing? 404 if you can\u0027t see the image, or 403 if you can\u0027t do the $rule_name operation.","commit_id":"39de45e4cc78b28a8223da28dbe96ad89f9caa5a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"e27d8c88004926a0c3c26fe4f6a575fbe3e728bf","unresolved":true,"context_lines":[{"line_number":285,"context_line":"    def get_members(self):"},{"line_number":286,"context_line":"        self._enforce(\"get_members\")"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":"    def get_image(self):"},{"line_number":289,"context_line":"        self._enforce(\"get_image\")"},{"line_number":290,"context_line":""},{"line_number":291,"context_line":"    def get_member(self):"},{"line_number":292,"context_line":"        self._enforce(\"get_member\")"}],"source_content_type":"text/x-python","patch_set":9,"id":"117dafb0_4d6eb3dc","line":289,"range":{"start_line":288,"start_character":0,"end_line":289,"end_character":34},"in_reply_to":"00b340b8_f7296c15","updated":"2021-08-12 16:48:48.000000000","message":"I think in order to get behavior what you described I should have something like;\n def _enforce(self, rule_name):\n     ImageAPIPolicy(self._context, self._image)._enforce(\u0027get_image\u0027)\n     super(...)._enforce(rule_name)\n\nRight?","commit_id":"39de45e4cc78b28a8223da28dbe96ad89f9caa5a"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"398ea4ff2c0f4b5279fda45474b51e209bae5413","unresolved":true,"context_lines":[{"line_number":285,"context_line":"    def get_members(self):"},{"line_number":286,"context_line":"        self._enforce(\"get_members\")"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":"    def get_image(self):"},{"line_number":289,"context_line":"        self._enforce(\"get_image\")"},{"line_number":290,"context_line":""},{"line_number":291,"context_line":"    def get_member(self):"},{"line_number":292,"context_line":"        self._enforce(\"get_member\")"}],"source_content_type":"text/x-python","patch_set":9,"id":"47c5ab38_e5077352","line":289,"range":{"start_line":288,"start_character":0,"end_line":289,"end_character":34},"in_reply_to":"117dafb0_4d6eb3dc","updated":"2021-08-12 16:57:08.000000000","message":"Yes, sorry I meant enforce behavior, but actually what you want is:\n\n ImageAPIPolicy(self._context, self._image)get_image))","commit_id":"39de45e4cc78b28a8223da28dbe96ad89f9caa5a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"12b0deb1eec1b010d2a0f693b9427e58428986a3","unresolved":false,"context_lines":[{"line_number":285,"context_line":"    def get_members(self):"},{"line_number":286,"context_line":"        self._enforce(\"get_members\")"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":"    def get_image(self):"},{"line_number":289,"context_line":"        self._enforce(\"get_image\")"},{"line_number":290,"context_line":""},{"line_number":291,"context_line":"    def get_member(self):"},{"line_number":292,"context_line":"        self._enforce(\"get_member\")"}],"source_content_type":"text/x-python","patch_set":9,"id":"499374a3_9cfb005c","line":289,"range":{"start_line":288,"start_character":0,"end_line":289,"end_character":34},"in_reply_to":"47c5ab38_e5077352","updated":"2021-08-12 19:41:20.000000000","message":"Done","commit_id":"39de45e4cc78b28a8223da28dbe96ad89f9caa5a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"2caad911b5a83e27d9a70b350ddaac6b4ef7b0a4","unresolved":true,"context_lines":[{"line_number":285,"context_line":"    def get_members(self):"},{"line_number":286,"context_line":"        self._enforce(\"get_members\")"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":"    def get_image(self):"},{"line_number":289,"context_line":"        self._enforce(\"get_image\")"},{"line_number":290,"context_line":""},{"line_number":291,"context_line":"    def get_member(self):"},{"line_number":292,"context_line":"        self._enforce(\"get_member\")"}],"source_content_type":"text/x-python","patch_set":9,"id":"00b340b8_f7296c15","line":289,"range":{"start_line":288,"start_character":0,"end_line":289,"end_character":34},"in_reply_to":"5be619d3_46cf9cc1","updated":"2021-08-12 16:32:15.000000000","message":"Just to Note:\nImageAPIPolicy(self._context, self._image).check(\u0027get_image\u0027) will return False and need to raise NotFound if it is false,","commit_id":"39de45e4cc78b28a8223da28dbe96ad89f9caa5a"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"0d4561e941e6bbe1ee5596f5f853c2d41f299a53","unresolved":true,"context_lines":[{"line_number":271,"context_line":"    def _enforce(self, rule_name):"},{"line_number":272,"context_line":"        ImageAPIPolicy(self._context, self._image,"},{"line_number":273,"context_line":"                       enforcer\u003dself.enforcer).get_image()"},{"line_number":274,"context_line":"        super(MemberAPIPolicy, self)._enforce(rule_name)"},{"line_number":275,"context_line":""},{"line_number":276,"context_line":"    def get_members(self):"},{"line_number":277,"context_line":"        self._enforce(\"get_members\")"}],"source_content_type":"text/x-python","patch_set":10,"id":"813eb228_48256b00","line":274,"updated":"2021-08-12 20:22:57.000000000","message":"Nice, right?","commit_id":"a1ac21e76f16a82b6e29f42884afe3c906d75759"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"da1247717740049c54ab2df8083ca9cee1f3194a","unresolved":true,"context_lines":[{"line_number":271,"context_line":"    def _enforce(self, rule_name):"},{"line_number":272,"context_line":"        ImageAPIPolicy(self._context, self._image,"},{"line_number":273,"context_line":"                       enforcer\u003dself.enforcer).get_image()"},{"line_number":274,"context_line":"        super(MemberAPIPolicy, self)._enforce(rule_name)"},{"line_number":275,"context_line":""},{"line_number":276,"context_line":"    def get_members(self):"},{"line_number":277,"context_line":"        self._enforce(\"get_members\")"}],"source_content_type":"text/x-python","patch_set":10,"id":"0d77ac26_0103ac0c","line":274,"in_reply_to":"813eb228_48256b00","updated":"2021-08-12 20:25:42.000000000","message":"No Doubt 👍","commit_id":"a1ac21e76f16a82b6e29f42884afe3c906d75759"}],"glance/policies/base.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"858f4149079a706aaa7eff1324463832a3a50806","unresolved":true,"context_lines":[{"line_number":70,"context_line":"    f\u0027({PROJECT_MEMBER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC_OR_SHARED})\u0027"},{"line_number":71,"context_line":")"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"ADMIN_OR_SHARED_MEMBER \u003d f\u0027role:admin or {IMAGE_MEMBER_CHECK}\u0027"},{"line_number":74,"context_line":"ADMIN_OR_PROJECT_READER_OR_SHARED_MEMBER \u003d ("},{"line_number":75,"context_line":"    f\u0027role:admin or \u0027"},{"line_number":76,"context_line":"    f\u0027role:reader and (project_id:%(project_id)s or {IMAGE_MEMBER_CHECK})\u0027"}],"source_content_type":"text/x-python","patch_set":5,"id":"71cb694f_9b275f99","line":73,"range":{"start_line":73,"start_character":42,"end_line":73,"end_character":60},"updated":"2021-08-06 21:56:31.000000000","message":"I think this is failing the protection tests because this check doesn\u0027t actually do anything with roles. It\u0027s only checking that the use has *a* role on the project, which is why ProjectReaders are able to accept images (make a writable change) when they shouldn\u0027t be able to do that.\n\nMaybe something like:\n\n  ADMIN_OR_SHARED_MEMBER \u003d f\u0027role:admin or (role:member and project_id:%(member_id)s)\u0027\n\nThis fixed it for me locally https://review.opendev.org/c/openstack/glance/+/803808\n\nBut, I do notice some issues cleaning up images:\n\n  Aug 06 21:51:09 devstack devstack@g-api.service[801721]: DEBUG glance.api.middleware.version_negotiation [None req-1ac327a2-196c-41db-9747-2c98224ed8bf tempest-ProjectReaderTests-594647252 tempest-ProjectReaderTests-594647252-project-admin] Determining version of request: DELETE /v2/images/bf524c84-be78-4aff-87dd-cc9e19042f29 Accept: application/json {{(pid\u003d801721) process_request /opt/stack/glance/glance/api/middleware/version_negotiation.py:44}}\nAug 06 21:51:09 devstack devstack@g-api.service[801721]: DEBUG glance.api.middleware.version_negotiation [None req-1ac327a2-196c-41db-9747-2c98224ed8bf tempest-ProjectReaderTests-594647252 tempest-ProjectReaderTests-594647252-project-admin] Using url versioning {{(pid\u003d801721) process_request /opt/stack/glance/glance/api/middleware/version_negotiation.py:57}}\nAug 06 21:51:09 devstack devstack@g-api.service[801721]: DEBUG glance.api.middleware.version_negotiation [None req-1ac327a2-196c-41db-9747-2c98224ed8bf tempest-ProjectReaderTests-594647252 tempest-ProjectReaderTests-594647252-project-admin] Matched version: v2 {{(pid\u003d801721) process_request /opt/stack/glance/glance/api/middleware/version_negotiation.py:69}}\nAug 06 21:51:09 devstack devstack@g-api.service[801721]: DEBUG glance.api.middleware.version_negotiation [None req-1ac327a2-196c-41db-9747-2c98224ed8bf tempest-ProjectReaderTests-594647252 tempest-ProjectReaderTests-594647252-project-admin] new path /v2/images/bf524c84-be78-4aff-87dd-cc9e19042f29 {{(pid\u003d801721) process_request /opt/stack/glance/glance/api/middleware/version_negotiation.py:70}}\nAug 06 21:51:09 devstack devstack@g-api.service[801721]: WARNING glance.api.v2.images [None req-32da48ca-5800-44f3-b1ef-80112466c43d tempest-ProjectReaderTests-594647252 tempest-ProjectReaderTests-594647252-project-admin] After upload to backend, deletion of staged image data has failed because it cannot be found at /tmp/staging//bf524c84-be78-4aff-87dd-cc9e19042f29\nAug 06 21:51:09 devstack devstack@g-api.service[801721]: [pid: 801721|app: 0|req: 111/221] 127.0.0.1 () {38 vars in 778 bytes} [Fri Aug  6 21:51:09 2021] DELETE /v2/images/bf524c84-be78-4aff-87dd-cc9e19042f29 \u003d\u003e generated 0 bytes in 57 msecs (HTTP/1.1 204) 4 headers in 171 bytes (1 switches on core 0)","commit_id":"3fa167361a3cea021bf265d5e757bc34ac39dcd7"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"0f0c1d11c445595ff172b1c2e576cf70b433320f","unresolved":true,"context_lines":[{"line_number":70,"context_line":"    f\u0027({PROJECT_MEMBER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC_OR_SHARED})\u0027"},{"line_number":71,"context_line":")"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"ADMIN_OR_SHARED_MEMBER \u003d f\u0027role:admin or {IMAGE_MEMBER_CHECK}\u0027"},{"line_number":74,"context_line":"ADMIN_OR_PROJECT_READER_OR_SHARED_MEMBER \u003d ("},{"line_number":75,"context_line":"    f\u0027role:admin or \u0027"},{"line_number":76,"context_line":"    f\u0027role:reader and (project_id:%(project_id)s or {IMAGE_MEMBER_CHECK})\u0027"}],"source_content_type":"text/x-python","patch_set":5,"id":"e85b2053_25fc59d7","line":73,"range":{"start_line":73,"start_character":42,"end_line":73,"end_character":60},"in_reply_to":"71cb694f_9b275f99","updated":"2021-08-06 22:06:43.000000000","message":"Looking at the gtp change that depends on this change. Are we changing the behavior of who can accept/reject shared images and opening that up to readers?\n\nI\u0027m not sure if I missed a discussion somewhere.","commit_id":"3fa167361a3cea021bf265d5e757bc34ac39dcd7"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"38aed28ac0f10705d0c89e48ac3ea4a7f8088523","unresolved":true,"context_lines":[{"line_number":70,"context_line":"    f\u0027({PROJECT_MEMBER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC_OR_SHARED})\u0027"},{"line_number":71,"context_line":")"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"ADMIN_OR_SHARED_MEMBER \u003d f\u0027role:admin or {IMAGE_MEMBER_CHECK}\u0027"},{"line_number":74,"context_line":"ADMIN_OR_PROJECT_READER_OR_SHARED_MEMBER \u003d ("},{"line_number":75,"context_line":"    f\u0027role:admin or \u0027"},{"line_number":76,"context_line":"    f\u0027role:reader and (project_id:%(project_id)s or {IMAGE_MEMBER_CHECK})\u0027"}],"source_content_type":"text/x-python","patch_set":5,"id":"a36e8206_3914aafb","line":73,"range":{"start_line":73,"start_character":42,"end_line":73,"end_character":60},"in_reply_to":"e85b2053_25fc59d7","updated":"2021-08-07 05:02:10.000000000","message":"No You are right, I need to use member role here.\nRegarding cleaning up I have filed another issue in glance-tempest-plugin launchpad","commit_id":"3fa167361a3cea021bf265d5e757bc34ac39dcd7"}],"glance/tests/functional/v2/test_member_api_policy.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"05a726dbdbd3d842a8a933a3e8345a729ef3c0d3","unresolved":true,"context_lines":[{"line_number":95,"context_line":"            \u0027get_image\u0027: \u0027!\u0027"},{"line_number":96,"context_line":"        })"},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"        # Make sure add returns 403"},{"line_number":99,"context_line":"        response \u003d self.api_post(path, json\u003ddata)"},{"line_number":100,"context_line":"        self.assertEqual(404, response.status_code)"},{"line_number":101,"context_line":""}],"source_content_type":"text/x-python","patch_set":8,"id":"f9e21bae_0c13ff11","line":98,"range":{"start_line":98,"start_character":32,"end_line":98,"end_character":35},"updated":"2021-08-11 14:38:59.000000000","message":"404","commit_id":"4fdb90354aff1952e1d3411e17691eef6321d243"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"fe6568107c2c463d1fa5441e3b6499833116be2b","unresolved":false,"context_lines":[{"line_number":95,"context_line":"            \u0027get_image\u0027: \u0027!\u0027"},{"line_number":96,"context_line":"        })"},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"        # Make sure add returns 403"},{"line_number":99,"context_line":"        response \u003d self.api_post(path, json\u003ddata)"},{"line_number":100,"context_line":"        self.assertEqual(404, response.status_code)"},{"line_number":101,"context_line":""}],"source_content_type":"text/x-python","patch_set":8,"id":"c6d1122f_7289eebc","line":98,"range":{"start_line":98,"start_character":32,"end_line":98,"end_character":35},"in_reply_to":"f9e21bae_0c13ff11","updated":"2021-08-11 17:49:46.000000000","message":"Ack","commit_id":"4fdb90354aff1952e1d3411e17691eef6321d243"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"05a726dbdbd3d842a8a933a3e8345a729ef3c0d3","unresolved":true,"context_lines":[{"line_number":131,"context_line":"            \u0027get_image\u0027: \u0027!\u0027,"},{"line_number":132,"context_line":"            \u0027get_member\u0027: \u0027@\u0027"},{"line_number":133,"context_line":"        })"},{"line_number":134,"context_line":"        # image owner is not allowed to update image membership so"},{"line_number":135,"context_line":"        # passing different project in headers"},{"line_number":136,"context_line":"        headers \u003d self._headers({"},{"line_number":137,"context_line":"            \u0027X-Tenant-Id\u0027: \u0027fake-tenant-id\u0027,"},{"line_number":138,"context_line":"        })"}],"source_content_type":"text/x-python","patch_set":8,"id":"a826f4d0_00f75900","line":135,"range":{"start_line":134,"start_character":8,"end_line":135,"end_character":46},"updated":"2021-08-11 14:38:59.000000000","message":"I\u0027m confused by this. Didn\u0027t the owner update membership on L111 above? I guess I\u0027m also missing where we test that someone that is a member can update, but someone that is not a member cannot. I wonder if we need to use a public image to do that or something? Or, maybe that\u0027s sufficiently covered in the tempest plugin when rbac is enabled?","commit_id":"4fdb90354aff1952e1d3411e17691eef6321d243"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"3d40a5a4f58918a91a3ad498e5cf752afb195a69","unresolved":true,"context_lines":[{"line_number":131,"context_line":"            \u0027get_image\u0027: \u0027!\u0027,"},{"line_number":132,"context_line":"            \u0027get_member\u0027: \u0027@\u0027"},{"line_number":133,"context_line":"        })"},{"line_number":134,"context_line":"        # image owner is not allowed to update image membership so"},{"line_number":135,"context_line":"        # passing different project in headers"},{"line_number":136,"context_line":"        headers \u003d self._headers({"},{"line_number":137,"context_line":"            \u0027X-Tenant-Id\u0027: \u0027fake-tenant-id\u0027,"},{"line_number":138,"context_line":"        })"}],"source_content_type":"text/x-python","patch_set":8,"id":"f07e0730_daaedeaa","line":135,"range":{"start_line":134,"start_character":8,"end_line":135,"end_character":46},"in_reply_to":"2223cc75_7f6744e7","updated":"2021-08-12 16:22:49.000000000","message":"Yeah I got this after this comment from another review, thanks.","commit_id":"4fdb90354aff1952e1d3411e17691eef6321d243"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"f8235c1e2965f2f2c4f90957d9eb34c6eceb3572","unresolved":true,"context_lines":[{"line_number":131,"context_line":"            \u0027get_image\u0027: \u0027!\u0027,"},{"line_number":132,"context_line":"            \u0027get_member\u0027: \u0027@\u0027"},{"line_number":133,"context_line":"        })"},{"line_number":134,"context_line":"        # image owner is not allowed to update image membership so"},{"line_number":135,"context_line":"        # passing different project in headers"},{"line_number":136,"context_line":"        headers \u003d self._headers({"},{"line_number":137,"context_line":"            \u0027X-Tenant-Id\u0027: \u0027fake-tenant-id\u0027,"},{"line_number":138,"context_line":"        })"}],"source_content_type":"text/x-python","patch_set":8,"id":"2223cc75_7f6744e7","line":135,"range":{"start_line":134,"start_character":8,"end_line":135,"end_character":46},"in_reply_to":"56e7a51f_33cb6665","updated":"2021-08-12 09:48:18.000000000","message":"Also we have multiple scenarios covered in existing functional test so I avoided to duplicate those here.\n\nhttps://github.com/openstack/glance/blob/master/glance/tests/functional/v2/test_images.py#L4074","commit_id":"4fdb90354aff1952e1d3411e17691eef6321d243"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"734c01cf0e3cd53637abe6ff809c1096685f5f7c","unresolved":true,"context_lines":[{"line_number":131,"context_line":"            \u0027get_image\u0027: \u0027!\u0027,"},{"line_number":132,"context_line":"            \u0027get_member\u0027: \u0027@\u0027"},{"line_number":133,"context_line":"        })"},{"line_number":134,"context_line":"        # image owner is not allowed to update image membership so"},{"line_number":135,"context_line":"        # passing different project in headers"},{"line_number":136,"context_line":"        headers \u003d self._headers({"},{"line_number":137,"context_line":"            \u0027X-Tenant-Id\u0027: \u0027fake-tenant-id\u0027,"},{"line_number":138,"context_line":"        })"}],"source_content_type":"text/x-python","patch_set":8,"id":"cff0a8a2_22685849","line":135,"range":{"start_line":134,"start_character":8,"end_line":135,"end_character":46},"in_reply_to":"a826f4d0_00f75900","updated":"2021-08-11 14:50:00.000000000","message":"This is because by default these tests are running using admin role.\nhttps://github.com/openstack/glance/blob/master/glance/tests/functional/__init__.py#L1613","commit_id":"4fdb90354aff1952e1d3411e17691eef6321d243"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"fe6568107c2c463d1fa5441e3b6499833116be2b","unresolved":true,"context_lines":[{"line_number":131,"context_line":"            \u0027get_image\u0027: \u0027!\u0027,"},{"line_number":132,"context_line":"            \u0027get_member\u0027: \u0027@\u0027"},{"line_number":133,"context_line":"        })"},{"line_number":134,"context_line":"        # image owner is not allowed to update image membership so"},{"line_number":135,"context_line":"        # passing different project in headers"},{"line_number":136,"context_line":"        headers \u003d self._headers({"},{"line_number":137,"context_line":"            \u0027X-Tenant-Id\u0027: \u0027fake-tenant-id\u0027,"},{"line_number":138,"context_line":"        })"}],"source_content_type":"text/x-python","patch_set":8,"id":"56e7a51f_33cb6665","line":135,"range":{"start_line":134,"start_character":8,"end_line":135,"end_character":46},"in_reply_to":"cff0a8a2_22685849","updated":"2021-08-11 17:49:46.000000000","message":"https://github.com/openstack/glance-tempest-plugin/blob/master/glance_tempest_plugin/tests/rbac/v2/test_images.py#L1365","commit_id":"4fdb90354aff1952e1d3411e17691eef6321d243"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"05a726dbdbd3d842a8a933a3e8345a729ef3c0d3","unresolved":true,"context_lines":[{"line_number":165,"context_line":"            \u0027get_image\u0027: \u0027!\u0027,"},{"line_number":166,"context_line":"        })"},{"line_number":167,"context_line":""},{"line_number":168,"context_line":"        # Make sure get returns 403"},{"line_number":169,"context_line":"        response \u003d self.api_get(path)"},{"line_number":170,"context_line":"        self.assertEqual(404, response.status_code)"},{"line_number":171,"context_line":""}],"source_content_type":"text/x-python","patch_set":8,"id":"6704afe6_dcbb2008","line":168,"range":{"start_line":168,"start_character":32,"end_line":168,"end_character":35},"updated":"2021-08-11 14:38:59.000000000","message":"404","commit_id":"4fdb90354aff1952e1d3411e17691eef6321d243"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"734c01cf0e3cd53637abe6ff809c1096685f5f7c","unresolved":false,"context_lines":[{"line_number":165,"context_line":"            \u0027get_image\u0027: \u0027!\u0027,"},{"line_number":166,"context_line":"        })"},{"line_number":167,"context_line":""},{"line_number":168,"context_line":"        # Make sure get returns 403"},{"line_number":169,"context_line":"        response \u003d self.api_get(path)"},{"line_number":170,"context_line":"        self.assertEqual(404, response.status_code)"},{"line_number":171,"context_line":""}],"source_content_type":"text/x-python","patch_set":8,"id":"3837e41c_8274028a","line":168,"range":{"start_line":168,"start_character":32,"end_line":168,"end_character":35},"in_reply_to":"6704afe6_dcbb2008","updated":"2021-08-11 14:50:00.000000000","message":"Ack","commit_id":"4fdb90354aff1952e1d3411e17691eef6321d243"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"05a726dbdbd3d842a8a933a3e8345a729ef3c0d3","unresolved":true,"context_lines":[{"line_number":173,"context_line":"        self.set_policy_rules({"},{"line_number":174,"context_line":"            \u0027get_members\u0027: \u0027@\u0027,"},{"line_number":175,"context_line":"            \u0027get_member\u0027: \u0027!\u0027,"},{"line_number":176,"context_line":"        })"},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"        # Make sure we get empty list as get_member is disabled"},{"line_number":179,"context_line":"        response \u003d self.api_get(path)"}],"source_content_type":"text/x-python","patch_set":8,"id":"ce57de43_7fad57fd","line":176,"updated":"2021-08-11 14:38:59.000000000","message":"I\u0027m not sure how this behaves in terms of what get_image is still set to. Can you be explicit here about get_image:@ if that\u0027s what you mean?","commit_id":"4fdb90354aff1952e1d3411e17691eef6321d243"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"734c01cf0e3cd53637abe6ff809c1096685f5f7c","unresolved":false,"context_lines":[{"line_number":173,"context_line":"        self.set_policy_rules({"},{"line_number":174,"context_line":"            \u0027get_members\u0027: \u0027@\u0027,"},{"line_number":175,"context_line":"            \u0027get_member\u0027: \u0027!\u0027,"},{"line_number":176,"context_line":"        })"},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"        # Make sure we get empty list as get_member is disabled"},{"line_number":179,"context_line":"        response \u003d self.api_get(path)"}],"source_content_type":"text/x-python","patch_set":8,"id":"07d515c4_1ba00429","line":176,"in_reply_to":"ce57de43_7fad57fd","updated":"2021-08-11 14:50:00.000000000","message":"Ack","commit_id":"4fdb90354aff1952e1d3411e17691eef6321d243"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"3d40a5a4f58918a91a3ad498e5cf752afb195a69","unresolved":true,"context_lines":[{"line_number":263,"context_line":"            self.assertEqual(201, response.status_code)"},{"line_number":264,"context_line":"            self.assertEqual(visibility, image[\u0027visibility\u0027])"},{"line_number":265,"context_line":""},{"line_number":266,"context_line":"            # Sharing imgae should return 403 response"},{"line_number":267,"context_line":"            member_path \u003d \u0027/v2/images/%s/members\u0027 % image[\u0027id\u0027]"},{"line_number":268,"context_line":"            data \u003d {"},{"line_number":269,"context_line":"                \u0027member\u0027: uuids.random_member"}],"source_content_type":"text/x-python","patch_set":9,"id":"844e0eaf_a5e7ae85","line":266,"range":{"start_line":266,"start_character":22,"end_line":266,"end_character":27},"updated":"2021-08-12 16:22:49.000000000","message":"image","commit_id":"39de45e4cc78b28a8223da28dbe96ad89f9caa5a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"2caad911b5a83e27d9a70b350ddaac6b4ef7b0a4","unresolved":false,"context_lines":[{"line_number":263,"context_line":"            self.assertEqual(201, response.status_code)"},{"line_number":264,"context_line":"            self.assertEqual(visibility, image[\u0027visibility\u0027])"},{"line_number":265,"context_line":""},{"line_number":266,"context_line":"            # Sharing imgae should return 403 response"},{"line_number":267,"context_line":"            member_path \u003d \u0027/v2/images/%s/members\u0027 % image[\u0027id\u0027]"},{"line_number":268,"context_line":"            data \u003d {"},{"line_number":269,"context_line":"                \u0027member\u0027: uuids.random_member"}],"source_content_type":"text/x-python","patch_set":9,"id":"bbff1b68_3fb25280","line":266,"range":{"start_line":266,"start_character":22,"end_line":266,"end_character":27},"in_reply_to":"844e0eaf_a5e7ae85","updated":"2021-08-12 16:32:15.000000000","message":"Ack","commit_id":"39de45e4cc78b28a8223da28dbe96ad89f9caa5a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"12b0deb1eec1b010d2a0f693b9427e58428986a3","unresolved":false,"context_lines":[{"line_number":263,"context_line":"            self.assertEqual(201, response.status_code)"},{"line_number":264,"context_line":"            self.assertEqual(visibility, image[\u0027visibility\u0027])"},{"line_number":265,"context_line":""},{"line_number":266,"context_line":"            # Sharing imgae should return 403 response"},{"line_number":267,"context_line":"            member_path \u003d \u0027/v2/images/%s/members\u0027 % image[\u0027id\u0027]"},{"line_number":268,"context_line":"            data \u003d {"},{"line_number":269,"context_line":"                \u0027member\u0027: uuids.random_member"}],"source_content_type":"text/x-python","patch_set":9,"id":"fb5bea5e_8cf6f3a5","line":266,"range":{"start_line":266,"start_character":22,"end_line":266,"end_character":27},"in_reply_to":"bbff1b68_3fb25280","updated":"2021-08-12 19:41:20.000000000","message":"You have an eagle eye 😊","commit_id":"39de45e4cc78b28a8223da28dbe96ad89f9caa5a"}],"glance/tests/unit/v2/test_v2_policy.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"0d4561e941e6bbe1ee5596f5f853c2d41f299a53","unresolved":true,"context_lines":[{"line_number":436,"context_line":"            self.assertTrue(mock_enf.called)"},{"line_number":437,"context_line":""},{"line_number":438,"context_line":"            # Make sure that if while checking modify_member if get_image"},{"line_number":439,"context_line":"            # both returns forbidden then we should get NotFound. This is"},{"line_number":440,"context_line":"            # because we are not allowed to fetch image details."},{"line_number":441,"context_line":"            mock_enf.reset_mock()"},{"line_number":442,"context_line":"            mock_enf.side_effect \u003d exception.Forbidden"}],"source_content_type":"text/x-python","patch_set":10,"id":"412e7d07_9d02d55f","line":439,"range":{"start_line":439,"start_character":27,"end_line":439,"end_character":36},"updated":"2021-08-12 20:22:57.000000000","message":"Forbidden (as before). But, not important :)","commit_id":"a1ac21e76f16a82b6e29f42884afe3c906d75759"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"da1247717740049c54ab2df8083ca9cee1f3194a","unresolved":true,"context_lines":[{"line_number":436,"context_line":"            self.assertTrue(mock_enf.called)"},{"line_number":437,"context_line":""},{"line_number":438,"context_line":"            # Make sure that if while checking modify_member if get_image"},{"line_number":439,"context_line":"            # both returns forbidden then we should get NotFound. This is"},{"line_number":440,"context_line":"            # because we are not allowed to fetch image details."},{"line_number":441,"context_line":"            mock_enf.reset_mock()"},{"line_number":442,"context_line":"            mock_enf.side_effect \u003d exception.Forbidden"}],"source_content_type":"text/x-python","patch_set":10,"id":"e8d4e89b_f1d66d20","line":439,"range":{"start_line":439,"start_character":27,"end_line":439,"end_character":36},"in_reply_to":"412e7d07_9d02d55f","updated":"2021-08-12 20:25:42.000000000","message":"will correct if respin is required.","commit_id":"a1ac21e76f16a82b6e29f42884afe3c906d75759"}]}