)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"a0b1876a7d3122a0ba8ee04922ef8a0d9446aa4b","unresolved":true,"context_lines":[{"line_number":13,"context_line":"some confusion in the current approach. We should update the goal to be"},{"line_number":14,"context_line":"consistent with the discussions from the yoga PTG."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"This goal is divided into three different milestones."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Co-Authored-By: Ghanshyam Mann \u003cgmann@ghanshyammann.com\u003e"},{"line_number":19,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":18,"id":"4e32a7c1_b5ca6762","line":16,"range":{"start_line":16,"start_character":42,"end_line":16,"end_character":52},"updated":"2021-11-23 13:20:48.000000000","message":"nit: might want to say \"phases spanning the next few development cycles\"","commit_id":"8b5fdbbca0d5d516c27028d8e913fdbe89f801d1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"0cbd0b1b7237b2404ddb025a4f276ba19a36e8ea","unresolved":false,"context_lines":[{"line_number":13,"context_line":"some confusion in the current approach. 
We should update the goal to be"},{"line_number":14,"context_line":"consistent with the discussions from the yoga PTG."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"This goal is divided into three different milestones."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Co-Authored-By: Ghanshyam Mann \u003cgmann@ghanshyammann.com\u003e"},{"line_number":19,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":18,"id":"f1bf676d_1fbc9871","line":16,"range":{"start_line":16,"start_character":42,"end_line":16,"end_character":52},"in_reply_to":"4e32a7c1_b5ca6762","updated":"2021-11-23 16:16:57.000000000","message":"Done","commit_id":"8b5fdbbca0d5d516c27028d8e913fdbe89f801d1"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b90c84a60b33e141f8ae0ac713404531a0c5d53a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"fb51e453_8d81f5dc","updated":"2021-10-22 21:37:39.000000000","message":"I need to update this goal with a lot of stuff from this week. 
Marking as WIP until I do that, but at least putting this up for now so that people know I\u0027m working on it.","commit_id":"99c175b266507abf01c8135282c4d0e9a990b7bd"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"87a409eeb160d1620dc21b410e51cc3d265331d8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"0a780642_01034df8","updated":"2021-10-22 21:38:30.000000000","message":"I\u0027m hoping to have this in better shape by the middle of next week.","commit_id":"99c175b266507abf01c8135282c4d0e9a990b7bd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"ea82b50a949329d23b8a25b88bffb3cd4037ccb4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"d9f3ab03_169e4bf7","updated":"2021-10-27 09:19:52.000000000","message":"Based on that I guess that there is no need for now to change tempest plugin tests to make them compatible with this whole new RBAC and it will be better to start doing that when this changes will be approved, right?","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ebd26f8ddbb483836f1c92f7ade2d6d3c871f50f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"35d04f2b_da4884c3","updated":"2021-11-02 00:16:02.000000000","message":"I think we should first unselect this goal (remove it from goals/selected folder) to avoid confusion for projects/developers/users who were not part of PTG discussion that this is not final Yoga goal now. 
and then re-work on goals/proposed folder.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"daa138b1646d43d4db04d004d8aac6fc166801dc","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"f4c0b9ff_802c0144","updated":"2021-10-26 20:57:39.000000000","message":"Sorry for adding a bunch of people at once, but I want to make sure someone from each project is aware of what we\u0027re proposing for Yoga.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"dc4db976e16ad64bfb8409fafc3bacb6bc75133f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"0e0013c6_332987a6","in_reply_to":"d9f3ab03_169e4bf7","updated":"2021-10-27 13:12:15.000000000","message":"I think tempest plugin support for system testing will still be necessary since we need to test APIs that are truly system-specific, but we\u0027re just going to be testing less with it.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"7fc63cf128dfb34696404c18885d7540ca23190b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"d8c93e23_c3d1062d","updated":"2021-11-03 14:25:36.000000000","message":"Some nits, but otherwise lgtm.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"d6ad7c627f7fbde5dc9d4df94b4286c528d61e8f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"d9055d75_62633ef6","updated":"2021-11-10 19:58:43.000000000","message":"I\u0027d like to see the stretch goal removed. I believe it is a mistake to try and commit what is functionally scope creep of the original set in an inconsistent manner.\n\nOtherwise, what I perceived from the rest of the document made sense to me given the conundrum which exists on the project scoped APIs.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"2188eb6a9db65abf2cf9fdd25a8807449f45351a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"26e0435c_a535cc3f","updated":"2021-11-11 17:33:51.000000000","message":"I have added some in-line comments.","commit_id":"ff02c2562d1c18a6970491f651b00de69f96dd07"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d10345c46748c7fa7ad5e4acf155df235d0d2ab2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":14,"id":"5317d466_7bebfcc5","updated":"2021-11-18 15:21:46.000000000","message":"Some observations inline.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"6c7d61474bdc4f655856efcf7a1a97ccefd7e99b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":15,"id":"5dff07ce_81b87380","updated":"2021-11-18 19:07:12.000000000","message":"Formatting nit noted inline.","commit_id":"c6e84d13de158567cabee4e7bffe108568e3fdff"},{"author":{"_account_id":4393,"name":"Dan 
Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"cc59a6273bf5d00b35d8126bd630f4eae83d32c9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":17,"id":"47c5eb8b_fa08fab3","updated":"2021-11-19 16:58:58.000000000","message":"I think this is good, aside from a few minor comments. I too have been very close to the discussion and re-re-re-review of this so I\u0027m a bit glossy-eyed at this point. Might be good to get some people outside the core trio of me, gmann, lbragstad to RC+1 it first?","commit_id":"c40680af55218b9afc260105f1c74b9ff363482c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6e22cc9ed4cb9896b1a2de749d67e8c6b0ab1ad6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":17,"id":"ebf3f210_358f5819","updated":"2021-11-19 16:18:54.000000000","message":"Thanks, this lgtm now. We have a one-cycle release gap between \u0027making it default\u0027 and \u0027remove the deprecated one\u0027, which will give operators enough time to migrate.\n\nwaiting on Rollcall-Vote because of co-author and other members also to check.","commit_id":"c40680af55218b9afc260105f1c74b9ff363482c"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"ada4230365f7f386f2903bffcbc02d3330fdefc3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":18,"id":"6ed88b37_d9793a00","updated":"2021-11-23 13:15:35.000000000","message":"-1: I couldn\u0027t find anything about when services need to implement domain support.  
My understanding is that if cinder makes the \"List volumes\" request be governed by a non-system-scoped rule, when enforce_scope\u003dTrue by default, the system-administrator will no longer be able to list all the volumes known to cinder (which is appropriate given how we are defining system-admin in this here spec).  But a project-admin will only be able to list the volumes in a project on which they have an \u0027admin\u0027 role (and do it one at a time, i.e., separate requests with a different token for each project.  In the pop-up meetings we discussed at one point that a domain-scoped token could be used to list all the volumes of all the projects in the domain on which you have an appropriate role (I guess \u0027admin\u0027?), which would work in cinder by changing the meaning of the \u0027?all_tenants\u003dtrue\u0027 query parameter on the list volumes request to mean \"all the projects in your domain\".\n\nAnyway, this affects this part of the Z-release Timeline:\n\n  #. Any service that completed `Phase 1`_ in Yoga can set ``enforce_scope\u003dTrue``\n     by default\n\nIf my analysis above is correct, this will break \"List volumes\" across projects for cinder (and same thing for similar resources for other services).  I think adding domain support to Phase 1 may be scope creep, so maybe we need a Phase 1.5, and then the turn-on in Z is contingent on satisfying through Phase 1.5.\n\nOtherwise, this document captures all the discussions I\u0027ve been part of during the Yoga PTG and followup TC and policy pop-up meetings, and additionally is nicely written.  
Thanks, Lance!","commit_id":"8b5fdbbca0d5d516c27028d8e913fdbe89f801d1"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f4ff0c419ece23912418a74bc631e1bb50479919","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":18,"id":"09cdff06_ff06ae24","updated":"2021-11-22 21:54:47.000000000","message":"Looks good for me. Let\u0027s move on with that to have time to work on implementation in the projects 😊","commit_id":"8b5fdbbca0d5d516c27028d8e913fdbe89f801d1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"7507469c91dfa556762d75ec1c1a732e462fd67c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":18,"id":"3aa1f26d_b1417749","updated":"2021-11-19 17:28:01.000000000","message":"thanks. lgtm. \n\nAs Dan mentioned, let\u0027s get more eyes from other TC and community members in case.","commit_id":"8b5fdbbca0d5d516c27028d8e913fdbe89f801d1"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"28fcdf73f0102ff3ff8faf7fa27c485f3464fbc6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":19,"id":"53472e95_5447f424","updated":"2021-11-24 18:04:31.000000000","message":"My concern with the proposal to swap Phase 2 and Phase 3 is that Phase 2 implements the system-reader, which is more operator-visible than the \u0027service\u0027 role.  
(But I\u0027m \"concerned\", not \"dead set against it\".)\n\nThis version LGTM, and I agree with Slawek that we really need to get this merged soon, given that we\u0027re already past yoga milestone-1.","commit_id":"5931c1932c966ad696c51fae1237c0afa75d5c58"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6d3606c9755d7beb67841f40f26a3cd5a987b363","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":19,"id":"082c7826_c2f1082a","in_reply_to":"53472e95_5447f424","updated":"2021-11-25 16:44:07.000000000","message":"ack. yeah we are trying to get this merged soon. so doing phase-2 first or phase-3 is after Z cycle things so we have time to discuss it but Yoga things are very clear now. \n\n+1 from me on current version from Yoga perspective and will convert it to Rollcall-Vote +1 once I see few more TC (other than Dan and I) ok with this.","commit_id":"5931c1932c966ad696c51fae1237c0afa75d5c58"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e89db810daaee570d21fe7d1b97a35843d7e4fe4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":20,"id":"b2c7d0de_57d22816","updated":"2021-11-29 18:03:50.000000000","message":"@Radoslaw @Sean\n\nI\u0027ve proposed a follow-on patch fixing the comments you had here.\n\nhttps://review.opendev.org/c/openstack/governance/+/819664","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"8bfd73c306a8e4f182cb617c7f57f94e1538530e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":20,"id":"492c895c_bde4e507","updated":"2021-11-30 18:08:51.000000000","message":"Couple of nits.  
Overall I think this looks good.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"b6bc1383f78c63310f9515a8eb8781c2cfe51e23","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":20,"id":"db7bf13a_be4a87ef","updated":"2021-11-30 11:56:57.000000000","message":"I agree to merge this as is but there are still open comments here to be addressed via the proposed followup.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"208cbda947587128c8751c791d519637a39532fd","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":20,"id":"c9a80e80_fb7f1e81","updated":"2021-11-29 16:49:54.000000000","message":"I like the direction. I have a few comments that need addressing.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"04c43b9dff0db945220c561538e6adea459e73ff","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":20,"id":"32b83934_12b7b906","updated":"2021-11-29 15:23:19.000000000","message":"I\u0027m going to go ahead and RC+1 this because there were a number of them on the previous set. 
Re-ordering the service role before the finishing of system-scope stuff makes the most sense to me.\n\nThanks Lance!","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"100040af696c67ceaeb76a4bd9765e3f5f205b5a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":20,"id":"45b5d0e6_f824faef","updated":"2021-11-29 15:27:43.000000000","message":"lgtm, for phase2/3 ordering we can discuss if needed to change but phase1 is very clear and let\u0027s merge this goal to start the Yoga work.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1fa1e98898e7d8d64257ba8237c2abc4257b0f03","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":20,"id":"bcd54b48_06c9539f","updated":"2021-11-29 17:21:55.000000000","message":"Overall I think this is a reasonable plan.\nI would suggest it might be better to merge this as is and address some of the nits/issues in a follow-up patch. But assuming we are not going to do this, I have given it a -1 just to call attention to \nhttps://review.opendev.org/c/openstack/governance/+/815158/20/goals/proposed/consistent-and-secure-rbac.rst#528","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"40c530a44d30497f8d34b1c797f5c85ace00cdcf","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":20,"id":"466b718f_6f1ce5d1","updated":"2021-11-30 18:03:31.000000000","message":"we have clear direction (implementation and schedule) now, thanks, Lance, Dan and other community members for working and making it in shape. 
\n\nlet\u0027s merge this and I will work on selecting this goal asap which is https://review.opendev.org/c/openstack/governance/+/818817/4","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"9b4405876ed1b0556aa9aa815aad03b8518464e5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":20,"id":"6e665b17_b087b199","in_reply_to":"32b83934_12b7b906","updated":"2021-11-29 17:28:40.000000000","message":"Yes, I think the service role needs to be complete as part of phase 1, or before phase 2, so that we can use tokens with the service role to make cross-service calls on project-scoped resources like port binding. But I am happy with the overall direction and agree we should merge this as is for now.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"ad8f9ac2ad5a1f7104e5521c47db747088a1691d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":20,"id":"4cf737e6_3788b59b","in_reply_to":"a7c1da0f_255e7dd9","updated":"2021-11-29 18:38:58.000000000","message":"Ack, quickly skimming it the follow-up looks ok, so I will change my -1 to +1 and we can continue the discussion in the follow-up if required.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"ec4ad89e516f23bd92dbb9b15b407eefb6d7bd61","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":20,"id":"a7c1da0f_255e7dd9","in_reply_to":"b2c7d0de_57d22816","updated":"2021-11-29 18:10:19.000000000","message":"Let\u0027s close the other comments via it and this one would be 
gtg.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"dbe9f87945eaee963b6b1acbd1b4a60a1ea81791","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":20,"id":"04253698_ee40a712","in_reply_to":"c9a80e80_fb7f1e81","updated":"2021-11-29 16:51:07.000000000","message":"And I want to thank all of you who worked on the contents. This goal sounds great. 😊","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"}],"goals/proposed/consistent-and-secure-rbac.rst":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2d10dca28d7c77da8e534a8795cc23c5e125c986","unresolved":false,"context_lines":[{"line_number":94,"context_line":"instance from a host."},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"Based on the initial discussions of how system-scope would be used, we decided"},{"line_number":97,"context_line":"to allow system-scoped tokens to operate on project-owned resources using"},{"line_number":98,"context_line":"system-scoped tokens."},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"It wasn\u0027t until we started applying this idea to various services that we"}],"source_content_type":"text/x-rst","patch_set":14,"id":"cd189885_b3520576","line":97,"range":{"start_line":97,"start_character":9,"end_line":97,"end_character":29},"updated":"2021-11-18 15:58:41.000000000","message":"This doesn\u0027t read very well.\n\ns/system-scoped tokens/operators/","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red 
Hat"},"change_message_id":"643cb58e8b540efe96d2b71867abfbe6cb18fa14","unresolved":true,"context_lines":[{"line_number":133,"context_line":"problem from a user with the `admin` role on a project to anyone with the"},{"line_number":134,"context_line":"`admin` role on the system."},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"Instead, we decided to relax the assumption that anyone using a system-scoped"},{"line_number":137,"context_line":"token should automatically be able to access any OpenStack API."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"To clarify, we did agree that system administrators (e.g., operators) should be"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1e797b7b_a784988b","line":136,"range":{"start_line":136,"start_character":23,"end_line":136,"end_character":28},"updated":"2021-11-17 20:12:15.000000000","message":"\"Relax\" sounds like the assumption might still be valid. Aren\u0027t we dropping the assumption that system-scoped tokens can *automatically* (emphasis added) access any API? 
As the next paragraph explains, system admins can give themselves project level access, but the point is they need to take steps (it isn\u0027t automatic).","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f9d44af805b47ac951529c46b46e3e769eec2c05","unresolved":true,"context_lines":[{"line_number":133,"context_line":"problem from a user with the `admin` role on a project to anyone with the"},{"line_number":134,"context_line":"`admin` role on the system."},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"Instead, we decided to relax the assumption that anyone using a system-scoped"},{"line_number":137,"context_line":"token should automatically be able to access any OpenStack API."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"To clarify, we did agree that system administrators (e.g., operators) should be"}],"source_content_type":"text/x-rst","patch_set":14,"id":"e25c3187_333cda0a","line":136,"range":{"start_line":136,"start_character":23,"end_line":136,"end_character":28},"in_reply_to":"1e797b7b_a784988b","updated":"2021-11-17 20:35:03.000000000","message":"To be clear, the next paragraph about \"giving themselves access\" means giving themselves a role on that project, not allowing system-scoped tokens to access project resources. If they tried to do the  latter, they would run into all the same trouble as today, which is why we\u0027re correcting this course. Meaning, if they override the policy to allow system tokens to start/stop instances, such requests will fail with a 500. 
By setting scope_types\u003d[project] on our rules, we remove their ability to grant system-scoped users such access, since that\u0027s defined on the rule and not in the check string.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2d10dca28d7c77da8e534a8795cc23c5e125c986","unresolved":false,"context_lines":[{"line_number":133,"context_line":"problem from a user with the `admin` role on a project to anyone with the"},{"line_number":134,"context_line":"`admin` role on the system."},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"Instead, we decided to relax the assumption that anyone using a system-scoped"},{"line_number":137,"context_line":"token should automatically be able to access any OpenStack API."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"To clarify, we did agree that system administrators (e.g., operators) should be"}],"source_content_type":"text/x-rst","patch_set":14,"id":"81ddfec6_a5786c16","line":136,"range":{"start_line":136,"start_character":23,"end_line":136,"end_character":28},"in_reply_to":"4ca8c95c_6c4e94a1","updated":"2021-11-18 15:58:41.000000000","message":"Done","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d10345c46748c7fa7ad5e4acf155df235d0d2ab2","unresolved":true,"context_lines":[{"line_number":133,"context_line":"problem from a user with the `admin` role on a project to anyone with the"},{"line_number":134,"context_line":"`admin` role on the system."},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"Instead, we decided to relax the assumption that anyone using a system-scoped"},{"line_number":137,"context_line":"token should automatically be able to access any OpenStack 
API."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"To clarify, we did agree that system administrators (e.g., operators) should be"}],"source_content_type":"text/x-rst","patch_set":14,"id":"7e3e28a8_36920d17","line":136,"range":{"start_line":136,"start_character":23,"end_line":136,"end_character":28},"in_reply_to":"4ca8c95c_6c4e94a1","updated":"2021-11-18 15:21:46.000000000","message":"I agree with Alan about the wording.  We are not relaxing an assumption here, we are imposing a constraint that system-scoped personas *cannot* act on project-level resources.  The points in the \"To clarify\" paragraph below explain that this constraint is not unduly burdensome, but I think we need to be clear that we are tightening things up, not relaxing them.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3b21cc171b27cfb83602f44ffbd304994dcc564a","unresolved":false,"context_lines":[{"line_number":133,"context_line":"problem from a user with the `admin` role on a project to anyone with the"},{"line_number":134,"context_line":"`admin` role on the system."},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"Instead, we decided to relax the assumption that anyone using a system-scoped"},{"line_number":137,"context_line":"token should automatically be able to access any OpenStack API."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"To clarify, we did agree that system administrators (e.g., operators) should be"}],"source_content_type":"text/x-rst","patch_set":14,"id":"78d89a68_3002c069","line":136,"range":{"start_line":136,"start_character":23,"end_line":136,"end_character":28},"in_reply_to":"81ddfec6_a5786c16","updated":"2021-11-18 16:33:36.000000000","message":"+1, let\u0027s make it clear about what new direction we are going not the 
one we did in past and changing it.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"56c6125f34821b3a8d40de796a7ff2ba630fe465","unresolved":true,"context_lines":[{"line_number":133,"context_line":"problem from a user with the `admin` role on a project to anyone with the"},{"line_number":134,"context_line":"`admin` role on the system."},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"Instead, we decided to relax the assumption that anyone using a system-scoped"},{"line_number":137,"context_line":"token should automatically be able to access any OpenStack API."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"To clarify, we did agree that system administrators (e.g., operators) should be"}],"source_content_type":"text/x-rst","patch_set":14,"id":"4ca8c95c_6c4e94a1","line":136,"range":{"start_line":136,"start_character":23,"end_line":136,"end_character":28},"in_reply_to":"b6bddf36_4226cc88","updated":"2021-11-17 21:58:17.000000000","message":"Nope, I\u0027m not saying you\u0027re wrong I just wanted to make sure we agreed on what \"giving themselves access\" meant. Sounds like we do. 
I\u0027m all for pedantry over words and phrases like this, and I think we\u0027ve demonstrated that it\u0027s very important to be precise in these matters :)","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"dc4cbaff922c68dfe9ce7a51fd8e973c845a86ae","unresolved":true,"context_lines":[{"line_number":133,"context_line":"problem from a user with the `admin` role on a project to anyone with the"},{"line_number":134,"context_line":"`admin` role on the system."},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"Instead, we decided to relax the assumption that anyone using a system-scoped"},{"line_number":137,"context_line":"token should automatically be able to access any OpenStack API."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"To clarify, we did agree that system administrators (e.g., operators) should be"}],"source_content_type":"text/x-rst","patch_set":14,"id":"b6bddf36_4226cc88","line":136,"range":{"start_line":136,"start_character":23,"end_line":136,"end_character":28},"in_reply_to":"e25c3187_333cda0a","updated":"2021-11-17 20:53:30.000000000","message":"I fully agree. 
I just interpreted \"relax the assumption\" to mean the assumption might still be valid that system admins \"should *automatically* be able to access any OpenStack API.\" It won\u0027t be automatic; they need to grant themselves access.\n\nMaybe I\u0027m being pedantic, and we can disregard my comment if others are OK with the current wording.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d10345c46748c7fa7ad5e4acf155df235d0d2ab2","unresolved":true,"context_lines":[{"line_number":175,"context_line":""},{"line_number":176,"context_line":"We need very clear documentation that describes all the potential personas,"},{"line_number":177,"context_line":"what they mean, who they were designed for, and how to use them. By the end of"},{"line_number":178,"context_line":"the Yoga release, this document should included each persona and what it\u0027s"},{"line_number":179,"context_line":"support is across OpenStack services."},{"line_number":180,"context_line":""},{"line_number":181,"context_line":"Engineers should use this documentation to determine what the default policy"}],"source_content_type":"text/x-rst","patch_set":14,"id":"de18edf7_7194d918","line":178,"range":{"start_line":178,"start_character":39,"end_line":178,"end_character":47},"updated":"2021-11-18 15:21:46.000000000","message":"nit: \u0027include\u0027 and \u0027its\u0027","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a8cd8fb25b1c37204fe9b5e6444acab0fcf22679","unresolved":false,"context_lines":[{"line_number":175,"context_line":""},{"line_number":176,"context_line":"We need very clear documentation that describes all the potential personas,"},{"line_number":177,"context_line":"what they mean, who they were designed for, and 
how to use them. By the end of"},{"line_number":178,"context_line":"the Yoga release, this document should included each persona and what it\u0027s"},{"line_number":179,"context_line":"support is across OpenStack services."},{"line_number":180,"context_line":""},{"line_number":181,"context_line":"Engineers should use this documentation to determine what the default policy"}],"source_content_type":"text/x-rst","patch_set":14,"id":"cfda8b45_79b86d59","line":178,"range":{"start_line":178,"start_character":39,"end_line":178,"end_character":47},"in_reply_to":"de18edf7_7194d918","updated":"2021-11-18 16:12:50.000000000","message":"Done","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d10345c46748c7fa7ad5e4acf155df235d0d2ab2","unresolved":true,"context_lines":[{"line_number":179,"context_line":"support is across OpenStack services."},{"line_number":180,"context_line":""},{"line_number":181,"context_line":"Engineers should use this documentation to determine what the default policy"},{"line_number":182,"context_line":"should be for APIs they\u0027re developing and maintaining. Operators should use"},{"line_number":183,"context_line":"it to understand what permissions are the most appropriate for their users."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Re-evaluate project-specific API policies"},{"line_number":186,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":14,"id":"8f8ebc60_6d2a2295","line":183,"range":{"start_line":182,"start_character":55,"end_line":183,"end_character":75},"updated":"2021-11-18 15:21:46.000000000","message":"I think we need an additional statement in this documentation for operators.  
They will not be able to \"cross the streams\" in a policy.yaml file and make a rule that recognizes a system-* persona work for a project-* persona once the single-scope-type-per-rule is implemented as described in the next section.  I mention this because bugs have been filed against cinder in the past where an operator wanted to loosen up a single policy, but was blocked by an is_admin check in the code (yeah, which shouldn\u0027t have been there, but my point is that we need to constrain the expectations for how customizable the policy file is).","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a8cd8fb25b1c37204fe9b5e6444acab0fcf22679","unresolved":false,"context_lines":[{"line_number":179,"context_line":"support is across OpenStack services."},{"line_number":180,"context_line":""},{"line_number":181,"context_line":"Engineers should use this documentation to determine what the default policy"},{"line_number":182,"context_line":"should be for APIs they\u0027re developing and maintaining. 
Operators should use"},{"line_number":183,"context_line":"it to understand what permissions are the most appropriate for their users."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Re-evaluate project-specific API policies"},{"line_number":186,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":14,"id":"59393105_0e93002f","line":183,"range":{"start_line":182,"start_character":55,"end_line":183,"end_character":75},"in_reply_to":"8f8ebc60_6d2a2295","updated":"2021-11-18 16:12:50.000000000","message":"Done","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d10345c46748c7fa7ad5e4acf155df235d0d2ab2","unresolved":true,"context_lines":[{"line_number":186,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"We need to go through each policy across OpenStack services and make sure it"},{"line_number":189,"context_line":"aligns with the direction described above. Ideally, each policy should only"},{"line_number":190,"context_line":"include a single scope type. For example, the following policy was written to"},{"line_number":191,"context_line":"eventually allow system administrators to create instances on a targeted host"},{"line_number":192,"context_line":"using a system-scoped token:"},{"line_number":193,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"e6eba21b_a0e93346","line":190,"range":{"start_line":189,"start_character":43,"end_line":190,"end_character":28},"updated":"2021-11-18 15:21:46.000000000","message":"This is the \"money quote\" for this section, I\u0027d like to see it emphasized somehow (either by making it bold font or pulled out into its own sentence--you don\u0027t want it to get lost in the narrative).  
You might also want to give a forward reference to line 285 where you discuss the allowable exceptions.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a8cd8fb25b1c37204fe9b5e6444acab0fcf22679","unresolved":false,"context_lines":[{"line_number":186,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"We need to go through each policy across OpenStack services and make sure it"},{"line_number":189,"context_line":"aligns with the direction described above. Ideally, each policy should only"},{"line_number":190,"context_line":"include a single scope type. For example, the following policy was written to"},{"line_number":191,"context_line":"eventually allow system administrators to create instances on a targeted host"},{"line_number":192,"context_line":"using a system-scoped token:"},{"line_number":193,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"80c5227b_11ddc4eb","line":190,"range":{"start_line":189,"start_character":43,"end_line":190,"end_character":28},"in_reply_to":"e6eba21b_a0e93346","updated":"2021-11-18 16:12:50.000000000","message":"Done","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"643cb58e8b540efe96d2b71867abfbe6cb18fa14","unresolved":true,"context_lines":[{"line_number":211,"context_line":"   )"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"This will only allow operators with a project-scoped token containing the"},{"line_number":214,"context_line":"``admin`` role to perform targeted. 
If or when nova sanitizes hypervisor"},{"line_number":215,"context_line":"discovery to expose information safely to end users, the policy could evolve"},{"line_number":216,"context_line":"further:"},{"line_number":217,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"8c764cff_995cb752","line":214,"range":{"start_line":214,"start_character":15,"end_line":214,"end_character":34},"updated":"2021-11-17 20:12:15.000000000","message":"This sentence ends abruptly, and I suspect something was lost in an edit.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2d10dca28d7c77da8e534a8795cc23c5e125c986","unresolved":false,"context_lines":[{"line_number":211,"context_line":"   )"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"This will only allow operators with a project-scoped token containing the"},{"line_number":214,"context_line":"``admin`` role to perform targeted. If or when nova sanitizes hypervisor"},{"line_number":215,"context_line":"discovery to expose information safely to end users, the policy could evolve"},{"line_number":216,"context_line":"further:"},{"line_number":217,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"73e54d70_f98bda57","line":214,"range":{"start_line":214,"start_character":15,"end_line":214,"end_character":34},"in_reply_to":"8c764cff_995cb752","updated":"2021-11-18 15:58:41.000000000","message":"Yep - you\u0027re right. 
Fixed.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d10345c46748c7fa7ad5e4acf155df235d0d2ab2","unresolved":true,"context_lines":[{"line_number":269,"context_line":"       check_str\u003d\u0027role:admin\u0027,"},{"line_number":270,"context_line":"       scope_types\u003d[\u0027system\u0027]"},{"line_number":271,"context_line":"   )"},{"line_number":272,"context_line":""},{"line_number":273,"context_line":"Note that each example above only uses a role check in the check string. This"},{"line_number":274,"context_line":"is by design and allows for backwards compatibility while the ``[oslo_policy]"},{"line_number":275,"context_line":"enforce_scope\u003dFalse`` because a user with the ``admin`` role on a project is"},{"line_number":276,"context_line":"still allowed to access that API."},{"line_number":277,"context_line":""},{"line_number":278,"context_line":"Once ``[oslo_policy] enforce_scope\u003dTrue``, the API will only be exposed to"},{"line_number":279,"context_line":"system users. 
Once we can guarantee that scope enforcement happens in"},{"line_number":280,"context_line":"oslo.policy using ``enforce_scope`` we can re-assess the roles of each policy"},{"line_number":281,"context_line":"and loosen them as necessary (e.g., moving from ``role:admin`` to"},{"line_number":282,"context_line":"``role:member`` or ``role:reader`` where system-member or system-reader is"},{"line_number":283,"context_line":"appropriate)."},{"line_number":284,"context_line":""},{"line_number":285,"context_line":"Crafting check strings for APIs that interact with multiple scopes"},{"line_number":286,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bb915487_c784d95a","line":283,"range":{"start_line":272,"start_character":0,"end_line":283,"end_character":13},"updated":"2021-11-18 15:21:46.000000000","message":"maybe make this a .. note or something ... this is a key point for the people implementing this goal, and it would be good to emphasize it","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a8cd8fb25b1c37204fe9b5e6444acab0fcf22679","unresolved":false,"context_lines":[{"line_number":269,"context_line":"       check_str\u003d\u0027role:admin\u0027,"},{"line_number":270,"context_line":"       scope_types\u003d[\u0027system\u0027]"},{"line_number":271,"context_line":"   )"},{"line_number":272,"context_line":""},{"line_number":273,"context_line":"Note that each example above only uses a role check in the check string. 
This"},{"line_number":274,"context_line":"is by design and allows for backwards compatibility while the ``[oslo_policy]"},{"line_number":275,"context_line":"enforce_scope\u003dFalse`` because a user with the ``admin`` role on a project is"},{"line_number":276,"context_line":"still allowed to access that API."},{"line_number":277,"context_line":""},{"line_number":278,"context_line":"Once ``[oslo_policy] enforce_scope\u003dTrue``, the API will only be exposed to"},{"line_number":279,"context_line":"system users. Once we can guarantee that scope enforcement happens in"},{"line_number":280,"context_line":"oslo.policy using ``enforce_scope`` we can re-assess the roles of each policy"},{"line_number":281,"context_line":"and loosen them as necessary (e.g., moving from ``role:admin`` to"},{"line_number":282,"context_line":"``role:member`` or ``role:reader`` where system-member or system-reader is"},{"line_number":283,"context_line":"appropriate)."},{"line_number":284,"context_line":""},{"line_number":285,"context_line":"Crafting check strings for APIs that interact with multiple scopes"},{"line_number":286,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":14,"id":"c3a3f09e_aa1d6149","line":283,"range":{"start_line":272,"start_character":0,"end_line":283,"end_character":13},"in_reply_to":"bb915487_c784d95a","updated":"2021-11-18 16:12:50.000000000","message":"Done","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"643cb58e8b540efe96d2b71867abfbe6cb18fa14","unresolved":true,"context_lines":[{"line_number":349,"context_line":"- Project Admin"},{"line_number":350,"context_line":"   - Denoted by someone with the ``admin`` role on a project"},{"line_number":351,"context_line":"   - Intended for operators who need elevated privilege on project 
resources"},{"line_number":352,"context_line":"   - Can perform operations on project resources that affect other projects in"},{"line_number":353,"context_line":"     the deployment"},{"line_number":354,"context_line":"   - Not intended for end users"},{"line_number":355,"context_line":"   - *Forcibly reset the state of an instance*"}],"source_content_type":"text/x-rst","patch_set":14,"id":"c4096e49_6cb78317","line":352,"range":{"start_line":352,"start_character":54,"end_line":352,"end_character":75},"updated":"2021-11-17 20:12:15.000000000","message":"Wait, what? Maybe I missed the discussion, but it doesn\u0027t feel natural for an admin on project X (but not project Y) to be able to do something that affects project Y. Maybe an example would help me understand the intent.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3b21cc171b27cfb83602f44ffbd304994dcc564a","unresolved":true,"context_lines":[{"line_number":349,"context_line":"- Project Admin"},{"line_number":350,"context_line":"   - Denoted by someone with the ``admin`` role on a project"},{"line_number":351,"context_line":"   - Intended for operators who need elevated privilege on project resources"},{"line_number":352,"context_line":"   - Can perform operations on project resources that affect other projects in"},{"line_number":353,"context_line":"     the deployment"},{"line_number":354,"context_line":"   - Not intended for end users"},{"line_number":355,"context_line":"   - *Forcibly reset the state of an instance*"}],"source_content_type":"text/x-rst","patch_set":14,"id":"edf66652_e921b4b7","line":352,"range":{"start_line":352,"start_character":54,"end_line":352,"end_character":75},"in_reply_to":"1ef57f92_5da72247","updated":"2021-11-18 16:33:36.000000000","message":"it is little confusing as it can be interpreted as do write operation 
on other project resoruce. we can make it clear that project admiun can perform such operation within their project which can affect other projects like making image public. Also saying it can perform the read operation for all project resources like list all projects instances.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"dc4cbaff922c68dfe9ce7a51fd8e973c845a86ae","unresolved":true,"context_lines":[{"line_number":349,"context_line":"- Project Admin"},{"line_number":350,"context_line":"   - Denoted by someone with the ``admin`` role on a project"},{"line_number":351,"context_line":"   - Intended for operators who need elevated privilege on project resources"},{"line_number":352,"context_line":"   - Can perform operations on project resources that affect other projects in"},{"line_number":353,"context_line":"     the deployment"},{"line_number":354,"context_line":"   - Not intended for end users"},{"line_number":355,"context_line":"   - *Forcibly reset the state of an instance*"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1ef57f92_5da72247","line":352,"range":{"start_line":352,"start_character":54,"end_line":352,"end_character":75},"in_reply_to":"925c06c5_98b39808","updated":"2021-11-17 20:53:30.000000000","message":"OK, that\u0027s a good example. Changing a project-specific resource to become \"public\" makes it visible to other projects. 
Thanks!","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f9d44af805b47ac951529c46b46e3e769eec2c05","unresolved":true,"context_lines":[{"line_number":349,"context_line":"- Project Admin"},{"line_number":350,"context_line":"   - Denoted by someone with the ``admin`` role on a project"},{"line_number":351,"context_line":"   - Intended for operators who need elevated privilege on project resources"},{"line_number":352,"context_line":"   - Can perform operations on project resources that affect other projects in"},{"line_number":353,"context_line":"     the deployment"},{"line_number":354,"context_line":"   - Not intended for end users"},{"line_number":355,"context_line":"   - *Forcibly reset the state of an instance*"}],"source_content_type":"text/x-rst","patch_set":14,"id":"925c06c5_98b39808","line":352,"range":{"start_line":352,"start_character":54,"end_line":352,"end_character":75},"in_reply_to":"c4096e49_6cb78317","updated":"2021-11-17 20:35:03.000000000","message":"I assume this means things like promoting an image in glance to being public. That is something that an admin could do in one project, but by virtue of what \"public\" means in glance, it affects everyone.\n\nIt might also be referring to the discussion relating to seeing all resources, across projects (although \"perform operations on .. 
resources\" sounds more like write instead of read).","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"9544a94861fa63eb414980955a80cd3f0ead9259","unresolved":true,"context_lines":[{"line_number":352,"context_line":"   - Can perform operations on project resources that affect other projects in"},{"line_number":353,"context_line":"     the deployment"},{"line_number":354,"context_line":"   - Not intended for end users"},{"line_number":355,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":356,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":357,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":358,"context_line":"   - *Making an image public to the entire deployment*"}],"source_content_type":"text/x-rst","patch_set":14,"id":"e6734973_685412dc","line":355,"updated":"2021-11-16 10:25:10.000000000","message":"I know that nova current default for resetState is admin only, but that operation can only affect the instance being reset so \"operations on project resources that affect other projects \" does not apply here as far as I see.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"87303746bc5a7c07056369a7527431d62189eea4","unresolved":false,"context_lines":[{"line_number":352,"context_line":"   - Can perform operations on project resources that affect other projects in"},{"line_number":353,"context_line":"     the deployment"},{"line_number":354,"context_line":"   - Not intended for end users"},{"line_number":355,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":356,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":357,"context_line":"  
 - *Setting the default volume type for a project*"},{"line_number":358,"context_line":"   - *Making an image public to the entire deployment*"}],"source_content_type":"text/x-rst","patch_set":14,"id":"c1bfaba0_c4c6629a","line":355,"in_reply_to":"d03bc28f_eeeba2b7","updated":"2021-11-16 16:26:57.000000000","message":"Ack","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"8e3ce27af7d803ab27efa2e37aabf26ebb6e846b","unresolved":true,"context_lines":[{"line_number":352,"context_line":"   - Can perform operations on project resources that affect other projects in"},{"line_number":353,"context_line":"     the deployment"},{"line_number":354,"context_line":"   - Not intended for end users"},{"line_number":355,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":356,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":357,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":358,"context_line":"   - *Making an image public to the entire deployment*"}],"source_content_type":"text/x-rst","patch_set":14,"id":"f124e587_3a1a115f","line":355,"in_reply_to":"e6734973_685412dc","updated":"2021-11-16 12:38:49.000000000","message":"reset-state is an exmple of an operation that is   \"Intended for operators who need elevated privilege on project resources\"","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"b036846ff35d459adc8829e3397a1799585a8d24","unresolved":true,"context_lines":[{"line_number":352,"context_line":"   - Can perform operations on project resources that affect other projects in"},{"line_number":353,"context_line":"     the deployment"},{"line_number":354,"context_line":"   - Not intended for end 
users"},{"line_number":355,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":356,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":357,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":358,"context_line":"   - *Making an image public to the entire deployment*"}],"source_content_type":"text/x-rst","patch_set":14,"id":"d03bc28f_eeeba2b7","line":355,"in_reply_to":"f124e587_3a1a115f","updated":"2021-11-16 13:03:36.000000000","message":"resetting to ACTIVE make sense to be privileged as that probably requires a check in the infra to see if the VM is really healthy. But resetting to ERROR to get out of a stuck situation followed by hard reboot / rebuild should be not require any extra knowledge.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"9544a94861fa63eb414980955a80cd3f0ead9259","unresolved":true,"context_lines":[{"line_number":357,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":358,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":359,"context_line":"   - *Create physical provider networks*"},{"line_number":360,"context_line":""},{"line_number":361,"context_line":"- Project Member"},{"line_number":362,"context_line":"   - Denoted by someone with the ``member`` role on a project"},{"line_number":363,"context_line":"   - Intended to be used by end users who consume resources within a project"}],"source_content_type":"text/x-rst","patch_set":14,"id":"95483c67_4f820847","line":360,"updated":"2021-11-16 10:25:10.000000000","message":"Is forcing a nova server to given host also project admin privilege?","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":4393,"name":"Dan 
Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ca65e32b10a54fedfe8c7d19f55220c30dc55647","unresolved":true,"context_lines":[{"line_number":357,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":358,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":359,"context_line":"   - *Create physical provider networks*"},{"line_number":360,"context_line":""},{"line_number":361,"context_line":"- Project Member"},{"line_number":362,"context_line":"   - Denoted by someone with the ``member`` role on a project"},{"line_number":363,"context_line":"   - Intended to be used by end users who consume resources within a project"}],"source_content_type":"text/x-rst","patch_set":14,"id":"fa1ac404_f341111d","line":360,"in_reply_to":"0a5feaef_63ee284b","updated":"2021-11-16 14:38:07.000000000","message":"\u003e OK, so the intention is still that to forcing a host is project admin.\n\nFor the moment yeah, as it\u0027s not something we can contain or sanitize and requires internal details of the infra in order to complete. 
Later, we hope to allow the manager role to be able to do this, because it\u0027s elevated privilege, but we need a way to expose the available hosts to them as options without disclosing details such as the hostname.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"87303746bc5a7c07056369a7527431d62189eea4","unresolved":true,"context_lines":[{"line_number":357,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":358,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":359,"context_line":"   - *Create physical provider networks*"},{"line_number":360,"context_line":""},{"line_number":361,"context_line":"- Project Member"},{"line_number":362,"context_line":"   - Denoted by someone with the ``member`` role on a project"},{"line_number":363,"context_line":"   - Intended to be used by end users who consume resources within a project"}],"source_content_type":"text/x-rst","patch_set":14,"id":"5f897ff1_4583e04a","line":360,"in_reply_to":"0a5feaef_63ee284b","updated":"2021-11-16 16:26:57.000000000","message":"we might choose to use project manager for that in target 2 but yes right now i think it need to be project admin.\n\nthe new defintion of project admin is a operator so they can use a system admin/reader token to get the host list.\n\nat some point we might want to consier how to expose this to a proejct manager but i think we shoudl discuss that in a nova specs\n------- later ------\n\ndan said more or less the same so i agree with there comment jsut forgot to push this earlier.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3b21cc171b27cfb83602f44ffbd304994dcc564a","unresolved":true,"context_lines":[{"line_number":357,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":358,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":359,"context_line":"   - *Create physical provider networks*"},{"line_number":360,"context_line":""},{"line_number":361,"context_line":"- Project Member"},{"line_number":362,"context_line":"   - Denoted by someone with the ``member`` role on a project"},{"line_number":363,"context_line":"   - Intended to be used by end users who consume resources within a project"}],"source_content_type":"text/x-rst","patch_set":14,"id":"7a0863bc_6b992dab","line":360,"in_reply_to":"5f897ff1_4583e04a","updated":"2021-11-18 16:33:36.000000000","message":"I have re-proposed the spec for this use case, let\u0027s see what best we fit there - https://review.opendev.org/c/openstack/nova-specs/+/793011","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"b036846ff35d459adc8829e3397a1799585a8d24","unresolved":true,"context_lines":[{"line_number":357,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":358,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":359,"context_line":"   - *Create physical provider networks*"},{"line_number":360,"context_line":""},{"line_number":361,"context_line":"- Project Member"},{"line_number":362,"context_line":"   - Denoted by someone with the ``member`` role on a project"},{"line_number":363,"context_line":"   - Intended to be used by end users who consume resources within a 
project"}],"source_content_type":"text/x-rst","patch_set":14,"id":"0a5feaef_63ee284b","line":360,"in_reply_to":"82f90c21_7b3a28cd","updated":"2021-11-16 13:03:36.000000000","message":"\u003e for server create yes it would be however that is a complicated example as the server create only need project memeber right its just the force host that need the old project admin definiton.\n\u003e \n\u003e so its the force destination that requires project admin not the server create which is easy to misinterpret.\n\nOK, so the intention is still that to forcing a host is project admin.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"8e3ce27af7d803ab27efa2e37aabf26ebb6e846b","unresolved":true,"context_lines":[{"line_number":357,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":358,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":359,"context_line":"   - *Create physical provider networks*"},{"line_number":360,"context_line":""},{"line_number":361,"context_line":"- Project Member"},{"line_number":362,"context_line":"   - Denoted by someone with the ``member`` role on a project"},{"line_number":363,"context_line":"   - Intended to be used by end users who consume resources within a project"}],"source_content_type":"text/x-rst","patch_set":14,"id":"82f90c21_7b3a28cd","line":360,"in_reply_to":"95483c67_4f820847","updated":"2021-11-16 12:38:49.000000000","message":"for server create yes it would be however that is a complicated example as the server create only need project memeber right its just the force host that need the old project admin definiton.\n\nso its the force destination that requires project admin not the server create which is easy to misinterpret.\n\nwe also dont allow operators to create instance on behalf of another project.\nthey need to give there 
user a role on that proejct (project member or porject admin which in trun give project memeber) to be able to create that instance as a member of that proejct.\n\nthe token they use in this case has to be created as a project scoped token for the project they are creating the instance on. they cant use the token for there default/admin token for the endusers proejct so its also not a good exampl eof \"operations on project resources that affect other projects\"\n\ni think its better to just avoid that exmaple\n\n\"Making an image public to the entire deployment\" i think is the cannonical example of \"operations on project resources that affect other projects\"","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1bd2df190d613716da26b5bfb1561eea35f0036d","unresolved":false,"context_lines":[{"line_number":357,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":358,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":359,"context_line":"   - *Create physical provider networks*"},{"line_number":360,"context_line":""},{"line_number":361,"context_line":"- Project Member"},{"line_number":362,"context_line":"   - Denoted by someone with the ``member`` role on a project"},{"line_number":363,"context_line":"   - Intended to be used by end users who consume resources within a project"}],"source_content_type":"text/x-rst","patch_set":14,"id":"025d808a_1f6d42da","line":360,"in_reply_to":"c7a55169_bef938d5","updated":"2021-11-16 15:54:58.000000000","message":"yeah, for now we need to go with the project admin which will be no change in current access and by exposing host uuid or so to project admin.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":9708,"name":"Balazs 
Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"fe668a7b6855dd3f21231190044f34f33a99d3fd","unresolved":false,"context_lines":[{"line_number":357,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":358,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":359,"context_line":"   - *Create physical provider networks*"},{"line_number":360,"context_line":""},{"line_number":361,"context_line":"- Project Member"},{"line_number":362,"context_line":"   - Denoted by someone with the ``member`` role on a project"},{"line_number":363,"context_line":"   - Intended to be used by end users who consume resources within a project"}],"source_content_type":"text/x-rst","patch_set":14,"id":"c7a55169_bef938d5","line":360,"in_reply_to":"fa1ac404_f341111d","updated":"2021-11-16 15:28:24.000000000","message":"Ack","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ca65e32b10a54fedfe8c7d19f55220c30dc55647","unresolved":true,"context_lines":[{"line_number":378,"context_line":"and project-admin personas. This is by design and starts to slowly break down"},{"line_number":379,"context_line":"the authorization associated to administrative tokens."},{"line_number":380,"context_line":""},{"line_number":381,"context_line":"Target 2"},{"line_number":382,"context_line":"--------"},{"line_number":383,"context_line":""},{"line_number":384,"context_line":"#. 
Create a new role in the hierarchy called ``manager``"}],"source_content_type":"text/x-rst","patch_set":14,"id":"0f87b852_3acbe2b8","line":381,"updated":"2021-11-16 14:38:07.000000000","message":"Unless I missed it above, I absolutely cannot get behind starting with #2 here 😊\n\nPresumably this is the thing we do after \"base goal\", but this reads to me like \"let me count how many apples I have: A, 2, III\" 😊","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1bd2df190d613716da26b5bfb1561eea35f0036d","unresolved":true,"context_lines":[{"line_number":378,"context_line":"and project-admin personas. This is by design and starts to slowly break down"},{"line_number":379,"context_line":"the authorization associated to administrative tokens."},{"line_number":380,"context_line":""},{"line_number":381,"context_line":"Target 2"},{"line_number":382,"context_line":"--------"},{"line_number":383,"context_line":""},{"line_number":384,"context_line":"#. Create a new role in the hierarchy called ``manager``"}],"source_content_type":"text/x-rst","patch_set":14,"id":"69265a41_af9170b8","line":381,"in_reply_to":"0f87b852_3acbe2b8","updated":"2021-11-16 15:54:58.000000000","message":"sure, let me add clear formatting/numbering here.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"8e3ce27af7d803ab27efa2e37aabf26ebb6e846b","unresolved":true,"context_lines":[{"line_number":388,"context_line":"   returns all resources, like instances, in a domain)"},{"line_number":389,"context_line":"#. 
Loosen system-admin policies to expose functionality to system-member and"},{"line_number":390,"context_line":"   system-reader where applicable"},{"line_number":391,"context_line":""},{"line_number":392,"context_line":"The future goals would enable other useful personas for operators to give to"},{"line_number":393,"context_line":"their peers or end users. The project-manager persona would use the ``manager``"},{"line_number":394,"context_line":"role and its place in the hierarchy would sit in-between the ``admin`` role and"}],"source_content_type":"text/x-rst","patch_set":14,"id":"293797d3_e75f98ea","line":391,"updated":"2021-11-16 12:38:49.000000000","message":"nit i also think we will need a new role in the hierarchy called ``service``\nwhich nova can use to do things like port binding which is currently a system admin api for a project resouce i.e. the port.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ca65e32b10a54fedfe8c7d19f55220c30dc55647","unresolved":true,"context_lines":[{"line_number":388,"context_line":"   returns all resources, like instances, in a domain)"},{"line_number":389,"context_line":"#. Loosen system-admin policies to expose functionality to system-member and"},{"line_number":390,"context_line":"   system-reader where applicable"},{"line_number":391,"context_line":""},{"line_number":392,"context_line":"The future goals would enable other useful personas for operators to give to"},{"line_number":393,"context_line":"their peers or end users. 
The project-manager persona would use the ``manager``"},{"line_number":394,"context_line":"role and its place in the hierarchy would sit in-between the ``admin`` role and"}],"source_content_type":"text/x-rst","patch_set":14,"id":"5e85bb8a_a95177f3","line":391,"in_reply_to":"293797d3_e75f98ea","updated":"2021-11-16 14:38:07.000000000","message":"Yeah, we discussed this and I agree. If the first round involves getting the existing personas fleshed out, and target 2 is about making that more fine-grained, then I would think the system role stuff could go in here.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"87303746bc5a7c07056369a7527431d62189eea4","unresolved":false,"context_lines":[{"line_number":388,"context_line":"   returns all resources, like instances, in a domain)"},{"line_number":389,"context_line":"#. Loosen system-admin policies to expose functionality to system-member and"},{"line_number":390,"context_line":"   system-reader where applicable"},{"line_number":391,"context_line":""},{"line_number":392,"context_line":"The future goals would enable other useful personas for operators to give to"},{"line_number":393,"context_line":"their peers or end users. 
The project-manager persona would use the ``manager``"},{"line_number":394,"context_line":"role and its place in the hierarchy would sit in-between the ``admin`` role and"}],"source_content_type":"text/x-rst","patch_set":14,"id":"6194d9f1_335867d1","line":391,"in_reply_to":"38227d03_d3f60967","updated":"2021-11-16 16:26:57.000000000","message":"Ack","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1bd2df190d613716da26b5bfb1561eea35f0036d","unresolved":true,"context_lines":[{"line_number":388,"context_line":"   returns all resources, like instances, in a domain)"},{"line_number":389,"context_line":"#. Loosen system-admin policies to expose functionality to system-member and"},{"line_number":390,"context_line":"   system-reader where applicable"},{"line_number":391,"context_line":""},{"line_number":392,"context_line":"The future goals would enable other useful personas for operators to give to"},{"line_number":393,"context_line":"their peers or end users. The project-manager persona would use the ``manager``"},{"line_number":394,"context_line":"role and its place in the hierarchy would sit in-between the ``admin`` role and"}],"source_content_type":"text/x-rst","patch_set":14,"id":"38227d03_d3f60967","line":391,"in_reply_to":"5e85bb8a_a95177f3","updated":"2021-11-16 15:54:58.000000000","message":"+1 yeah.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2d10dca28d7c77da8e534a8795cc23c5e125c986","unresolved":false,"context_lines":[{"line_number":388,"context_line":"   returns all resources, like instances, in a domain)"},{"line_number":389,"context_line":"#. 
Loosen system-admin policies to expose functionality to system-member and"},{"line_number":390,"context_line":"   system-reader where applicable"},{"line_number":391,"context_line":""},{"line_number":392,"context_line":"The future goals would enable other useful personas for operators to give to"},{"line_number":393,"context_line":"their peers or end users. The project-manager persona would use the ``manager``"},{"line_number":394,"context_line":"role and its place in the hierarchy would sit in-between the ``admin`` role and"}],"source_content_type":"text/x-rst","patch_set":14,"id":"dde58b5c_9822fbd6","line":391,"in_reply_to":"6194d9f1_335867d1","updated":"2021-11-18 15:58:41.000000000","message":"Yep - I think that makes a lot of sense.\n\nI hope doing the work defined in this goal will help make those service-specific APIs stick out a bit more, or at least build our awareness of them.\n\nDepending on how much each service needs, we could build the service roles into a separate hierarchy (if they don\u0027t require a bunch of overlap in the current role hierarchy).\n\nBut, yeah, I\u0027m getting ahead of myself. 
Big +1 from me on isolating the service-specific operations so we can finally implement the principal of least privilege for service users.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"8e3ce27af7d803ab27efa2e37aabf26ebb6e846b","unresolved":true,"context_lines":[{"line_number":399,"context_line":"   - Denoted by someone with the ``manager`` role on a project"},{"line_number":400,"context_line":"   - Intended to be used by end users"},{"line_number":401,"context_line":"   - Slightly more privileged than regular project-members"},{"line_number":402,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":403,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":404,"context_line":"   - *Setting the default secret store for a project*"},{"line_number":405,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"866b44da_1d3583e9","line":402,"range":{"start_line":402,"start_character":6,"end_line":402,"end_character":36},"updated":"2021-11-16 12:38:49.000000000","message":"this is not a really operations.\n\nthere are very few example of this in nova since we dont have project sepcific default that are user tunable like default volume type.\n\nthe best example i can think of is we might want to change lock/unlock to require proejct manager so a project member cant acidentailly delete or stop an important vm.\n\nwe had the idea of allowing people with the old project-admin role to force hosts when booting vms or movign them. that might be an ok example for project manager but i think lock would still be more correct.\n\nthis is more of a keystone capability but i could see project manager being allow to assign project manager/member/reader roles to users in that project or adding/removing a user from a project they manage too. 
perhaps even creating a new user whos primary proejct as teh project they manage.\n\nwe can likely leave this out of the goal as that is really a keystone disucssion but force reboots are not a thing so i woudl just remove this line or perhaps use the lock exampel but that will need change to nova to implement if other agree its a vaild usecase.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1bd2df190d613716da26b5bfb1561eea35f0036d","unresolved":true,"context_lines":[{"line_number":399,"context_line":"   - Denoted by someone with the ``manager`` role on a project"},{"line_number":400,"context_line":"   - Intended to be used by end users"},{"line_number":401,"context_line":"   - Slightly more privileged than regular project-members"},{"line_number":402,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":403,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":404,"context_line":"   - *Setting the default secret store for a project*"},{"line_number":405,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"d5e49677_244c1684","line":402,"range":{"start_line":402,"start_character":6,"end_line":402,"end_character":36},"in_reply_to":"70db5774_ddcb0529","updated":"2021-11-16 15:54:58.000000000","message":"ack, will update it in next iteration for a real example.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ca65e32b10a54fedfe8c7d19f55220c30dc55647","unresolved":true,"context_lines":[{"line_number":399,"context_line":"   - Denoted by someone with the ``manager`` role on a project"},{"line_number":400,"context_line":"   - Intended to be used by end users"},{"line_number":401,"context_line":"   - Slightly 
more privileged than regular project-members"},{"line_number":402,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":403,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":404,"context_line":"   - *Setting the default secret store for a project*"},{"line_number":405,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"70db5774_ddcb0529","line":402,"range":{"start_line":402,"start_character":6,"end_line":402,"end_character":36},"in_reply_to":"866b44da_1d3583e9","updated":"2021-11-16 14:38:07.000000000","message":"Yeah I think someone (could have been me) squashed together the \"reset state\" and \"force boot to host\" things together and we just started saying \"force reboot\" a bunch of times and it stuck. I mentioned this in a previous iteration, but it was fine when we were whiteboarding, but we should list *actual* things here for clarity.\n\n\u003e the best example i can think of is we might want to change lock/unlock to require proejct manager so a project member cant acidentailly delete or stop an important vm.\n\nYep, that\u0027s a good one for nova.\n\n\u003e we had the idea of allowing people with the old project-admin role to force hosts when booting vms or movign them. 
that might be an ok example for project manager but i think lock would still be more correct.\n\nI think we are definitely going to do that, but there\u0027s more involved in making that work, and lock is a nice clean example.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2d10dca28d7c77da8e534a8795cc23c5e125c986","unresolved":false,"context_lines":[{"line_number":399,"context_line":"   - Denoted by someone with the ``manager`` role on a project"},{"line_number":400,"context_line":"   - Intended to be used by end users"},{"line_number":401,"context_line":"   - Slightly more privileged than regular project-members"},{"line_number":402,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":403,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":404,"context_line":"   - *Setting the default secret store for a project*"},{"line_number":405,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"463ac8bb_6b3d2790","line":402,"range":{"start_line":402,"start_character":6,"end_line":402,"end_character":36},"in_reply_to":"d5e49677_244c1684","updated":"2021-11-18 15:58:41.000000000","message":"Done.\n\nGoing back to Sean\u0027s point about delegating role assignment to the end-user within a project. We\u0027ve approached that use case from the domain level.\n\nFor example, domain users (e.g., administrator) are able to add and remove users to projects within their domain.\n\nWe thought about opening this up to other users at the project level for hierarchical projects (e.g., if project A is a parent of project B, then a project-admin of project A and add and remove users on project B). But, we decided to punt on that functionality until we get a little further down the road. 
I think we can get a lot of mileage out of the domain personas and fully baking the role assignment work into hierarchical projects felt like we were over-engineering the solution when we weren\u0027t sure if we really needed it yet.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d10345c46748c7fa7ad5e4acf155df235d0d2ab2","unresolved":true,"context_lines":[{"line_number":443,"context_line":"Completion Date \u0026 Criteria"},{"line_number":444,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":445,"context_line":""},{"line_number":446,"context_line":"Milestone 1: Yoga Release R-3 (7th Mar 2022)"},{"line_number":447,"context_line":"--------------------------------------------"},{"line_number":448,"context_line":""},{"line_number":449,"context_line":"#. 
Keystone (moving to the new policy by default)"}],"source_content_type":"text/x-rst","patch_set":14,"id":"410c390f_b9b813e4","line":446,"range":{"start_line":446,"start_character":0,"end_line":446,"end_character":12},"updated":"2021-11-18 15:21:46.000000000","message":"I suggest not calling these \"milestones\" given that the dates don\u0027t map to the OpenStack Milestone dates for Yoga.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a8cd8fb25b1c37204fe9b5e6444acab0fcf22679","unresolved":false,"context_lines":[{"line_number":443,"context_line":"Completion Date \u0026 Criteria"},{"line_number":444,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":445,"context_line":""},{"line_number":446,"context_line":"Milestone 1: Yoga Release R-3 (7th Mar 2022)"},{"line_number":447,"context_line":"--------------------------------------------"},{"line_number":448,"context_line":""},{"line_number":449,"context_line":"#. 
Keystone (moving to the new policy by default)"}],"source_content_type":"text/x-rst","patch_set":14,"id":"42b8f417_063c33e6","line":446,"range":{"start_line":446,"start_character":0,"end_line":446,"end_character":12},"in_reply_to":"410c390f_b9b813e4","updated":"2021-11-18 16:12:50.000000000","message":"Done","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"643cb58e8b540efe96d2b71867abfbe6cb18fa14","unresolved":true,"context_lines":[{"line_number":452,"context_line":"   domain-admin, domain-member, domain-reader, project-admin, project-member,"},{"line_number":453,"context_line":"   and project-reader since the Train release."},{"line_number":454,"context_line":""},{"line_number":455,"context_line":"   For the Yoga release, Keystone should remove all deprecated policies which"},{"line_number":456,"context_line":"   will require operators to use the new personas. 
This will be relatively"},{"line_number":457,"context_line":"   low-touch for end-users since Keystone\u0027s API is mostly administrative."},{"line_number":458,"context_line":"   This gives operators the opportunity to experiment with the domain and"}],"source_content_type":"text/x-rst","patch_set":14,"id":"9642861c_ddd24a07","line":455,"range":{"start_line":455,"start_character":63,"end_line":455,"end_character":77},"updated":"2021-11-17 20:12:15.000000000","message":"I had to read this a couple of times before I was sure I understood the target of the \"which.\" I think adding a comma would clarify (\"policies, which\")","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2d10dca28d7c77da8e534a8795cc23c5e125c986","unresolved":false,"context_lines":[{"line_number":452,"context_line":"   domain-admin, domain-member, domain-reader, project-admin, project-member,"},{"line_number":453,"context_line":"   and project-reader since the Train release."},{"line_number":454,"context_line":""},{"line_number":455,"context_line":"   For the Yoga release, Keystone should remove all deprecated policies which"},{"line_number":456,"context_line":"   will require operators to use the new personas. 
This will be relatively"},{"line_number":457,"context_line":"   low-touch for end-users since Keystone\u0027s API is mostly administrative."},{"line_number":458,"context_line":"   This gives operators the opportunity to experiment with the domain and"}],"source_content_type":"text/x-rst","patch_set":14,"id":"79cca5f4_717ecc69","line":455,"range":{"start_line":455,"start_character":63,"end_line":455,"end_character":77},"in_reply_to":"9642861c_ddd24a07","updated":"2021-11-18 15:58:41.000000000","message":"Done","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d10345c46748c7fa7ad5e4acf155df235d0d2ab2","unresolved":true,"context_lines":[{"line_number":458,"context_line":"   This gives operators the opportunity to experiment with the domain and"},{"line_number":459,"context_line":"   system personas."},{"line_number":460,"context_line":""},{"line_number":461,"context_line":"#. Nova (Implement the new policy as experimental)"},{"line_number":462,"context_line":""},{"line_number":463,"context_line":"   Nova will complete the items mentioned in `Target 1`_ but keep new policy"},{"line_number":464,"context_line":"   disable by default and keep old policy deprecated and working as default."}],"source_content_type":"text/x-rst","patch_set":14,"id":"b059fff4_e1c553c6","line":461,"range":{"start_line":461,"start_character":9,"end_line":461,"end_character":49},"updated":"2021-11-18 15:21:46.000000000","message":"Dumb question, but how will this be flagged as \u0027experimental\u0027?  
Does that just mean the release notes will say \"we have new policies available that are disabled by default, and we do not recommend turning them on in production\"?","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3b21cc171b27cfb83602f44ffbd304994dcc564a","unresolved":true,"context_lines":[{"line_number":458,"context_line":"   This gives operators the opportunity to experiment with the domain and"},{"line_number":459,"context_line":"   system personas."},{"line_number":460,"context_line":""},{"line_number":461,"context_line":"#. Nova (Implement the new policy as experimental)"},{"line_number":462,"context_line":""},{"line_number":463,"context_line":"   Nova will complete the items mentioned in `Target 1`_ but keep new policy"},{"line_number":464,"context_line":"   disable by default and keep old policy deprecated and working as default."}],"source_content_type":"text/x-rst","patch_set":14,"id":"cdd54a58_66407c13","line":461,"range":{"start_line":461,"start_character":9,"end_line":461,"end_character":49},"in_reply_to":"b059fff4_e1c553c6","updated":"2021-11-18 16:33:36.000000000","message":"humm, this is good question. I am thinking either - \u0027not to mention in release notes at all\u0027 or mention as experimental in releasenotes like you mentioned.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"643cb58e8b540efe96d2b71867abfbe6cb18fa14","unresolved":true,"context_lines":[{"line_number":460,"context_line":""},{"line_number":461,"context_line":"#. 
Nova (Implement the new policy as experimental)"},{"line_number":462,"context_line":""},{"line_number":463,"context_line":"   Nova will complete the items mentioned in `Target 1`_ but keep new policy"},{"line_number":464,"context_line":"   disable by default and keep old policy deprecated and working as default."},{"line_number":465,"context_line":"   Also, Keep the new policy as experimental or do not mention in the release"},{"line_number":466,"context_line":"   notes for the Yoga cycle so that we can improve those based on feedback from"},{"line_number":467,"context_line":"   keystone policy usage."}],"source_content_type":"text/x-rst","patch_set":14,"id":"6a75f725_e547a536","line":464,"range":{"start_line":463,"start_character":66,"end_line":464,"end_character":21},"updated":"2021-11-17 20:12:15.000000000","message":"This \"new policy disable by default\" sounds like the inverse of oslo\u0027s enforce_new_defaults. Is the ability to disable new policies a nova thing, or will there be a new oslo_policy option?","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f9d44af805b47ac951529c46b46e3e769eec2c05","unresolved":true,"context_lines":[{"line_number":460,"context_line":""},{"line_number":461,"context_line":"#. 
Nova (Implement the new policy as experimental)"},{"line_number":462,"context_line":""},{"line_number":463,"context_line":"   Nova will complete the items mentioned in `Target 1`_ but keep new policy"},{"line_number":464,"context_line":"   disable by default and keep old policy deprecated and working as default."},{"line_number":465,"context_line":"   Also, Keep the new policy as experimental or do not mention in the release"},{"line_number":466,"context_line":"   notes for the Yoga cycle so that we can improve those based on feedback from"},{"line_number":467,"context_line":"   keystone policy usage."}],"source_content_type":"text/x-rst","patch_set":14,"id":"e77e3965_817deec9","line":464,"range":{"start_line":463,"start_character":66,"end_line":464,"end_character":21},"in_reply_to":"6a75f725_e547a536","updated":"2021-11-17 20:35:03.000000000","message":"Are you asking about the mechanics specifically? I think the goal here is that nova would not enable the new rules by default until Z. I guess since oslo controls that default, maybe we need some way to do that, which may or may not exist. Is that your point?","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"56c6125f34821b3a8d40de796a7ff2ba630fe465","unresolved":true,"context_lines":[{"line_number":460,"context_line":""},{"line_number":461,"context_line":"#. 
Nova (Implement the new policy as experimental)"},{"line_number":462,"context_line":""},{"line_number":463,"context_line":"   Nova will complete the items mentioned in `Target 1`_ but keep new policy"},{"line_number":464,"context_line":"   disable by default and keep old policy deprecated and working as default."},{"line_number":465,"context_line":"   Also, Keep the new policy as experimental or do not mention in the release"},{"line_number":466,"context_line":"   notes for the Yoga cycle so that we can improve those based on feedback from"},{"line_number":467,"context_line":"   keystone policy usage."}],"source_content_type":"text/x-rst","patch_set":14,"id":"fcd439ea_458b1f61","line":464,"range":{"start_line":463,"start_character":66,"end_line":464,"end_character":21},"in_reply_to":"8d620368_d492bd96","updated":"2021-11-17 21:58:17.000000000","message":"Yep, okay, good point. Maybe we just need a small action item to enable flipping that logic, or some procedure for ensuring that it gets set to what we expect (like glance currently requires that it matches the state of a glance-specific config, ensuring the operators don\u0027t change it without reading *glance* docs about it).","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"dc4cbaff922c68dfe9ce7a51fd8e973c845a86ae","unresolved":true,"context_lines":[{"line_number":460,"context_line":""},{"line_number":461,"context_line":"#. 
Nova (Implement the new policy as experimental)"},{"line_number":462,"context_line":""},{"line_number":463,"context_line":"   Nova will complete the items mentioned in `Target 1`_ but keep new policy"},{"line_number":464,"context_line":"   disable by default and keep old policy deprecated and working as default."},{"line_number":465,"context_line":"   Also, Keep the new policy as experimental or do not mention in the release"},{"line_number":466,"context_line":"   notes for the Yoga cycle so that we can improve those based on feedback from"},{"line_number":467,"context_line":"   keystone policy usage."}],"source_content_type":"text/x-rst","patch_set":14,"id":"8d620368_d492bd96","line":464,"range":{"start_line":463,"start_character":66,"end_line":464,"end_character":21},"in_reply_to":"e77e3965_817deec9","updated":"2021-11-17 20:53:30.000000000","message":"Yes. I know oslo can exclude/disable deprecated policies (enforce_new_defaults\u003dTrue), but I\u0027m not aware of it supporting a way to disable new policy rules, and _only_ allow deprecated rules.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3b21cc171b27cfb83602f44ffbd304994dcc564a","unresolved":true,"context_lines":[{"line_number":460,"context_line":""},{"line_number":461,"context_line":"#. 
Nova (Implement the new policy as experimental)"},{"line_number":462,"context_line":""},{"line_number":463,"context_line":"   Nova will complete the items mentioned in `Target 1`_ but keep new policy"},{"line_number":464,"context_line":"   disable by default and keep old policy deprecated and working as default."},{"line_number":465,"context_line":"   Also, Keep the new policy as experimental or do not mention in the release"},{"line_number":466,"context_line":"   notes for the Yoga cycle so that we can improve those based on feedback from"},{"line_number":467,"context_line":"   keystone policy usage."}],"source_content_type":"text/x-rst","patch_set":14,"id":"4eefd6bf_8615ae48","line":464,"range":{"start_line":463,"start_character":66,"end_line":464,"end_character":21},"in_reply_to":"fcd439ea_458b1f61","updated":"2021-11-18 16:33:36.000000000","message":"disable here mean keep below two oslo per service config option default to false which is they are currently:\n- CONF.enforce_new_defaults\u003dFalse\n- CONF.enforce_scope\u003dFalse\n\nOnce nova is ready in Z then these two config option default value can be changed for nova only using oslo.policy.opts.set_defaults() function so that for nova it will be enabled and rest of other service will be disabled via oslo policy default value.\n\nBasically same way we did for policy file config - https://github.com/openstack/nova/blob/7aa3a0f558ddbcac3cb97a7eef58cd878acc3f7a/nova/policy.py#L44-L48","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"9544a94861fa63eb414980955a80cd3f0ead9259","unresolved":true,"context_lines":[{"line_number":464,"context_line":"   disable by default and keep old policy deprecated and working as default."},{"line_number":465,"context_line":"   Also, Keep the new policy as experimental or do not mention in the 
release"},{"line_number":466,"context_line":"   notes for the Yoga cycle so that we can improve those based on feedback from"},{"line_number":467,"context_line":"   keystone policy usage."},{"line_number":468,"context_line":""},{"line_number":469,"context_line":"Milestone 2: Z Release R-3 (TODO)"},{"line_number":470,"context_line":"---------------------------------"}],"source_content_type":"text/x-rst","patch_set":14,"id":"9489d4bf_dd01678f","line":467,"updated":"2021-11-16 10:25:10.000000000","message":"Would be nice to get a spec up on nova side about the impact.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1bd2df190d613716da26b5bfb1561eea35f0036d","unresolved":true,"context_lines":[{"line_number":464,"context_line":"   disable by default and keep old policy deprecated and working as default."},{"line_number":465,"context_line":"   Also, Keep the new policy as experimental or do not mention in the release"},{"line_number":466,"context_line":"   notes for the Yoga cycle so that we can improve those based on feedback from"},{"line_number":467,"context_line":"   keystone policy usage."},{"line_number":468,"context_line":""},{"line_number":469,"context_line":"Milestone 2: Z Release R-3 (TODO)"},{"line_number":470,"context_line":"---------------------------------"}],"source_content_type":"text/x-rst","patch_set":14,"id":"846231d0_be74f8ec","line":467,"in_reply_to":"79428428_9bea00cb","updated":"2021-11-16 15:54:58.000000000","message":"Yeah, I have already started the audit of all the existing policy and plan is to out that on spec to review. 
I will push that - https://wiki.openstack.org/wiki/Nova/rbac","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"8e3ce27af7d803ab27efa2e37aabf26ebb6e846b","unresolved":true,"context_lines":[{"line_number":464,"context_line":"   disable by default and keep old policy deprecated and working as default."},{"line_number":465,"context_line":"   Also, Keep the new policy as experimental or do not mention in the release"},{"line_number":466,"context_line":"   notes for the Yoga cycle so that we can improve those based on feedback from"},{"line_number":467,"context_line":"   keystone policy usage."},{"line_number":468,"context_line":""},{"line_number":469,"context_line":"Milestone 2: Z Release R-3 (TODO)"},{"line_number":470,"context_line":"---------------------------------"}],"source_content_type":"text/x-rst","patch_set":14,"id":"79428428_9bea00cb","line":467,"in_reply_to":"9489d4bf_dd01678f","updated":"2021-11-16 12:38:49.000000000","message":"+1\ndan has already started some WIP patches to walk back the support we had added for project admin and other system scoped change that are now incorrect but it would be good to have spec even if its just a todo list of what we need to audit/adress to track everything.\n\nthat should not delay this goal document being updated just house keeping on our end.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"9544a94861fa63eb414980955a80cd3f0ead9259","unresolved":true,"context_lines":[{"line_number":465,"context_line":"   Also, Keep the new policy as experimental or do not mention in the release"},{"line_number":466,"context_line":"   notes for the Yoga cycle so that we can improve those based on feedback from"},{"line_number":467,"context_line":"   
keystone policy usage."},{"line_number":468,"context_line":""},{"line_number":469,"context_line":"Milestone 2: Z Release R-3 (TODO)"},{"line_number":470,"context_line":"---------------------------------"},{"line_number":471,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"70c8c1d6_6aded61f","line":468,"updated":"2021-11-16 10:25:10.000000000","message":"Do we miss other projects completing the Target 1? Like heat, cinder, glance, neutron?\n{quote}\n   - *Forcibly deleting an application stack*\n   - *Setting the default volume type for a project*\n   - *Making an image public to the entire deployment*\n   - *Create physical provider networks*\n{qoute}\n\nor are these already available?","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d10345c46748c7fa7ad5e4acf155df235d0d2ab2","unresolved":true,"context_lines":[{"line_number":465,"context_line":"   Also, Keep the new policy as experimental or do not mention in the release"},{"line_number":466,"context_line":"   notes for the Yoga cycle so that we can improve those based on feedback from"},{"line_number":467,"context_line":"   keystone policy usage."},{"line_number":468,"context_line":""},{"line_number":469,"context_line":"Milestone 2: Z Release R-3 (TODO)"},{"line_number":470,"context_line":"---------------------------------"},{"line_number":471,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"df40ac18_e2267bd2","line":468,"in_reply_to":"44bbd49d_aad362ac","updated":"2021-11-18 15:21:46.000000000","message":"Question: should other projects NOT complete Target 1 in Y, or are they allowed to as long as they include the \u0027experimental\u0027 tag?","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":11604,"name":"sean 
mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"8e3ce27af7d803ab27efa2e37aabf26ebb6e846b","unresolved":true,"context_lines":[{"line_number":465,"context_line":"   Also, Keep the new policy as experimental or do not mention in the release"},{"line_number":466,"context_line":"   notes for the Yoga cycle so that we can improve those based on feedback from"},{"line_number":467,"context_line":"   keystone policy usage."},{"line_number":468,"context_line":""},{"line_number":469,"context_line":"Milestone 2: Z Release R-3 (TODO)"},{"line_number":470,"context_line":"---------------------------------"},{"line_number":471,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"e8c6b1b7_8a51e399","line":468,"in_reply_to":"70c8c1d6_6aded61f","updated":"2021-11-16 12:38:49.000000000","message":"they may be using system admin for some of those operations today which really shoudl be project admin\nbased on the new deffintion of that.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"25c86275aed766f5e46d4503d5b90bca1a49f4d1","unresolved":true,"context_lines":[{"line_number":465,"context_line":"   Also, Keep the new policy as experimental or do not mention in the release"},{"line_number":466,"context_line":"   notes for the Yoga cycle so that we can improve those based on feedback from"},{"line_number":467,"context_line":"   keystone policy usage."},{"line_number":468,"context_line":""},{"line_number":469,"context_line":"Milestone 2: Z Release R-3 (TODO)"},{"line_number":470,"context_line":"---------------------------------"},{"line_number":471,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"fe8c126c_49c0ccf8","line":468,"in_reply_to":"82d68171_c57e0b63","updated":"2021-11-18 16:17:11.000000000","message":"Right, the reason to delay the other projects is purely for 
convenience, because they can rely on the fact that personas have been established and are working. If their stuff is ready before that and they want to document (via reno, I guess) the transition procedure in the detail required then that seems fine.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a8cd8fb25b1c37204fe9b5e6444acab0fcf22679","unresolved":true,"context_lines":[{"line_number":465,"context_line":"   Also, Keep the new policy as experimental or do not mention in the release"},{"line_number":466,"context_line":"   notes for the Yoga cycle so that we can improve those based on feedback from"},{"line_number":467,"context_line":"   keystone policy usage."},{"line_number":468,"context_line":""},{"line_number":469,"context_line":"Milestone 2: Z Release R-3 (TODO)"},{"line_number":470,"context_line":"---------------------------------"},{"line_number":471,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"82d68171_c57e0b63","line":468,"in_reply_to":"df40ac18_e2267bd2","updated":"2021-11-18 16:12:50.000000000","message":"I have no objection to projects tackling this work sooner.\n\nIt will mean we need to go through and make sure we understand who has done what so that we can provide a concise statement to operators about what they can and cannot do with the release (e.g., nova, cinder, and keystone support secure RBAC and you can enable it by doing X.)","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1bd2df190d613716da26b5bfb1561eea35f0036d","unresolved":true,"context_lines":[{"line_number":465,"context_line":"   Also, Keep the new policy as experimental or do not mention in the release"},{"line_number":466,"context_line":"   notes for 
the Yoga cycle so that we can improve those based on feedback from"},{"line_number":467,"context_line":"   keystone policy usage."},{"line_number":468,"context_line":""},{"line_number":469,"context_line":"Milestone 2: Z Release R-3 (TODO)"},{"line_number":470,"context_line":"---------------------------------"},{"line_number":471,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"eed8ed87_268bf556","line":468,"in_reply_to":"e8c6b1b7_8a51e399","updated":"2021-11-16 15:54:58.000000000","message":"Sure, I am ok to consider other projects also but in last meeting we discussed to try with keystone and nova and see how it goes in usgae point of view and if they are usable by operator then we will have good feedback to start it in other projects.\n\nBut we can add it here like if any projects want to do in parallel then ok or wait until we have things done in keystone and nova first?","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"d29a5ac08a6c010300f074a5f291508b304a4e71","unresolved":true,"context_lines":[{"line_number":465,"context_line":"   Also, Keep the new policy as experimental or do not mention in the release"},{"line_number":466,"context_line":"   notes for the Yoga cycle so that we can improve those based on feedback from"},{"line_number":467,"context_line":"   keystone policy usage."},{"line_number":468,"context_line":""},{"line_number":469,"context_line":"Milestone 2: Z Release R-3 (TODO)"},{"line_number":470,"context_line":"---------------------------------"},{"line_number":471,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"44bbd49d_aad362ac","line":468,"in_reply_to":"eed8ed87_268bf556","updated":"2021-11-17 13:17:06.000000000","message":"OK, I see now that the rest of Target 1 is mentioned in Milestone 2 below, so we are not forgetting it. 
Then I\u0027m OK not to do more than keystone + nova in Milestone 1.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"643cb58e8b540efe96d2b71867abfbe6cb18fa14","unresolved":true,"context_lines":[{"line_number":486,"context_line":""},{"line_number":487,"context_line":"#. All projects (moving to the new policy by default)"},{"line_number":488,"context_line":""},{"line_number":489,"context_line":"   Remove all deprecated policies which will require operators to use the new"},{"line_number":490,"context_line":"   personas. Enable the new policy as default."},{"line_number":491,"context_line":""},{"line_number":492,"context_line":"   Start implementing the items mentioned in `Target 2`_"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1234422c_47b0b041","line":489,"range":{"start_line":489,"start_character":25,"end_line":489,"end_character":39},"updated":"2021-11-17 20:12:15.000000000","message":"\"policies, which\" (add comma)?","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2d10dca28d7c77da8e534a8795cc23c5e125c986","unresolved":false,"context_lines":[{"line_number":486,"context_line":""},{"line_number":487,"context_line":"#. All projects (moving to the new policy by default)"},{"line_number":488,"context_line":""},{"line_number":489,"context_line":"   Remove all deprecated policies which will require operators to use the new"},{"line_number":490,"context_line":"   personas. 
Enable the new policy as default."},{"line_number":491,"context_line":""},{"line_number":492,"context_line":"   Start implementing the items mentioned in `Target 2`_"}],"source_content_type":"text/x-rst","patch_set":14,"id":"cae688b6_0fb13ad6","line":489,"range":{"start_line":489,"start_character":25,"end_line":489,"end_character":39},"in_reply_to":"1234422c_47b0b041","updated":"2021-11-18 15:58:41.000000000","message":"Done","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"8e3ce27af7d803ab27efa2e37aabf26ebb6e846b","unresolved":true,"context_lines":[{"line_number":466,"context_line":"   notes for the Yoga cycle so that we can improve those based on feedback from"},{"line_number":467,"context_line":"   keystone policy usage."},{"line_number":468,"context_line":""},{"line_number":469,"context_line":"Milestone 2: Z Release R-3 (TODO)"},{"line_number":470,"context_line":"---------------------------------"},{"line_number":471,"context_line":""},{"line_number":472,"context_line":"#. Keystone"},{"line_number":473,"context_line":""},{"line_number":474,"context_line":"   Start implementing the items mentioned in `Target 2`_"},{"line_number":475,"context_line":""},{"line_number":476,"context_line":"#. Other projects (Implement new policy as experimental)"},{"line_number":477,"context_line":""},{"line_number":478,"context_line":"   All other projects will complete the items mentioned in `Target 1`_ but keep"},{"line_number":479,"context_line":"   new policy disable by default and keep old policy deprecated and working as"},{"line_number":480,"context_line":"   default. 
Also, Keep the new policy as experimental or do not mention in the"},{"line_number":481,"context_line":"   release notes for the Yoga cycle so that we can improve those based on"},{"line_number":482,"context_line":"   feedback from Nova, keystone policy usage."},{"line_number":483,"context_line":""},{"line_number":484,"context_line":"Milestone 3: AA Release R-3 (TODO)"},{"line_number":485,"context_line":"----------------------------------"},{"line_number":486,"context_line":""},{"line_number":487,"context_line":"#. All projects (moving to the new policy by default)"},{"line_number":488,"context_line":""},{"line_number":489,"context_line":"   Remove all deprecated policies which will require operators to use the new"},{"line_number":490,"context_line":"   personas. Enable the new policy as default."},{"line_number":491,"context_line":""},{"line_number":492,"context_line":"   Start implementing the items mentioned in `Target 2`_"},{"line_number":493,"context_line":""},{"line_number":494,"context_line":""},{"line_number":495,"context_line":"References"}],"source_content_type":"text/x-rst","patch_set":14,"id":"ffbb5d50_e62b6d28","line":492,"range":{"start_line":469,"start_character":0,"end_line":492,"end_character":56},"updated":"2021-11-16 12:38:49.000000000","message":"with the current defeiotns of project member, project admin and system admin nova cannot correctly bind neutron ports. 
so without adding a service role or misusing system admin to allow nova to bind port which are project scoped resouces we can complete milestone 2 or 3.\n\ni am sure there are other admin only operation on project specric resource like nova external events api and possible cinder attachmenet or cyborg ARQs that also will need the service role.\n\nthe alternitive is to just continue to use system admin in the interim but that woudl not be inline with the persona above.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"87303746bc5a7c07056369a7527431d62189eea4","unresolved":true,"context_lines":[{"line_number":466,"context_line":"   notes for the Yoga cycle so that we can improve those based on feedback from"},{"line_number":467,"context_line":"   keystone policy usage."},{"line_number":468,"context_line":""},{"line_number":469,"context_line":"Milestone 2: Z Release R-3 (TODO)"},{"line_number":470,"context_line":"---------------------------------"},{"line_number":471,"context_line":""},{"line_number":472,"context_line":"#. Keystone"},{"line_number":473,"context_line":""},{"line_number":474,"context_line":"   Start implementing the items mentioned in `Target 2`_"},{"line_number":475,"context_line":""},{"line_number":476,"context_line":"#. Other projects (Implement new policy as experimental)"},{"line_number":477,"context_line":""},{"line_number":478,"context_line":"   All other projects will complete the items mentioned in `Target 1`_ but keep"},{"line_number":479,"context_line":"   new policy disable by default and keep old policy deprecated and working as"},{"line_number":480,"context_line":"   default. 
Also, Keep the new policy as experimental or do not mention in the"},{"line_number":481,"context_line":"   release notes for the Yoga cycle so that we can improve those based on"},{"line_number":482,"context_line":"   feedback from Nova, keystone policy usage."},{"line_number":483,"context_line":""},{"line_number":484,"context_line":"Milestone 3: AA Release R-3 (TODO)"},{"line_number":485,"context_line":"----------------------------------"},{"line_number":486,"context_line":""},{"line_number":487,"context_line":"#. All projects (moving to the new policy by default)"},{"line_number":488,"context_line":""},{"line_number":489,"context_line":"   Remove all deprecated policies which will require operators to use the new"},{"line_number":490,"context_line":"   personas. Enable the new policy as default."},{"line_number":491,"context_line":""},{"line_number":492,"context_line":"   Start implementing the items mentioned in `Target 2`_"},{"line_number":493,"context_line":""},{"line_number":494,"context_line":""},{"line_number":495,"context_line":"References"}],"source_content_type":"text/x-rst","patch_set":14,"id":"aab3ad8a_328fc840","line":492,"range":{"start_line":469,"start_character":0,"end_line":492,"end_character":56},"in_reply_to":"c61c42ff_86fdad91","updated":"2021-11-16 16:26:57.000000000","message":"the issue with project admin is the user token we used to bind a port or bind an ARQ is the admin token generated form nova cofnig. 
and that use will not be a project admin on every proejct in the cloud.\n\nthat is why its system_Admin today since it was previous  global admin to avoid the nova user needing to be admin on every project","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ca65e32b10a54fedfe8c7d19f55220c30dc55647","unresolved":true,"context_lines":[{"line_number":466,"context_line":"   notes for the Yoga cycle so that we can improve those based on feedback from"},{"line_number":467,"context_line":"   keystone policy usage."},{"line_number":468,"context_line":""},{"line_number":469,"context_line":"Milestone 2: Z Release R-3 (TODO)"},{"line_number":470,"context_line":"---------------------------------"},{"line_number":471,"context_line":""},{"line_number":472,"context_line":"#. Keystone"},{"line_number":473,"context_line":""},{"line_number":474,"context_line":"   Start implementing the items mentioned in `Target 2`_"},{"line_number":475,"context_line":""},{"line_number":476,"context_line":"#. Other projects (Implement new policy as experimental)"},{"line_number":477,"context_line":""},{"line_number":478,"context_line":"   All other projects will complete the items mentioned in `Target 1`_ but keep"},{"line_number":479,"context_line":"   new policy disable by default and keep old policy deprecated and working as"},{"line_number":480,"context_line":"   default. 
Also, Keep the new policy as experimental or do not mention in the"},{"line_number":481,"context_line":"   release notes for the Yoga cycle so that we can improve those based on"},{"line_number":482,"context_line":"   feedback from Nova, keystone policy usage."},{"line_number":483,"context_line":""},{"line_number":484,"context_line":"Milestone 3: AA Release R-3 (TODO)"},{"line_number":485,"context_line":"----------------------------------"},{"line_number":486,"context_line":""},{"line_number":487,"context_line":"#. All projects (moving to the new policy by default)"},{"line_number":488,"context_line":""},{"line_number":489,"context_line":"   Remove all deprecated policies which will require operators to use the new"},{"line_number":490,"context_line":"   personas. Enable the new policy as default."},{"line_number":491,"context_line":""},{"line_number":492,"context_line":"   Start implementing the items mentioned in `Target 2`_"},{"line_number":493,"context_line":""},{"line_number":494,"context_line":""},{"line_number":495,"context_line":"References"}],"source_content_type":"text/x-rst","patch_set":14,"id":"c61c42ff_86fdad91","line":492,"range":{"start_line":469,"start_character":0,"end_line":492,"end_character":56},"in_reply_to":"ffbb5d50_e62b6d28","updated":"2021-11-16 14:38:07.000000000","message":"This would be project admin for now, just like today. 
It\u0027s more granular than we have today because that user would have project admin, but not system admin and thus not be able to create and delete users like it can today.","commit_id":"75825b9796ce2c702fcdb37bda20817dce7af57f"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"6c7d61474bdc4f655856efcf7a1a97ccefd7e99b","unresolved":true,"context_lines":[{"line_number":387,"context_line":"the authorization associated to administrative tokens."},{"line_number":388,"context_line":""},{"line_number":389,"context_line":"Target 2"},{"line_number":390,"context_line":"--------"},{"line_number":391,"context_line":""},{"line_number":392,"context_line":"#. Create a new role in the hierarchy called ``manager``"},{"line_number":393,"context_line":"#. Update any applicable policies targeted for project-admin to project-manager"}],"source_content_type":"text/x-rst","patch_set":15,"id":"b0b755b7_ff9eceb4","line":390,"range":{"start_line":390,"start_character":0,"end_line":390,"end_character":8},"updated":"2021-11-18 19:07:12.000000000","message":"I think this should be \u003d\u003d\u003d\u003d\u003d\u003d to match line 167","commit_id":"c6e84d13de158567cabee4e7bffe108568e3fdff"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e9ff57839fa4cb4626352bfaf0167cea21d6f003","unresolved":false,"context_lines":[{"line_number":387,"context_line":"the authorization associated to administrative tokens."},{"line_number":388,"context_line":""},{"line_number":389,"context_line":"Target 2"},{"line_number":390,"context_line":"--------"},{"line_number":391,"context_line":""},{"line_number":392,"context_line":"#. Create a new role in the hierarchy called ``manager``"},{"line_number":393,"context_line":"#. 
Update any applicable policies targeted for project-admin to project-manager"}],"source_content_type":"text/x-rst","patch_set":15,"id":"d77eb441_d3ee2f4b","line":390,"range":{"start_line":390,"start_character":0,"end_line":390,"end_character":8},"in_reply_to":"b0b755b7_ff9eceb4","updated":"2021-11-19 14:19:32.000000000","message":"Done","commit_id":"c6e84d13de158567cabee4e7bffe108568e3fdff"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"0cf69c5d2e726f33e4cfabb5ee933d976a0ab17d","unresolved":true,"context_lines":[{"line_number":490,"context_line":"   default. Also, Keep the new policy as experimental or do not mention in the"},{"line_number":491,"context_line":"   release notes for the Yoga cycle so that we can improve those based on"},{"line_number":492,"context_line":"   feedback from Nova, keystone policy usage."},{"line_number":493,"context_line":""},{"line_number":494,"context_line":"Checkpoint 3: AA Release R-3 (TODO)"},{"line_number":495,"context_line":"-----------------------------------"},{"line_number":496,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"5a9eaeab_0f781f82","line":493,"range":{"start_line":493,"start_character":0,"end_line":493,"end_character":0},"updated":"2021-11-18 16:41:33.000000000","message":"as discussed, should we make nova adopts secure RBAC by default in Z so that we know the feedback and challenges for one service for new policy before we make it default in other projects in AA ?\n\nThat was main indent to do nova in Y so that along with keystone, we can try the things in Nova first (implement as experimental and make it default) before other projects start. 
If we want all projects to make it default togehter in AA then in Yoga itself we can ask other projects also to implement as experimental ?\n\nLet\u0027s discuss this in today call anyways.","commit_id":"c6e84d13de158567cabee4e7bffe108568e3fdff"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"828d1d47714934ee8da3359e1a07e93fdcefbdd3","unresolved":true,"context_lines":[{"line_number":480,"context_line":"   must have `Phase 1`_ complete, ideally either nova or cinder. `Phase 1`_"},{"line_number":481,"context_line":"   introduces the new personas but allows operators to opt into the new"},{"line_number":482,"context_line":"   behavior for services that complete `Phase 1`_. If multiple services"},{"line_number":483,"context_line":"   complete `Phase 1`_, the TC should discuss which service should update their"},{"line_number":484,"context_line":"   default policy settings to opt into the new personas."},{"line_number":485,"context_line":""},{"line_number":486,"context_line":"   `Phase 1`_ introduces the new policies but doesn\u0027t remove deprecated"},{"line_number":487,"context_line":"   policies, allowing operators to upgrade smoothly to the new permission"}],"source_content_type":"text/x-rst","patch_set":16,"id":"c461cc6d_3a1fefe8","line":484,"range":{"start_line":483,"start_character":24,"end_line":484,"end_character":56},"updated":"2021-11-18 23:47:14.000000000","message":"I think in Yoga timeline we agreed none of the services will not enforce new policy by default (disable by default but operator can enable them via config) and in Z we can do for nova, cinder?","commit_id":"9df0e2a249de5f0fb4c9b6e77d3636d72dbebec4"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"828d1d47714934ee8da3359e1a07e93fdcefbdd3","unresolved":true,"context_lines":[{"line_number":486,"context_line":"   `Phase 1`_ introduces the new policies but doesn\u0027t remove deprecated"},{"line_number":487,"context_line":"   policies, allowing operators to upgrade smoothly to the new permission"},{"line_number":488,"context_line":"   model on a per-service basis."},{"line_number":489,"context_line":""},{"line_number":490,"context_line":"   It\u0027s important that we have an OpenStack-wide release note or statement that"},{"line_number":491,"context_line":"   explicitly states the status of this work and how permissions behavior"},{"line_number":492,"context_line":"   across OpenStack services."}],"source_content_type":"text/x-rst","patch_set":16,"id":"edc7d6ad_9cbe95c0","line":489,"range":{"start_line":489,"start_character":0,"end_line":489,"end_character":0},"updated":"2021-11-18 23:47:14.000000000","message":"we can explicitly state that keep new policy disable by default","commit_id":"9df0e2a249de5f0fb4c9b6e77d3636d72dbebec4"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c789e7ae3c29b0fd17d007804d3466ce09d1b078","unresolved":true,"context_lines":[{"line_number":508,"context_line":"   scopes won\u0027t be supported in future releases."},{"line_number":509,"context_line":""},{"line_number":510,"context_line":"At this point, operators must run keystone with ``enforce_scope\u003dTrue`` since"},{"line_number":511,"context_line":"the deprecated policies will be gone. They must also run at least one service,"},{"line_number":512,"context_line":"agreed upon by the TC, using the personas delivered by `Phase 1`_. We can refer"},{"line_number":513,"context_line":"to this service as the *point service*. 
For example, nova would require using"},{"line_number":514,"context_line":"system-admin, project-admin, project-manager, project-member, and"},{"line_number":515,"context_line":"project-reader."},{"line_number":516,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"c2c2281b_80629152","line":513,"range":{"start_line":511,"start_character":38,"end_line":513,"end_character":40},"updated":"2021-11-18 23:57:40.000000000","message":"or I will say we can decide now itself with project agreement. Like nova is definitely ok and we can do for cinder too if cinder team ok?","commit_id":"9df0e2a249de5f0fb4c9b6e77d3636d72dbebec4"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fb5859e1b07d0e1559ab665b29de7adbfde64759","unresolved":false,"context_lines":[{"line_number":508,"context_line":"   scopes won\u0027t be supported in future releases."},{"line_number":509,"context_line":""},{"line_number":510,"context_line":"At this point, operators must run keystone with ``enforce_scope\u003dTrue`` since"},{"line_number":511,"context_line":"the deprecated policies will be gone. They must also run at least one service,"},{"line_number":512,"context_line":"agreed upon by the TC, using the personas delivered by `Phase 1`_. We can refer"},{"line_number":513,"context_line":"to this service as the *point service*. 
For example, nova would require using"},{"line_number":514,"context_line":"system-admin, project-admin, project-manager, project-member, and"},{"line_number":515,"context_line":"project-reader."},{"line_number":516,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"1ffc1264_8f7f8d5b","line":513,"range":{"start_line":511,"start_character":38,"end_line":513,"end_character":40},"in_reply_to":"c2c2281b_80629152","updated":"2021-11-19 15:36:15.000000000","message":"Done","commit_id":"9df0e2a249de5f0fb4c9b6e77d3636d72dbebec4"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"828d1d47714934ee8da3359e1a07e93fdcefbdd3","unresolved":true,"context_lines":[{"line_number":527,"context_line":"   and system scopes. Keystone has supported system-admin, system-member, and"},{"line_number":528,"context_line":"   system-reader since Train, which completes the `Phase 3`_ goals"},{"line_number":529,"context_line":""},{"line_number":530,"context_line":"#. All services must implement `Phase 1`_"},{"line_number":531,"context_line":""},{"line_number":532,"context_line":"#. The *point service* can remove all deprecated policies"},{"line_number":533,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"cd6033a9_902d9ab1","line":530,"range":{"start_line":530,"start_character":0,"end_line":530,"end_character":41},"updated":"2021-11-18 23:47:14.000000000","message":"+1, If we can achieve this even in Z, it will be a great progress.","commit_id":"9df0e2a249de5f0fb4c9b6e77d3636d72dbebec4"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fb5859e1b07d0e1559ab665b29de7adbfde64759","unresolved":false,"context_lines":[{"line_number":527,"context_line":"   and system scopes. 
Keystone has supported system-admin, system-member, and"},{"line_number":528,"context_line":"   system-reader since Train, which completes the `Phase 3`_ goals"},{"line_number":529,"context_line":""},{"line_number":530,"context_line":"#. All services must implement `Phase 1`_"},{"line_number":531,"context_line":""},{"line_number":532,"context_line":"#. The *point service* can remove all deprecated policies"},{"line_number":533,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"756d35e9_60a1b46d","line":530,"range":{"start_line":530,"start_character":0,"end_line":530,"end_character":41},"in_reply_to":"cd6033a9_902d9ab1","updated":"2021-11-19 15:36:15.000000000","message":"Done","commit_id":"9df0e2a249de5f0fb4c9b6e77d3636d72dbebec4"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"828d1d47714934ee8da3359e1a07e93fdcefbdd3","unresolved":true,"context_lines":[{"line_number":529,"context_line":""},{"line_number":530,"context_line":"#. All services must implement `Phase 1`_"},{"line_number":531,"context_line":""},{"line_number":532,"context_line":"#. The *point service* can remove all deprecated policies"},{"line_number":533,"context_line":""},{"line_number":534,"context_line":"#. The *point service* can implement `Phase 2`_"},{"line_number":535,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"ed30d843_88538afa","line":532,"range":{"start_line":532,"start_character":0,"end_line":532,"end_character":57},"updated":"2021-11-18 23:47:14.000000000","message":"this also, we said to do after services enable the new policy by default (enforce_scope\u003dTrue and enforce_new_default\u003dTrue). 
And in the next cycle after \u0027enable by default\u0027 we can start removing the deprecated rules.","commit_id":"9df0e2a249de5f0fb4c9b6e77d3636d72dbebec4"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fb5859e1b07d0e1559ab665b29de7adbfde64759","unresolved":false,"context_lines":[{"line_number":529,"context_line":""},{"line_number":530,"context_line":"#. All services must implement `Phase 1`_"},{"line_number":531,"context_line":""},{"line_number":532,"context_line":"#. The *point service* can remove all deprecated policies"},{"line_number":533,"context_line":""},{"line_number":534,"context_line":"#. The *point service* can implement `Phase 2`_"},{"line_number":535,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"cd1894f3_40296c58","line":532,"range":{"start_line":532,"start_character":0,"end_line":532,"end_character":57},"in_reply_to":"1c2dac6e_3882889b","updated":"2021-11-19 15:36:15.000000000","message":"Done","commit_id":"9df0e2a249de5f0fb4c9b6e77d3636d72dbebec4"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c789e7ae3c29b0fd17d007804d3466ce09d1b078","unresolved":true,"context_lines":[{"line_number":529,"context_line":""},{"line_number":530,"context_line":"#. All services must implement `Phase 1`_"},{"line_number":531,"context_line":""},{"line_number":532,"context_line":"#. The *point service* can remove all deprecated policies"},{"line_number":533,"context_line":""},{"line_number":534,"context_line":"#. 
The *point service* can implement `Phase 2`_"},{"line_number":535,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"1c2dac6e_3882889b","line":532,"range":{"start_line":532,"start_character":0,"end_line":532,"end_character":57},"in_reply_to":"ed30d843_88538afa","updated":"2021-11-18 23:57:40.000000000","message":"for example if nova, cinder are the *point service* then in Z they enable it by default and then in AA remove all the deprecated policies.","commit_id":"9df0e2a249de5f0fb4c9b6e77d3636d72dbebec4"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"828d1d47714934ee8da3359e1a07e93fdcefbdd3","unresolved":true,"context_lines":[{"line_number":536,"context_line":"At this point, every OpenStack service will have completed `Phase 1`_, which"},{"line_number":537,"context_line":"allows operators to opt into using system-admin, project-admin,"},{"line_number":538,"context_line":"project-manager, project-member, and project-reader across their entire"},{"line_number":539,"context_line":"deployment. 
The next release we can enforce scope by default."},{"line_number":540,"context_line":""},{"line_number":541,"context_line":"To summarize, operators will need to update every service configuration file"},{"line_number":542,"context_line":"where they want to use system-admin, project-admin, project-manager,"}],"source_content_type":"text/x-rst","patch_set":16,"id":"3e2906b1_90266ec4","line":539,"range":{"start_line":539,"start_character":11,"end_line":539,"end_character":61},"updated":"2021-11-18 23:47:14.000000000","message":"In Z, I think nova and cinder can enable it by default.","commit_id":"9df0e2a249de5f0fb4c9b6e77d3636d72dbebec4"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fb5859e1b07d0e1559ab665b29de7adbfde64759","unresolved":false,"context_lines":[{"line_number":536,"context_line":"At this point, every OpenStack service will have completed `Phase 1`_, which"},{"line_number":537,"context_line":"allows operators to opt into using system-admin, project-admin,"},{"line_number":538,"context_line":"project-manager, project-member, and project-reader across their entire"},{"line_number":539,"context_line":"deployment. 
The next release we can enforce scope by default."},{"line_number":540,"context_line":""},{"line_number":541,"context_line":"To summarize, operators will need to update every service configuration file"},{"line_number":542,"context_line":"where they want to use system-admin, project-admin, project-manager,"}],"source_content_type":"text/x-rst","patch_set":16,"id":"2aac1d76_937ef211","line":539,"range":{"start_line":539,"start_character":11,"end_line":539,"end_character":61},"in_reply_to":"3e2906b1_90266ec4","updated":"2021-11-19 15:36:15.000000000","message":"Done","commit_id":"9df0e2a249de5f0fb4c9b6e77d3636d72dbebec4"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"828d1d47714934ee8da3359e1a07e93fdcefbdd3","unresolved":true,"context_lines":[{"line_number":557,"context_line":"AA-Release Timeline"},{"line_number":558,"context_line":"^^^^^^^^^^^^^^^^^^^"},{"line_number":559,"context_line":""},{"line_number":560,"context_line":"#. Update oslo.policy ``enforce_scope\u003dTrue``"},{"line_number":561,"context_line":""},{"line_number":562,"context_line":"   Since all services have completed `Phase 1`_, we can update the default in"},{"line_number":563,"context_line":"   oslo.policy so that enforcement checks scope by default."}],"source_content_type":"text/x-rst","patch_set":16,"id":"080bd9b0_d8b22198","line":560,"range":{"start_line":560,"start_character":0,"end_line":560,"end_character":44},"updated":"2021-11-18 23:47:14.000000000","message":"+1. 
this will make all services enable the new policy and operators should switch to new one or disable it explicitly.","commit_id":"9df0e2a249de5f0fb4c9b6e77d3636d72dbebec4"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fb5859e1b07d0e1559ab665b29de7adbfde64759","unresolved":false,"context_lines":[{"line_number":557,"context_line":"AA-Release Timeline"},{"line_number":558,"context_line":"^^^^^^^^^^^^^^^^^^^"},{"line_number":559,"context_line":""},{"line_number":560,"context_line":"#. Update oslo.policy ``enforce_scope\u003dTrue``"},{"line_number":561,"context_line":""},{"line_number":562,"context_line":"   Since all services have completed `Phase 1`_, we can update the default in"},{"line_number":563,"context_line":"   oslo.policy so that enforcement checks scope by default."}],"source_content_type":"text/x-rst","patch_set":16,"id":"e9427a66_d2f80836","line":560,"range":{"start_line":560,"start_character":0,"end_line":560,"end_character":44},"in_reply_to":"080bd9b0_d8b22198","updated":"2021-11-19 15:36:15.000000000","message":"Ack","commit_id":"9df0e2a249de5f0fb4c9b6e77d3636d72dbebec4"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"828d1d47714934ee8da3359e1a07e93fdcefbdd3","unresolved":true,"context_lines":[{"line_number":562,"context_line":"   Since all services have completed `Phase 1`_, we can update the default in"},{"line_number":563,"context_line":"   oslo.policy so that enforcement checks scope by default."},{"line_number":564,"context_line":""},{"line_number":565,"context_line":"#. All services can remove deprecated policies used to implement `Phase 1`_"},{"line_number":566,"context_line":""},{"line_number":567,"context_line":"#. 
All services can start implementing `Phase 2`_"},{"line_number":568,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"54ba7f74_bcf3708d","line":565,"range":{"start_line":565,"start_character":0,"end_line":565,"end_character":73},"updated":"2021-11-18 23:47:14.000000000","message":"I think once they have enabled it by default then after that cycle they can remove the deprecated policies. (as \u0027deprecated policies used to implement `Phase 1`_\u0027 is our legacy policy)\n\nFlow for each services can be:\n- 1st cycle: implement phase_1\n- 2nd cycle: make new policy enable by default\n- 3rd cycle: remove the deprecated policy (this is what we are hoping but I think we might need to extend it depends on operator feedback. sooner we can do this will be great for us)\n\nfor nova, cinder 2nd cycle can be Z and 3rd can be AA. rest all other services 2nd cycle can be AA and 3rd can be BB.","commit_id":"9df0e2a249de5f0fb4c9b6e77d3636d72dbebec4"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fb5859e1b07d0e1559ab665b29de7adbfde64759","unresolved":false,"context_lines":[{"line_number":562,"context_line":"   Since all services have completed `Phase 1`_, we can update the default in"},{"line_number":563,"context_line":"   oslo.policy so that enforcement checks scope by default."},{"line_number":564,"context_line":""},{"line_number":565,"context_line":"#. All services can remove deprecated policies used to implement `Phase 1`_"},{"line_number":566,"context_line":""},{"line_number":567,"context_line":"#. 
All services can start implementing `Phase 2`_"},{"line_number":568,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"ef83f7b3_8ef45217","line":565,"range":{"start_line":565,"start_character":0,"end_line":565,"end_character":73},"in_reply_to":"54ba7f74_bcf3708d","updated":"2021-11-19 15:36:15.000000000","message":"Done","commit_id":"9df0e2a249de5f0fb4c9b6e77d3636d72dbebec4"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6e22cc9ed4cb9896b1a2de749d67e8c6b0ab1ad6","unresolved":true,"context_lines":[{"line_number":524,"context_line":""},{"line_number":525,"context_line":"#. All services must implement `Phase 1`_"},{"line_number":526,"context_line":""},{"line_number":527,"context_line":"#. Any service that completed `Phase 1`_ in Yoga can set ``enforce_scope\u003dTrue``"},{"line_number":528,"context_line":"   by default"},{"line_number":529,"context_line":""},{"line_number":530,"context_line":"At this point, every OpenStack service will have completed `Phase 1`_, which"},{"line_number":531,"context_line":"allows operators to opt into using system-admin, project-admin,"}],"source_content_type":"text/x-rst","patch_set":17,"id":"278f3fbe_51a7d498","line":528,"range":{"start_line":527,"start_character":0,"end_line":528,"end_character":13},"updated":"2021-11-19 16:18:54.000000000","message":"+1","commit_id":"c40680af55218b9afc260105f1c74b9ff363482c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"cc59a6273bf5d00b35d8126bd630f4eae83d32c9","unresolved":true,"context_lines":[{"line_number":524,"context_line":""},{"line_number":525,"context_line":"#. All services must implement `Phase 1`_"},{"line_number":526,"context_line":""},{"line_number":527,"context_line":"#. 
Any service that completed `Phase 1`_ in Yoga can set ``enforce_scope\u003dTrue``"},{"line_number":528,"context_line":"   by default"},{"line_number":529,"context_line":""},{"line_number":530,"context_line":"At this point, every OpenStack service will have completed `Phase 1`_, which"},{"line_number":531,"context_line":"allows operators to opt into using system-admin, project-admin,"}],"source_content_type":"text/x-rst","patch_set":17,"id":"7d1ad0ad_b5c177d7","line":528,"range":{"start_line":527,"start_character":0,"end_line":528,"end_character":13},"in_reply_to":"278f3fbe_51a7d498","updated":"2021-11-19 16:58:58.000000000","message":"I think the implication is obvious, but in order to have this defaulting to on, they have to have it enabled in a job. Meaning, nova has to make sure that neutron and cinder are able to call it with service-scoped tokens for those APIs affected by the scope check.\n\nI think it\u0027s obvious that we should be testing defaults, but just in case anyone thinks they could disable scope checking in devstack but otherwise default it to be on..that won\u0027t work.","commit_id":"c40680af55218b9afc260105f1c74b9ff363482c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"cc59a6273bf5d00b35d8126bd630f4eae83d32c9","unresolved":true,"context_lines":[{"line_number":572,"context_line":"BB-Release Timeline"},{"line_number":573,"context_line":"^^^^^^^^^^^^^^^^^^^"},{"line_number":574,"context_line":""},{"line_number":575,"context_line":"#. All services can removed deprecated policies used to implement `Phase 1`_"},{"line_number":576,"context_line":""},{"line_number":577,"context_line":"#. 
All services must implement `Phase 2`_"},{"line_number":578,"context_line":""}],"source_content_type":"text/x-rst","patch_set":17,"id":"af668eba_be3b5dfc","line":575,"range":{"start_line":575,"start_character":20,"end_line":575,"end_character":27},"updated":"2021-11-19 16:58:58.000000000","message":"remove","commit_id":"c40680af55218b9afc260105f1c74b9ff363482c"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"835fcf18060fb8bb1f9ca8b8e704cd283c886b1a","unresolved":false,"context_lines":[{"line_number":572,"context_line":"BB-Release Timeline"},{"line_number":573,"context_line":"^^^^^^^^^^^^^^^^^^^"},{"line_number":574,"context_line":""},{"line_number":575,"context_line":"#. All services can removed deprecated policies used to implement `Phase 1`_"},{"line_number":576,"context_line":""},{"line_number":577,"context_line":"#. All services must implement `Phase 2`_"},{"line_number":578,"context_line":""}],"source_content_type":"text/x-rst","patch_set":17,"id":"0e8fbc1a_8f93bf0e","line":575,"range":{"start_line":575,"start_character":20,"end_line":575,"end_character":27},"in_reply_to":"af668eba_be3b5dfc","updated":"2021-11-19 17:24:44.000000000","message":"Done","commit_id":"c40680af55218b9afc260105f1c74b9ff363482c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6e22cc9ed4cb9896b1a2de749d67e8c6b0ab1ad6","unresolved":true,"context_lines":[{"line_number":589,"context_line":""},{"line_number":590,"context_line":"#. All services can remove deprecated policies used to implement `Phase 2`_"},{"line_number":591,"context_line":""},{"line_number":592,"context_line":"#. All services must implement `Phase 3`_"},{"line_number":593,"context_line":""},{"line_number":594,"context_line":"#. 
Any service that completed `Phase 3`_ in the BB release can remove the"},{"line_number":595,"context_line":"   deprecated policies used to implement `Phase 3`_"}],"source_content_type":"text/x-rst","patch_set":17,"id":"a875d3ea_2901be2c","line":592,"range":{"start_line":592,"start_character":40,"end_line":592,"end_character":41},"updated":"2021-11-19 16:18:54.000000000","message":"and on the comment below: here itself we can say remove the deprecated policy done to implement in phase3 in next cycle.","commit_id":"c40680af55218b9afc260105f1c74b9ff363482c"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"835fcf18060fb8bb1f9ca8b8e704cd283c886b1a","unresolved":false,"context_lines":[{"line_number":589,"context_line":""},{"line_number":590,"context_line":"#. All services can remove deprecated policies used to implement `Phase 2`_"},{"line_number":591,"context_line":""},{"line_number":592,"context_line":"#. All services must implement `Phase 3`_"},{"line_number":593,"context_line":""},{"line_number":594,"context_line":"#. Any service that completed `Phase 3`_ in the BB release can remove the"},{"line_number":595,"context_line":"   deprecated policies used to implement `Phase 3`_"}],"source_content_type":"text/x-rst","patch_set":17,"id":"ba3ee250_a53a6603","line":592,"range":{"start_line":592,"start_character":40,"end_line":592,"end_character":41},"in_reply_to":"a875d3ea_2901be2c","updated":"2021-11-19 17:24:44.000000000","message":"I left this a bit more open-ended. 
Let me know if you\u0027d like me to adjust.\n\nI was trying to be really prescriptive in each release so that it\u0027s clear what exactly people need to do, but I agree these parts are redundant.","commit_id":"c40680af55218b9afc260105f1c74b9ff363482c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6e22cc9ed4cb9896b1a2de749d67e8c6b0ab1ad6","unresolved":true,"context_lines":[{"line_number":598,"context_line":"service role that is dedicated to service-to-service communication. The reduces"},{"line_number":599,"context_line":"the impact of a service token."},{"line_number":600,"context_line":""},{"line_number":601,"context_line":"DD-Release Timeline"},{"line_number":602,"context_line":"^^^^^^^^^^^^^^^^^^^"},{"line_number":603,"context_line":""},{"line_number":604,"context_line":"#. All services can remove deprecated policies used to implement `Phase 3`_"},{"line_number":605,"context_line":""},{"line_number":606,"context_line":"References"},{"line_number":607,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":17,"id":"e34a5f17_b9254551","line":604,"range":{"start_line":601,"start_character":0,"end_line":604,"end_character":75},"updated":"2021-11-19 16:18:54.000000000","message":"so these are usual deprecation phase everyone have to follow for any policy change. I was thinking to remove it and projects following policy deprecation phase will automatically take care of it. 
So that it does not seems like we are extended this work until DD release.\n\nBut if it is making deprecation phase very clear then i am fine.","commit_id":"c40680af55218b9afc260105f1c74b9ff363482c"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"835fcf18060fb8bb1f9ca8b8e704cd283c886b1a","unresolved":false,"context_lines":[{"line_number":598,"context_line":"service role that is dedicated to service-to-service communication. The reduces"},{"line_number":599,"context_line":"the impact of a service token."},{"line_number":600,"context_line":""},{"line_number":601,"context_line":"DD-Release Timeline"},{"line_number":602,"context_line":"^^^^^^^^^^^^^^^^^^^"},{"line_number":603,"context_line":""},{"line_number":604,"context_line":"#. All services can remove deprecated policies used to implement `Phase 3`_"},{"line_number":605,"context_line":""},{"line_number":606,"context_line":"References"},{"line_number":607,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":17,"id":"e4140af9_ac3a297f","line":604,"range":{"start_line":601,"start_character":0,"end_line":604,"end_character":75},"in_reply_to":"a2ddfa7e_311a2eae","updated":"2021-11-19 17:24:44.000000000","message":"Done","commit_id":"c40680af55218b9afc260105f1c74b9ff363482c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"cc59a6273bf5d00b35d8126bd630f4eae83d32c9","unresolved":true,"context_lines":[{"line_number":598,"context_line":"service role that is dedicated to service-to-service communication. 
The reduces"},{"line_number":599,"context_line":"the impact of a service token."},{"line_number":600,"context_line":""},{"line_number":601,"context_line":"DD-Release Timeline"},{"line_number":602,"context_line":"^^^^^^^^^^^^^^^^^^^"},{"line_number":603,"context_line":""},{"line_number":604,"context_line":"#. All services can remove deprecated policies used to implement `Phase 3`_"},{"line_number":605,"context_line":""},{"line_number":606,"context_line":"References"},{"line_number":607,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":17,"id":"a2ddfa7e_311a2eae","line":604,"range":{"start_line":601,"start_character":0,"end_line":604,"end_character":75},"in_reply_to":"e34a5f17_b9254551","updated":"2021-11-19 16:58:58.000000000","message":"I think in reality, DD is too far out to realistically expect proper forecasting at this point. Laying this stuff out as *A* possible sequence if everything goes to plan is very helpful, but these last few release prescriptions are pretty speculative at this point.","commit_id":"c40680af55218b9afc260105f1c74b9ff363482c"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f4ff0c419ece23912418a74bc631e1bb50479919","unresolved":true,"context_lines":[{"line_number":382,"context_line":"and project-admin personas. This is by design and starts to slowly break down"},{"line_number":383,"context_line":"the authorization associated to administrative tokens."},{"line_number":384,"context_line":""},{"line_number":385,"context_line":"Phase 2"},{"line_number":386,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":387,"context_line":""},{"line_number":388,"context_line":"Implement system-member and system-reader personas. 
This allows operators to"}],"source_content_type":"text/x-rst","patch_set":18,"id":"5d9ff538_786b06e8","line":385,"updated":"2021-11-22 21:54:47.000000000","message":"is this phase 2 also targeted for Yoga? Or for next releases?","commit_id":"8b5fdbbca0d5d516c27028d8e913fdbe89f801d1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"bb23afc37e074ff2d7fb2e2389bdd6d093456fa8","unresolved":true,"context_lines":[{"line_number":382,"context_line":"and project-admin personas. This is by design and starts to slowly break down"},{"line_number":383,"context_line":"the authorization associated to administrative tokens."},{"line_number":384,"context_line":""},{"line_number":385,"context_line":"Phase 2"},{"line_number":386,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":387,"context_line":""},{"line_number":388,"context_line":"Implement system-member and system-reader personas. This allows operators to"}],"source_content_type":"text/x-rst","patch_set":18,"id":"97b6a9ef_f01985a2","line":385,"in_reply_to":"5d9ff538_786b06e8","updated":"2021-11-22 22:24:57.000000000","message":"it\u0027s for the next releases. You can see the complete schedule @L442 for what all things to do in Yoga and what all to in next releases.","commit_id":"8b5fdbbca0d5d516c27028d8e913fdbe89f801d1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"0cbd0b1b7237b2404ddb025a4f276ba19a36e8ea","unresolved":false,"context_lines":[{"line_number":382,"context_line":"and project-admin personas. 
This is by design and starts to slowly break down"},{"line_number":383,"context_line":"the authorization associated to administrative tokens."},{"line_number":384,"context_line":""},{"line_number":385,"context_line":"Phase 2"},{"line_number":386,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":387,"context_line":""},{"line_number":388,"context_line":"Implement system-member and system-reader personas. This allows operators to"}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfde37c3_af260e0c","line":385,"in_reply_to":"97b6a9ef_f01985a2","updated":"2021-11-23 16:16:57.000000000","message":"Done","commit_id":"8b5fdbbca0d5d516c27028d8e913fdbe89f801d1"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"ada4230365f7f386f2903bffcbc02d3330fdefc3","unresolved":true,"context_lines":[{"line_number":409,"context_line":"   - Intended for operators or auditors for system-specific resources"},{"line_number":410,"context_line":"   - Not intended for end users"},{"line_number":411,"context_line":"   - *View hypervisor and aggregate information*"},{"line_number":412,"context_line":"   - *View volume types*"},{"line_number":413,"context_line":"   - *View all domains and identity providers within the deployment*"},{"line_number":414,"context_line":""},{"line_number":415,"context_line":"Phase 3"}],"source_content_type":"text/x-rst","patch_set":18,"id":"474de3b5_d6338bce","line":412,"range":{"start_line":412,"start_character":6,"end_line":412,"end_character":23},"updated":"2021-11-23 13:15:35.000000000","message":"nit: this isn\u0027t a good example because project-scoped personas need to do this too.  
I suggest replacing with \"List all cinder services\".","commit_id":"8b5fdbbca0d5d516c27028d8e913fdbe89f801d1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"0cbd0b1b7237b2404ddb025a4f276ba19a36e8ea","unresolved":false,"context_lines":[{"line_number":409,"context_line":"   - Intended for operators or auditors for system-specific resources"},{"line_number":410,"context_line":"   - Not intended for end users"},{"line_number":411,"context_line":"   - *View hypervisor and aggregate information*"},{"line_number":412,"context_line":"   - *View volume types*"},{"line_number":413,"context_line":"   - *View all domains and identity providers within the deployment*"},{"line_number":414,"context_line":""},{"line_number":415,"context_line":"Phase 3"}],"source_content_type":"text/x-rst","patch_set":18,"id":"96e101f9_224faa50","line":412,"range":{"start_line":412,"start_character":6,"end_line":412,"end_character":23},"in_reply_to":"474de3b5_d6338bce","updated":"2021-11-23 16:16:57.000000000","message":"Done","commit_id":"8b5fdbbca0d5d516c27028d8e913fdbe89f801d1"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"5cf3626e9866006ad70e9e62cfd319c432d7ce64","unresolved":true,"context_lines":[{"line_number":481,"context_line":"   - *List all cinder services*"},{"line_number":482,"context_line":"   - *View all domains and identity providers within the deployment*"},{"line_number":483,"context_line":""},{"line_number":484,"context_line":"Phase 3"},{"line_number":485,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":486,"context_line":""},{"line_number":487,"context_line":"#. 
Isolate service-to-service APIs to the ``service`` role"}],"source_content_type":"text/x-rst","patch_set":19,"id":"6e6f27c2_0e0909b9","line":484,"updated":"2021-11-23 20:18:51.000000000","message":"Thinking about this more in the last few days, and discussing with a few people...I feel like this probably brings more benefit than phase 2. Is there any reason we couldn\u0027t swap this position with phase 2 so we get the service role earlier?\n\nIn trying to weigh what operators get for all of this investment, I definitely think that service users are already too powerful, and the system scope stuff in phase 2 likely provides very small benefit to many people. If we\u0027re arranging these in order of \"most bang for the buck\" and \"what are users most interested in,\" wouldn\u0027t we put the service role formalization and tightening the policy for them ahead of the system scope stuff?\n\nMaybe I\u0027m missing some dependency that makes the ordering have to be like this, but if not...maybe it\u0027d be better to flip these?","commit_id":"5931c1932c966ad696c51fae1237c0afa75d5c58"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"2c318c2add9f0fb80b37c05860310d17e3f55363","unresolved":true,"context_lines":[{"line_number":481,"context_line":"   - *List all cinder services*"},{"line_number":482,"context_line":"   - *View all domains and identity providers within the deployment*"},{"line_number":483,"context_line":""},{"line_number":484,"context_line":"Phase 3"},{"line_number":485,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":486,"context_line":""},{"line_number":487,"context_line":"#. 
Isolate service-to-service APIs to the ``service`` role"}],"source_content_type":"text/x-rst","patch_set":19,"id":"ac734e92_74459ed4","line":484,"in_reply_to":"3e95f8e4_860c9886","updated":"2021-11-23 21:05:37.000000000","message":"Well, the way I look at it is: Phase 1 is about two things: standardizing roles and making sure project_foo doesn\u0027t automatically have the same amount of power as member. The service role thing is similar: standardizing another role and massively reducing the scope of stuff it can do in our default policy (i.e. not having to get admin or member to machines). That leaves system scope to come after the roles are sorted, and really is a totally different thing, which is categorizing some APIs as \"system-only and thus no need for project assignments for access control.\" Put that way, we\u0027re not only getting the most bang stuff earlier, but we\u0027re also grouping similar activities into adjacent windows (IMO at least).\n\nKnow what I mean?","commit_id":"5931c1932c966ad696c51fae1237c0afa75d5c58"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"36c66c5b196cc331fa2a356e17efb18e3f34cd61","unresolved":true,"context_lines":[{"line_number":481,"context_line":"   - *List all cinder services*"},{"line_number":482,"context_line":"   - *View all domains and identity providers within the deployment*"},{"line_number":483,"context_line":""},{"line_number":484,"context_line":"Phase 3"},{"line_number":485,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":486,"context_line":""},{"line_number":487,"context_line":"#. Isolate service-to-service APIs to the ``service`` role"}],"source_content_type":"text/x-rst","patch_set":19,"id":"e019a5ec_e72b66ce","line":484,"in_reply_to":"3fd0fbdf_c4ee0ed4","updated":"2021-11-24 15:00:53.000000000","message":"I too agree with Dan proposal of moving phase3 first. 
\n\nI think yes? system admin still be there in phase-1 and only system member and reader to move after service role.","commit_id":"5931c1932c966ad696c51fae1237c0afa75d5c58"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a22e67b0c13d7d4d3cc5e5747f30469698c75a39","unresolved":true,"context_lines":[{"line_number":481,"context_line":"   - *List all cinder services*"},{"line_number":482,"context_line":"   - *View all domains and identity providers within the deployment*"},{"line_number":483,"context_line":""},{"line_number":484,"context_line":"Phase 3"},{"line_number":485,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":486,"context_line":""},{"line_number":487,"context_line":"#. Isolate service-to-service APIs to the ``service`` role"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3e95f8e4_860c9886","line":484,"in_reply_to":"6e6f27c2_0e0909b9","updated":"2021-11-23 20:58:36.000000000","message":"Yeah - that\u0027s a good point.\n\nI don\u0027t think there is a hard dependency where the system-member and system-reader work must be done before the service role.\n\nOne advantage to keeping things grouped together would be maintaining the momentum on a single idea (system-scope), but that\u0027s an organizational opinion and I can\u0027t justify it in any meaningful way compared to the benefits we get applying the principle of least privilege to service accounts (which would be a huge win).","commit_id":"5931c1932c966ad696c51fae1237c0afa75d5c58"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9fc555571efc1ebf64615ca4fb86f5d3b678b623","unresolved":true,"context_lines":[{"line_number":481,"context_line":"   - *List all cinder services*"},{"line_number":482,"context_line":"   - *View all domains and identity providers within the 
deployment*"},{"line_number":483,"context_line":""},{"line_number":484,"context_line":"Phase 3"},{"line_number":485,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":486,"context_line":""},{"line_number":487,"context_line":"#. Isolate service-to-service APIs to the ``service`` role"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3fd0fbdf_c4ee0ed4","line":484,"in_reply_to":"ac734e92_74459ed4","updated":"2021-11-23 23:00:07.000000000","message":"Yeah - I think so.\n\nPhase 1 is still going include moving some of the functionality out of the project-admin persona and into the system-admin persona, right?","commit_id":"5931c1932c966ad696c51fae1237c0afa75d5c58"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"0fdffb869ae7a06145fb2b50498057e4f06c251e","unresolved":false,"context_lines":[{"line_number":481,"context_line":"   - *List all cinder services*"},{"line_number":482,"context_line":"   - *View all domains and identity providers within the deployment*"},{"line_number":483,"context_line":""},{"line_number":484,"context_line":"Phase 3"},{"line_number":485,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":486,"context_line":""},{"line_number":487,"context_line":"#. Isolate service-to-service APIs to the ``service`` role"}],"source_content_type":"text/x-rst","patch_set":19,"id":"b5935fc8_615fb726","line":484,"in_reply_to":"e019a5ec_e72b66ce","updated":"2021-11-29 15:24:10.000000000","message":"Yep - Ok. I think that makes sense. 
Flipping phase 2 and phase 3 allows us to roll out the service role bit sooner, which would be another huge win.\n\nUpdating that and posting a new version.","commit_id":"5931c1932c966ad696c51fae1237c0afa75d5c58"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"208cbda947587128c8751c791d519637a39532fd","unresolved":true,"context_lines":[{"line_number":1,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":2,"context_line":"Consistent and Secure Default RBAC"},{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"Existing policy defaults suffer from three major faults:"}],"source_content_type":"text/x-rst","patch_set":20,"id":"523bd888_6fb53964","side":"PARENT","line":2,"updated":"2021-11-29 16:49:54.000000000","message":"The in-file goal name changed but the file name stayed the same. 
I think the original goal name matches the ultimate \"goal of this goal\".","commit_id":"bf1b5848934ab209dea2255c22ca0f177719db3b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2154f75e4dd205d7aeca8a78fdc927c4833fd6b6","unresolved":false,"context_lines":[{"line_number":1,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":2,"context_line":"Consistent and Secure Default RBAC"},{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"Existing policy defaults suffer from three major faults:"}],"source_content_type":"text/x-rst","patch_set":20,"id":"c9a44586_59b200b1","side":"PARENT","line":2,"in_reply_to":"523bd888_6fb53964","updated":"2021-11-29 18:01:13.000000000","message":"Done","commit_id":"bf1b5848934ab209dea2255c22ca0f177719db3b"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"8bfd73c306a8e4f182cb617c7f57f94e1538530e","unresolved":true,"context_lines":[{"line_number":16,"context_line":"engine. This allowed the community to develop rich APIs, across services, that"},{"line_number":17,"context_line":"operate on different layers of the infrastructure. For example, OpenStack has"},{"line_number":18,"context_line":"APIs that manage compute hosts, services, endpoints, domains, physical"},{"line_number":19,"context_line":"networks, and storage pools. 
All of these resources require knowledge of the"},{"line_number":20,"context_line":"underlying hardware of deployment architecture and usage within a given"},{"line_number":21,"context_line":"organization. These APIs are clearly targeted at different users from APIs that"},{"line_number":22,"context_line":"expose resources, like instance, block storage devices, or virtual networks."},{"line_number":23,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"c4bcb217_75e7b610","line":20,"range":{"start_line":19,"start_character":60,"end_line":20,"end_character":33},"updated":"2021-11-30 18:08:51.000000000","message":"nit:  This is worded awkwardly.  Do you mean \u0027knowedge of the underlying hardware, of the deployment architecture and usage within a given organization\u0027?","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"336aa1f24ad955444107634f8c88238467866569","unresolved":false,"context_lines":[{"line_number":16,"context_line":"engine. This allowed the community to develop rich APIs, across services, that"},{"line_number":17,"context_line":"operate on different layers of the infrastructure. For example, OpenStack has"},{"line_number":18,"context_line":"APIs that manage compute hosts, services, endpoints, domains, physical"},{"line_number":19,"context_line":"networks, and storage pools. All of these resources require knowledge of the"},{"line_number":20,"context_line":"underlying hardware of deployment architecture and usage within a given"},{"line_number":21,"context_line":"organization. 
These APIs are clearly targeted at different users from APIs that"},{"line_number":22,"context_line":"expose resources, like instance, block storage devices, or virtual networks."},{"line_number":23,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"0977c60d_7a350550","line":20,"range":{"start_line":19,"start_character":60,"end_line":20,"end_character":33},"in_reply_to":"c4bcb217_75e7b610","updated":"2021-12-06 16:19:02.000000000","message":"Done","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"208cbda947587128c8751c791d519637a39532fd","unresolved":true,"context_lines":[{"line_number":22,"context_line":"expose resources, like instance, block storage devices, or virtual networks."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"The authorization strategy didn\u0027t age gracefully with the rest of OpenStack."},{"line_number":25,"context_line":"This means we use the best available tools at the time to protect the API we"},{"line_number":26,"context_line":"were developing across OpenStack."},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"This led to the following problems:"}],"source_content_type":"text/x-rst","patch_set":20,"id":"ae1ae6f4_c06292c5","line":25,"range":{"start_line":25,"start_character":14,"end_line":25,"end_character":18},"updated":"2021-11-29 16:49:54.000000000","message":"nit: used","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2154f75e4dd205d7aeca8a78fdc927c4833fd6b6","unresolved":false,"context_lines":[{"line_number":22,"context_line":"expose resources, like instance, block storage devices, or virtual 
networks."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"The authorization strategy didn\u0027t age gracefully with the rest of OpenStack."},{"line_number":25,"context_line":"This means we use the best available tools at the time to protect the API we"},{"line_number":26,"context_line":"were developing across OpenStack."},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"This led to the following problems:"}],"source_content_type":"text/x-rst","patch_set":20,"id":"a5142448_abc2876f","line":25,"range":{"start_line":25,"start_character":14,"end_line":25,"end_character":18},"in_reply_to":"ae1ae6f4_c06292c5","updated":"2021-11-29 18:01:13.000000000","message":"Done","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"208cbda947587128c8751c791d519637a39532fd","unresolved":true,"context_lines":[{"line_number":35,"context_line":"#. Operators need to be intimately familiar with the policy implementation to"},{"line_number":36,"context_line":"   supply overrides for valid use cases (read-only privileges)"},{"line_number":37,"context_line":"#. Auditing OpenStack APIs requires administrative access"},{"line_number":38,"context_line":"#. 
No role hierarchy makes it hard to establish any low-level collection"},{"line_number":39,"context_line":"   permission collection, like a role for read-only access, which is"},{"line_number":40,"context_line":"   implemented inconsistently across deployments"},{"line_number":41,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"54c33758_52a9a480","line":38,"range":{"start_line":38,"start_character":3,"end_line":38,"end_character":20},"updated":"2021-11-29 16:49:54.000000000","message":"\"Having no role hierarchy\"","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2154f75e4dd205d7aeca8a78fdc927c4833fd6b6","unresolved":false,"context_lines":[{"line_number":35,"context_line":"#. Operators need to be intimately familiar with the policy implementation to"},{"line_number":36,"context_line":"   supply overrides for valid use cases (read-only privileges)"},{"line_number":37,"context_line":"#. Auditing OpenStack APIs requires administrative access"},{"line_number":38,"context_line":"#. 
No role hierarchy makes it hard to establish any low-level collection"},{"line_number":39,"context_line":"   permission collection, like a role for read-only access, which is"},{"line_number":40,"context_line":"   implemented inconsistently across deployments"},{"line_number":41,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"6c0f3ce0_c5e8f4d0","line":38,"range":{"start_line":38,"start_character":3,"end_line":38,"end_character":20},"in_reply_to":"54c33758_52a9a480","updated":"2021-11-29 18:01:13.000000000","message":"Done","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"208cbda947587128c8751c791d519637a39532fd","unresolved":true,"context_lines":[{"line_number":148,"context_line":"So, where do we go from here?"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"We have a set of OpenStack services that have adopted system-scope with the"},{"line_number":151,"context_line":"idea that it should be used on project-specific resources. 
Other services have"},{"line_number":152,"context_line":"yet to adopt the system-scope feature."},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"Currently, none of the policy work we\u0027ve done since Queens is widely usable by"}],"source_content_type":"text/x-rst","patch_set":20,"id":"263b8ae6_dad51dd2","line":151,"range":{"start_line":151,"start_character":31,"end_line":151,"end_character":47},"updated":"2021-11-29 16:49:54.000000000","message":"not \"non-project-specific\"?","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2154f75e4dd205d7aeca8a78fdc927c4833fd6b6","unresolved":true,"context_lines":[{"line_number":148,"context_line":"So, where do we go from here?"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"We have a set of OpenStack services that have adopted system-scope with the"},{"line_number":151,"context_line":"idea that it should be used on project-specific resources. Other services have"},{"line_number":152,"context_line":"yet to adopt the system-scope feature."},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"Currently, none of the policy work we\u0027ve done since Queens is widely usable by"}],"source_content_type":"text/x-rst","patch_set":20,"id":"6a7a800d_7ddf2cac","line":151,"range":{"start_line":151,"start_character":31,"end_line":151,"end_character":47},"in_reply_to":"263b8ae6_dad51dd2","updated":"2021-11-29 18:01:13.000000000","message":"What I\u0027m attempting to describe here is that we have an idea that\u0027s been half-adopted. 
We applied the system-scope work to project-specific resources when it should only be applied to system-level resources.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"336aa1f24ad955444107634f8c88238467866569","unresolved":false,"context_lines":[{"line_number":148,"context_line":"So, where do we go from here?"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"We have a set of OpenStack services that have adopted system-scope with the"},{"line_number":151,"context_line":"idea that it should be used on project-specific resources. Other services have"},{"line_number":152,"context_line":"yet to adopt the system-scope feature."},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"Currently, none of the policy work we\u0027ve done since Queens is widely usable by"}],"source_content_type":"text/x-rst","patch_set":20,"id":"dd1243dd_7c6dc0e3","line":151,"range":{"start_line":151,"start_character":31,"end_line":151,"end_character":47},"in_reply_to":"2d6ea935_acc60bbc","updated":"2021-12-06 16:19:02.000000000","message":"Attempted to fix this in the follow-up.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"796648af0374c1e1f33df1c1ee4b90b7906a082d","unresolved":true,"context_lines":[{"line_number":148,"context_line":"So, where do we go from here?"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"We have a set of OpenStack services that have adopted system-scope with the"},{"line_number":151,"context_line":"idea that it should be used on project-specific resources. 
Other services have"},{"line_number":152,"context_line":"yet to adopt the system-scope feature."},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"Currently, none of the policy work we\u0027ve done since Queens is widely usable by"}],"source_content_type":"text/x-rst","patch_set":20,"id":"2d6ea935_acc60bbc","line":151,"range":{"start_line":151,"start_character":31,"end_line":151,"end_character":47},"in_reply_to":"6a7a800d_7ddf2cac","updated":"2021-11-29 18:07:23.000000000","message":"Then maybe: \"We have a set of OpenStack services that have adopted system-scope with the idea that it should also work on project-specific resources regardless of project (apart from non-project-specific ones).\" That would convey the proper message.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"8bfd73c306a8e4f182cb617c7f57f94e1538530e","unresolved":true,"context_lines":[{"line_number":267,"context_line":""},{"line_number":268,"context_line":".. note::"},{"line_number":269,"context_line":"   Each example above only uses a role check in the check string. This is by"},{"line_number":270,"context_line":"   design and allows for backwards compatibility while the ``[oslo_policy]"},{"line_number":271,"context_line":"   enforce_scope\u003dFalse`` because a user with the ``admin`` role on a project is"},{"line_number":272,"context_line":"   still allowed to access that API."},{"line_number":273,"context_line":""},{"line_number":274,"context_line":"   Once ``[oslo_policy] enforce_scope\u003dTrue``, the API will only be exposed to"}],"source_content_type":"text/x-rst","patch_set":20,"id":"04c53ef9_c8462c32","line":271,"range":{"start_line":270,"start_character":25,"end_line":271,"end_character":24},"updated":"2021-11-30 18:08:51.000000000","message":"Not sure what is being said here.  
Do you mean \u0027backwards compatibility while ``[oslo_policy] enforce_scope\u003dFalse`` is set, \u0027","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"208cbda947587128c8751c791d519637a39532fd","unresolved":true,"context_lines":[{"line_number":290,"context_line":"users should be able to view flavors available for them to use. Additionally,"},{"line_number":291,"context_line":"users with authorization on a domain should also be able to view flavors."},{"line_number":292,"context_line":""},{"line_number":293,"context_line":"The following show how you can specify multiple scopes for a single rule:"},{"line_number":294,"context_line":""},{"line_number":295,"context_line":".. code-block:: python"},{"line_number":296,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"aafcb0ff_0e1914fc","line":293,"range":{"start_line":293,"start_character":14,"end_line":293,"end_character":19},"updated":"2021-11-29 16:49:54.000000000","message":"nit: shows","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2154f75e4dd205d7aeca8a78fdc927c4833fd6b6","unresolved":false,"context_lines":[{"line_number":290,"context_line":"users should be able to view flavors available for them to use. Additionally,"},{"line_number":291,"context_line":"users with authorization on a domain should also be able to view flavors."},{"line_number":292,"context_line":""},{"line_number":293,"context_line":"The following show how you can specify multiple scopes for a single rule:"},{"line_number":294,"context_line":""},{"line_number":295,"context_line":".. 
code-block:: python"},{"line_number":296,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a5b15e7_58b72630","line":293,"range":{"start_line":293,"start_character":14,"end_line":293,"end_character":19},"in_reply_to":"aafcb0ff_0e1914fc","updated":"2021-11-29 18:01:13.000000000","message":"Done","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"208cbda947587128c8751c791d519637a39532fd","unresolved":true,"context_lines":[{"line_number":298,"context_line":""},{"line_number":299,"context_line":"Enhance python-openstackclient"},{"line_number":300,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":301,"context_line":""},{"line_number":302,"context_line":"Listing project resources across the deployment"},{"line_number":303,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":304,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"a57e25a2_e6c20f54","line":301,"updated":"2021-11-29 16:49:54.000000000","message":"This section is empty. 
There is probably a need to fix section hierarchy.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"796648af0374c1e1f33df1c1ee4b90b7906a082d","unresolved":true,"context_lines":[{"line_number":298,"context_line":""},{"line_number":299,"context_line":"Enhance python-openstackclient"},{"line_number":300,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":301,"context_line":""},{"line_number":302,"context_line":"Listing project resources across the deployment"},{"line_number":303,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":304,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"f72c7c64_3f51903e","line":301,"in_reply_to":"1d57b16b_56c19917","updated":"2021-11-29 18:07:23.000000000","message":"I guess then it\u0027s better to simply remove this heading as it\u0027s confusing.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2154f75e4dd205d7aeca8a78fdc927c4833fd6b6","unresolved":true,"context_lines":[{"line_number":298,"context_line":""},{"line_number":299,"context_line":"Enhance python-openstackclient"},{"line_number":300,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":301,"context_line":""},{"line_number":302,"context_line":"Listing project resources across the deployment"},{"line_number":303,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":304,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"1d57b16b_56c19917","line":301,"in_reply_to":"a57e25a2_e6c20f54","updated":"2021-11-29 18:01:13.000000000","message":"This approach is actually detailed on line 327. 
I\u0027m not sure we want to target anything else for Yoga, but I do anticipate some client-side work (e.g., how does a system-admin find the project that contains a resource they need to work on).\n\nIt\u0027s not critical to do for Yoga, but we might want to think about when we should do that work in the client (Z?).","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"ec4ad89e516f23bd92dbb9b15b407eefb6d7bd61","unresolved":false,"context_lines":[{"line_number":298,"context_line":""},{"line_number":299,"context_line":"Enhance python-openstackclient"},{"line_number":300,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":301,"context_line":""},{"line_number":302,"context_line":"Listing project resources across the deployment"},{"line_number":303,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":304,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"af65cf05_059e9c1b","line":301,"in_reply_to":"f72c7c64_3f51903e","updated":"2021-11-29 18:10:19.000000000","message":"Ah, you\u0027ve done it in the followup.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"208cbda947587128c8751c791d519637a39532fd","unresolved":true,"context_lines":[{"line_number":393,"context_line":"project-scoped tokens for each project in the deployment::"},{"line_number":394,"context_line":""},{"line_number":395,"context_line":"  $ openstack role add --os-cloud system-admin --user 2c0865 --domain foo --inherited reader"},{"line_number":396,"context_line":"  $ openstack 
role add  --os-cloud system-admin --group b3dbc2 --domain foo --inherited admin"},{"line_number":397,"context_line":""},{"line_number":398,"context_line":"This configuration will enable the following personas, described as follows:"},{"line_number":399,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"201de9a2_de85beaa","line":396,"range":{"start_line":396,"start_character":23,"end_line":396,"end_character":24},"updated":"2021-11-29 16:49:54.000000000","message":"nit: extra space","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2154f75e4dd205d7aeca8a78fdc927c4833fd6b6","unresolved":false,"context_lines":[{"line_number":393,"context_line":"project-scoped tokens for each project in the deployment::"},{"line_number":394,"context_line":""},{"line_number":395,"context_line":"  $ openstack role add --os-cloud system-admin --user 2c0865 --domain foo --inherited reader"},{"line_number":396,"context_line":"  $ openstack role add  --os-cloud system-admin --group b3dbc2 --domain foo --inherited admin"},{"line_number":397,"context_line":""},{"line_number":398,"context_line":"This configuration will enable the following personas, described as follows:"},{"line_number":399,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"48aa5753_4571b4f0","line":396,"range":{"start_line":396,"start_character":23,"end_line":396,"end_character":24},"in_reply_to":"201de9a2_de85beaa","updated":"2021-11-29 18:01:13.000000000","message":"Done","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 
7bulls.com"},"change_message_id":"208cbda947587128c8751c791d519637a39532fd","unresolved":true,"context_lines":[{"line_number":395,"context_line":"  $ openstack role add --os-cloud system-admin --user 2c0865 --domain foo --inherited reader"},{"line_number":396,"context_line":"  $ openstack role add  --os-cloud system-admin --group b3dbc2 --domain foo --inherited admin"},{"line_number":397,"context_line":""},{"line_number":398,"context_line":"This configuration will enable the following personas, described as follows:"},{"line_number":399,"context_line":""},{"line_number":400,"context_line":"- System Administrator"},{"line_number":401,"context_line":"   - Denoted by someone with the ``admin`` role on the ``system``"}],"source_content_type":"text/x-rst","patch_set":20,"id":"a5c55f22_cf10a987","line":398,"range":{"start_line":398,"start_character":0,"end_line":398,"end_character":18},"updated":"2021-11-29 16:49:54.000000000","message":"The paragraph above breaks the discussed matter flow and would work better being put below the listing as \"this configuration\" refers to the config in the ini file and not the \"config\" done on roles.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2154f75e4dd205d7aeca8a78fdc927c4833fd6b6","unresolved":false,"context_lines":[{"line_number":395,"context_line":"  $ openstack role add --os-cloud system-admin --user 2c0865 --domain foo --inherited reader"},{"line_number":396,"context_line":"  $ openstack role add  --os-cloud system-admin --group b3dbc2 --domain foo --inherited admin"},{"line_number":397,"context_line":""},{"line_number":398,"context_line":"This configuration will enable the following personas, described as follows:"},{"line_number":399,"context_line":""},{"line_number":400,"context_line":"- System Administrator"},{"line_number":401,"context_line":"   - Denoted by someone with the 
``admin`` role on the ``system``"}],"source_content_type":"text/x-rst","patch_set":20,"id":"238729ef_49641053","line":398,"range":{"start_line":398,"start_character":0,"end_line":398,"end_character":18},"in_reply_to":"a5c55f22_cf10a987","updated":"2021-11-29 18:01:13.000000000","message":"Done","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"9c07dbbe564f375d4ee5854523ac6e89a885c7df","unresolved":true,"context_lines":[{"line_number":419,"context_line":"   - Not intended for end users"},{"line_number":420,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":421,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":422,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":423,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":424,"context_line":"   - *Create physical provider networks*"},{"line_number":425,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"f892e0db_f5ed1303","line":422,"range":{"start_line":422,"start_character":0,"end_line":422,"end_character":52},"updated":"2021-12-01 10:31:29.000000000","message":"i think we should remove this since it suits more with the Project manager persona (and is already included in that list)","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"208cbda947587128c8751c791d519637a39532fd","unresolved":true,"context_lines":[{"line_number":491,"context_line":"   - *View hypervisor and aggregate information*"},{"line_number":492,"context_line":"   - *List all cinder services*"},{"line_number":493,"context_line":"   
- *View all domains and identity providers within the deployment*"},{"line_number":494,"context_line":""},{"line_number":495,"context_line":"Champion"},{"line_number":496,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":497,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"03080d4d_c06ca6d1","line":494,"updated":"2021-11-29 16:49:54.000000000","message":"Somehow the \"Listing project resources across the deployment\" is not reminded in neither \"Phase 2\" nor \"Phase 3\" but it was said to be postponed.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2154f75e4dd205d7aeca8a78fdc927c4833fd6b6","unresolved":true,"context_lines":[{"line_number":491,"context_line":"   - *View hypervisor and aggregate information*"},{"line_number":492,"context_line":"   - *List all cinder services*"},{"line_number":493,"context_line":"   - *View all domains and identity providers within the deployment*"},{"line_number":494,"context_line":""},{"line_number":495,"context_line":"Champion"},{"line_number":496,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":497,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"2e263d19_19393035","line":494,"in_reply_to":"03080d4d_c06ca6d1","updated":"2021-11-29 18:01:13.000000000","message":"That section is specifically calling out that OpenStack APIs that provide some way for an administrator to list all resources across tenants should continue to work as it does today (even though it is wrong).\n\nFor example, we\u0027re going to continue allowing someone with the \u0027admin\u0027 role on a project to list all instances in the entire deployment, even though it violates the tenancy of the project that token is scoped to.\n\nEventually, this behavior should be updated so that ?all_tenants\u003dTrue should 
be called with a domain-scoped token and it will return all the resources for all projects within that domain.\n\nI think we\u0027ve agreed that using domain tokens in this way makes sense organizationally and from a security perspective, but we\u0027ve already got a full plate for the next few releases. When we get the point where services can start implementing domain user support, we should refactor that work then and not allow project-admins to view all instance/volumes in the entire deployment.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"796648af0374c1e1f33df1c1ee4b90b7906a082d","unresolved":true,"context_lines":[{"line_number":491,"context_line":"   - *View hypervisor and aggregate information*"},{"line_number":492,"context_line":"   - *List all cinder services*"},{"line_number":493,"context_line":"   - *View all domains and identity providers within the deployment*"},{"line_number":494,"context_line":""},{"line_number":495,"context_line":"Champion"},{"line_number":496,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":497,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"c05d5043_c497d814","line":494,"in_reply_to":"2e263d19_19393035","updated":"2021-11-29 18:07:23.000000000","message":"Yeah, that I understand, but I think these phases\u0027 descriptions deserve at least a mention that such a switch is to happen.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1fa1e98898e7d8d64257ba8237c2abc4257b0f03","unresolved":true,"context_lines":[{"line_number":520,"context_line":"   between the ``admin`` and ``member`` roles. 
This work requires a keystone"},{"line_number":521,"context_line":"   specification."},{"line_number":522,"context_line":""},{"line_number":523,"context_line":"#. Keystone implements a new default role called ``service``"},{"line_number":524,"context_line":""},{"line_number":525,"context_line":"   The ``service`` will standardize a role that\u0027s already required in some"},{"line_number":526,"context_line":"   default policies across OpenStack. This role must be built outside the"}],"source_content_type":"text/x-rst","patch_set":20,"id":"25a6a470_c208502f","line":523,"range":{"start_line":523,"start_character":3,"end_line":523,"end_character":60},"updated":"2021-11-29 17:21:55.000000000","message":"by the way all services would really need to support the service role i think before we can move to phase 2 as well, correct?","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1fa1e98898e7d8d64257ba8237c2abc4257b0f03","unresolved":true,"context_lines":[{"line_number":524,"context_line":""},{"line_number":525,"context_line":"   The ``service`` will standardize a role that\u0027s already required in some"},{"line_number":526,"context_line":"   default policies across OpenStack. This role must be built outside the"},{"line_number":527,"context_line":"   existing role hierarchy, where ``reader`` implies ``member`` implies"},{"line_number":528,"context_line":"   ``manager`` implies ``admin``. This work requires a keystone specification."},{"line_number":529,"context_line":""},{"line_number":530,"context_line":"#. 
Keystone enforces scope by default"},{"line_number":531,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"ba9c3fa0_c8398f9e","line":528,"range":{"start_line":527,"start_character":34,"end_line":528,"end_character":31},"updated":"2021-11-29 17:21:55.000000000","message":"this is backwards\n\n ``reader`` implies ``member`` implies ``manager`` implies ``admin``\n\nshould be\n\n``reader`` implied by ``member`` implied by ``manager`` implied by ``admin``\nor\n ``admin`` implies ``manager`` implies ``member`` implies ``reader``\n\n-1 is really for this although this can be fixed in a follow up patch too as long as it\u0027s eventually fixed.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2154f75e4dd205d7aeca8a78fdc927c4833fd6b6","unresolved":false,"context_lines":[{"line_number":524,"context_line":""},{"line_number":525,"context_line":"   The ``service`` will standardize a role that\u0027s already required in some"},{"line_number":526,"context_line":"   default policies across OpenStack. This role must be built outside the"},{"line_number":527,"context_line":"   existing role hierarchy, where ``reader`` implies ``member`` implies"},{"line_number":528,"context_line":"   ``manager`` implies ``admin``. This work requires a keystone specification."},{"line_number":529,"context_line":""},{"line_number":530,"context_line":"#. 
Keystone enforces scope by default"},{"line_number":531,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"2a38d0b3_4f845e66","line":528,"range":{"start_line":527,"start_character":34,"end_line":528,"end_character":31},"in_reply_to":"ba9c3fa0_c8398f9e","updated":"2021-11-29 18:01:13.000000000","message":"Done","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1fa1e98898e7d8d64257ba8237c2abc4257b0f03","unresolved":true,"context_lines":[{"line_number":551,"context_line":"   `Phase 1`_, allowing operators to upgrade smoothly to the new permission"},{"line_number":552,"context_line":"   model on a per-service basis."},{"line_number":553,"context_line":""},{"line_number":554,"context_line":"   It\u0027s important that we have an OpenStack-wide release note or statement that"},{"line_number":555,"context_line":"   explicitly states the status of this work and how permissions behave across"},{"line_number":556,"context_line":"   OpenStack services."},{"line_number":557,"context_line":""},{"line_number":558,"context_line":"#. 
OpenStack-wide Personas Documentation"},{"line_number":559,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"76f74f73_1dd74ccc","line":556,"range":{"start_line":554,"start_character":3,"end_line":556,"end_character":22},"updated":"2021-11-29 17:21:55.000000000","message":"by the way i think that having a new governance tag for supporting secure rbac would make\nsense to add at some point and we should also incorporate that into the interop requirements at some point.\n\nthat does not need to be part of this spec by the way.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"796648af0374c1e1f33df1c1ee4b90b7906a082d","unresolved":true,"context_lines":[{"line_number":551,"context_line":"   `Phase 1`_, allowing operators to upgrade smoothly to the new permission"},{"line_number":552,"context_line":"   model on a per-service basis."},{"line_number":553,"context_line":""},{"line_number":554,"context_line":"   It\u0027s important that we have an OpenStack-wide release note or statement that"},{"line_number":555,"context_line":"   explicitly states the status of this work and how permissions behave across"},{"line_number":556,"context_line":"   OpenStack services."},{"line_number":557,"context_line":""},{"line_number":558,"context_line":"#. OpenStack-wide Personas Documentation"},{"line_number":559,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"5170a66a_17f08a5f","line":556,"range":{"start_line":554,"start_character":3,"end_line":556,"end_character":22},"in_reply_to":"16de8b67_24c015c2","updated":"2021-11-29 18:07:23.000000000","message":"TC is dropping the tags framework. 
Let\u0027s track this differently but +1 for tracking well.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2154f75e4dd205d7aeca8a78fdc927c4833fd6b6","unresolved":true,"context_lines":[{"line_number":551,"context_line":"   `Phase 1`_, allowing operators to upgrade smoothly to the new permission"},{"line_number":552,"context_line":"   model on a per-service basis."},{"line_number":553,"context_line":""},{"line_number":554,"context_line":"   It\u0027s important that we have an OpenStack-wide release note or statement that"},{"line_number":555,"context_line":"   explicitly states the status of this work and how permissions behave across"},{"line_number":556,"context_line":"   OpenStack services."},{"line_number":557,"context_line":""},{"line_number":558,"context_line":"#. OpenStack-wide Personas Documentation"},{"line_number":559,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"16de8b67_24c015c2","line":556,"range":{"start_line":554,"start_character":3,"end_line":556,"end_character":22},"in_reply_to":"76f74f73_1dd74ccc","updated":"2021-11-29 18:01:13.000000000","message":"+1\n\nI\u0027d like to raise that to the TC somewhere and see how we can start formalizing that. 
I think that would be a huge improvement for people consuming this stuff, instead of hunting through the code or default policies for what a service supports.\n\nIf/when we can agree on that tag, I can add it to this document in a follow up.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"208cbda947587128c8751c791d519637a39532fd","unresolved":true,"context_lines":[{"line_number":572,"context_line":"   establish the expectation that mixing and matching scopes won\u0027t be supported"},{"line_number":573,"context_line":"   in future releases."},{"line_number":574,"context_line":""},{"line_number":575,"context_line":"At this point, operators must run keystone with ``enforce_scope\u003dTrue`` since"},{"line_number":576,"context_line":"the deprecated policies will be gone. They can also choose to run any service"},{"line_number":577,"context_line":"that\u0027s completed `Phase 1`_. This will require the operator to configure the"},{"line_number":578,"context_line":"service to use ``enforce_scope\u003dTrue`` and ``enforce_new_defaults\u003dTrue`` if they"}],"source_content_type":"text/x-rst","patch_set":20,"id":"b5a2e8e4_ad85cd1f","line":575,"range":{"start_line":575,"start_character":15,"end_line":575,"end_character":71},"updated":"2021-11-29 16:49:54.000000000","message":"What\u0027s then the purpose of this config option if the world breaks with the other value? Will the default be adjusted for Keystone? 
(As I understand the config option comes from oslo.policy)","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"336aa1f24ad955444107634f8c88238467866569","unresolved":false,"context_lines":[{"line_number":572,"context_line":"   establish the expectation that mixing and matching scopes won\u0027t be supported"},{"line_number":573,"context_line":"   in future releases."},{"line_number":574,"context_line":""},{"line_number":575,"context_line":"At this point, operators must run keystone with ``enforce_scope\u003dTrue`` since"},{"line_number":576,"context_line":"the deprecated policies will be gone. They can also choose to run any service"},{"line_number":577,"context_line":"that\u0027s completed `Phase 1`_. This will require the operator to configure the"},{"line_number":578,"context_line":"service to use ``enforce_scope\u003dTrue`` and ``enforce_new_defaults\u003dTrue`` if they"}],"source_content_type":"text/x-rst","patch_set":20,"id":"ec8761d8_68494b20","line":575,"range":{"start_line":575,"start_character":15,"end_line":575,"end_character":71},"in_reply_to":"9e8f7fa3_5905b7bb","updated":"2021-12-06 16:19:02.000000000","message":"Correct, the option does come from oslo.policy, but it\u0027s set on a per-service basis. 
The configuration option still serves a purpose for other services.\n\nAs Ghanshyam noted, this is called out explicitly on line 530, but I\u0027ve attempted to clarify this further in the follow up.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"796648af0374c1e1f33df1c1ee4b90b7906a082d","unresolved":true,"context_lines":[{"line_number":572,"context_line":"   establish the expectation that mixing and matching scopes won\u0027t be supported"},{"line_number":573,"context_line":"   in future releases."},{"line_number":574,"context_line":""},{"line_number":575,"context_line":"At this point, operators must run keystone with ``enforce_scope\u003dTrue`` since"},{"line_number":576,"context_line":"the deprecated policies will be gone. They can also choose to run any service"},{"line_number":577,"context_line":"that\u0027s completed `Phase 1`_. This will require the operator to configure the"},{"line_number":578,"context_line":"service to use ``enforce_scope\u003dTrue`` and ``enforce_new_defaults\u003dTrue`` if they"}],"source_content_type":"text/x-rst","patch_set":20,"id":"9e8f7fa3_5905b7bb","line":575,"range":{"start_line":575,"start_character":15,"end_line":575,"end_character":71},"in_reply_to":"aee3a5d4_24743141","updated":"2021-11-29 18:07:23.000000000","message":"The question is whether we could improve wording here. 
Perhaps with a parenthesised sentence that this is the new default and changing it is explicitly unsupported.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1fa1e98898e7d8d64257ba8237c2abc4257b0f03","unresolved":true,"context_lines":[{"line_number":572,"context_line":"   establish the expectation that mixing and matching scopes won\u0027t be supported"},{"line_number":573,"context_line":"   in future releases."},{"line_number":574,"context_line":""},{"line_number":575,"context_line":"At this point, operators must run keystone with ``enforce_scope\u003dTrue`` since"},{"line_number":576,"context_line":"the deprecated policies will be gone. They can also choose to run any service"},{"line_number":577,"context_line":"that\u0027s completed `Phase 1`_. This will require the operator to configure the"},{"line_number":578,"context_line":"service to use ``enforce_scope\u003dTrue`` and ``enforce_new_defaults\u003dTrue`` if they"}],"source_content_type":"text/x-rst","patch_set":20,"id":"df6eb211_125a72f4","line":575,"range":{"start_line":575,"start_character":15,"end_line":575,"end_character":71},"in_reply_to":"b5a2e8e4_ad85cd1f","updated":"2021-11-29 17:21:55.000000000","message":"if the old policies are removed then i guess it could be removed but perhaps not enforcing scope will be required in some upgrade scenarios or for a transition period.\n\nso we might want to have the ability to disable scope enforcement for keystone because other services do not support it.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2154f75e4dd205d7aeca8a78fdc927c4833fd6b6","unresolved":true,"context_lines":[{"line_number":572,"context_line":"   establish the expectation that mixing and matching scopes won\u0027t be 
supported"},{"line_number":573,"context_line":"   in future releases."},{"line_number":574,"context_line":""},{"line_number":575,"context_line":"At this point, operators must run keystone with ``enforce_scope\u003dTrue`` since"},{"line_number":576,"context_line":"the deprecated policies will be gone. They can also choose to run any service"},{"line_number":577,"context_line":"that\u0027s completed `Phase 1`_. This will require the operator to configure the"},{"line_number":578,"context_line":"service to use ``enforce_scope\u003dTrue`` and ``enforce_new_defaults\u003dTrue`` if they"}],"source_content_type":"text/x-rst","patch_set":20,"id":"aee3a5d4_24743141","line":575,"range":{"start_line":575,"start_character":15,"end_line":575,"end_character":71},"in_reply_to":"df6eb211_125a72f4","updated":"2021-11-29 18:01:13.000000000","message":"Is the question if we can remove enforce_scope or enforce_new_defaults?","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"52091d243f5e234ff6835fef1cac63b8d04c951f","unresolved":true,"context_lines":[{"line_number":572,"context_line":"   establish the expectation that mixing and matching scopes won\u0027t be supported"},{"line_number":573,"context_line":"   in future releases."},{"line_number":574,"context_line":""},{"line_number":575,"context_line":"At this point, operators must run keystone with ``enforce_scope\u003dTrue`` since"},{"line_number":576,"context_line":"the deprecated policies will be gone. They can also choose to run any service"},{"line_number":577,"context_line":"that\u0027s completed `Phase 1`_. 
This will require the operator to configure the"},{"line_number":578,"context_line":"service to use ``enforce_scope\u003dTrue`` and ``enforce_new_defaults\u003dTrue`` if they"}],"source_content_type":"text/x-rst","patch_set":20,"id":"a2196567_32f8345c","line":575,"range":{"start_line":575,"start_character":15,"end_line":575,"end_character":71},"in_reply_to":"df6eb211_125a72f4","updated":"2021-11-29 17:53:05.000000000","message":"yeah, that si L530 where this config option default value will be set to True for keystone.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"208cbda947587128c8751c791d519637a39532fd","unresolved":true,"context_lines":[{"line_number":579,"context_line":"chose to adopt the new behavior for services that support it."},{"line_number":580,"context_line":""},{"line_number":581,"context_line":"This means that operators must use the correct scope when interacting with"},{"line_number":582,"context_line":"keystone or nova APIs (e.g., services, endpoints, domains, hypervisors,"},{"line_number":583,"context_line":"aggregates.)"},{"line_number":584,"context_line":""},{"line_number":585,"context_line":"Z-Release Timeline"}],"source_content_type":"text/x-rst","patch_set":20,"id":"2b011b52_53766fd2","line":582,"range":{"start_line":582,"start_character":0,"end_line":582,"end_character":21},"updated":"2021-11-29 16:49:54.000000000","message":"I think \"nova\" should be mentioned as a separate example as only keystone\u0027s behaviour is set in stone (pun not intended but happened) with this change.","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2154f75e4dd205d7aeca8a78fdc927c4833fd6b6","unresolved":false,"context_lines":[{"line_number":579,"context_line":"chose to adopt the new behavior for services that support it."},{"line_number":580,"context_line":""},{"line_number":581,"context_line":"This means that operators must use the correct scope when interacting with"},{"line_number":582,"context_line":"keystone or nova APIs (e.g., services, endpoints, domains, hypervisors,"},{"line_number":583,"context_line":"aggregates.)"},{"line_number":584,"context_line":""},{"line_number":585,"context_line":"Z-Release Timeline"}],"source_content_type":"text/x-rst","patch_set":20,"id":"61912880_910559a9","line":582,"range":{"start_line":582,"start_character":0,"end_line":582,"end_character":21},"in_reply_to":"2b011b52_53766fd2","updated":"2021-11-29 18:01:13.000000000","message":"Done","commit_id":"4a2df7517100db18a782c70462e6293a8ffc3d78"}],"goals/selected/yoga/consistent-and-secure-rbac.rst":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e066c5c00be1858aab47e981e64832283520d7c6","unresolved":true,"context_lines":[{"line_number":1,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":2,"context_line":"Consistent and Secure Default RBAC"},{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"Problem Summary"}],"source_content_type":"text/x-rst","patch_set":2,"id":"bffda8d3_8b440545","line":2,"updated":"2021-10-26 
21:16:02.000000000","message":"We could update this to be more specific to exactly what we\u0027re doing in Yoga.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4c3070d747d8a0f99bdca5e38b5d1e6614e28014","unresolved":false,"context_lines":[{"line_number":1,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":2,"context_line":"Consistent and Secure Default RBAC"},{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"Problem Summary"}],"source_content_type":"text/x-rst","patch_set":2,"id":"ae00832f_722bda11","line":2,"in_reply_to":"09e3c797_1200161d","updated":"2021-11-02 20:40:47.000000000","message":"Every time I try to rename this I feel like it should be pointing to an overall theme of what we\u0027re trying to do. 
I\u0027m just not sure where that should live.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ebd26f8ddbb483836f1c92f7ade2d6d3c871f50f","unresolved":true,"context_lines":[{"line_number":1,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":2,"context_line":"Consistent and Secure Default RBAC"},{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"Problem Summary"}],"source_content_type":"text/x-rst","patch_set":2,"id":"b74f7f6f_94af26bf","line":2,"in_reply_to":"401698ac_cb7b9b28","updated":"2021-11-02 00:16:02.000000000","message":"yeah, as we are going to de-couple the goal from release, we can split this goal work into the different milestone/steps.\n\nI agree to target \u0027Persona support\u0027 first which is more work (than other two) as it need policy granularity also like we did in nova for many policies.\n\nOther important point I feel we should do is we need to finalize the design/implementation for all these three (or anything more things we target to do) first and then start implementing them. 
otherwise we can face similar situation again what we faced currently  (going back to system scope things when project level operation were required the system level info)","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ae87fd96be7b8d0e82e2a6194efc7bf17bdee2d8","unresolved":true,"context_lines":[{"line_number":1,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":2,"context_line":"Consistent and Secure Default RBAC"},{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"Problem Summary"}],"source_content_type":"text/x-rst","patch_set":2,"id":"401698ac_cb7b9b28","line":2,"in_reply_to":"8f570e5f_0fbc6a08","updated":"2021-11-01 18:45:54.000000000","message":"FWIW, I like that split Dan has proposed there. 
It might help focus the discussion better on Wednesday.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ce8ea04582eaa3cd8c7d9ac23f25c6bd366c9a1e","unresolved":true,"context_lines":[{"line_number":1,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":2,"context_line":"Consistent and Secure Default RBAC"},{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"Problem Summary"}],"source_content_type":"text/x-rst","patch_set":2,"id":"09e3c797_1200161d","line":2,"in_reply_to":"b74f7f6f_94af26bf","updated":"2021-11-02 13:42:56.000000000","message":"I think the admin/member/reader part of personas is pretty well set at this point, no? In fairness, it wasn\u0027t clear how the previous plan was going to be a problem until we went through it on multiple projects _and_ tried to make them work together. I definitely agree we shouldn\u0027t have a goal of undefined or unattainable things, but at some point there has to be a bit of a leap for things like this I think. 
This is far more complicated and self-contained than things like policy json to yaml, etc.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ddd613a3f86e9f7282bbf9929e321f835497262b","unresolved":true,"context_lines":[{"line_number":1,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":2,"context_line":"Consistent and Secure Default RBAC"},{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"Problem Summary"}],"source_content_type":"text/x-rst","patch_set":2,"id":"8f570e5f_0fbc6a08","line":2,"in_reply_to":"bffda8d3_8b440545","updated":"2021-11-01 14:12:06.000000000","message":"I think we probably would really do ourselves a favor by breaking this into at least three actual goals, perhaps as items under a larger multicycle theme or whatever. Maybe the following split makes sense?\n\n1. Persona support (almost done)\n2. System scope for system APIs\n3. 
Deconstructing the admin\n\nThe last item would be your stretch goals below, including adding the manager role for the things where it makes sense and allowing domain tokens to list across all projects.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e066c5c00be1858aab47e981e64832283520d7c6","unresolved":true,"context_lines":[{"line_number":2,"context_line":"Consistent and Secure Default RBAC"},{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"Problem Summary"},{"line_number":6,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"OpenStack\u0027s initial goal to be a multi-tenant platform drove the idea that"}],"source_content_type":"text/x-rst","patch_set":2,"id":"39ff3699_682b0ab2","line":5,"updated":"2021-10-26 21:16:02.000000000","message":"This problem summary isn\u0027t specific to this community goal, but it is important for understanding what happened during the PTG last week (detailed in a separate section below).","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e066c5c00be1858aab47e981e64832283520d7c6","unresolved":true,"context_lines":[{"line_number":24,"context_line":"This means we use the best available tools at the time to protect the API we"},{"line_number":25,"context_line":"were developing across OpenStack."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"This led to the 
following problems:"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"#. By default, users were either average end-users or operators, which is far"},{"line_number":30,"context_line":"   too restrict for read-world clouds"}],"source_content_type":"text/x-rst","patch_set":2,"id":"97206746_a20e7882","line":27,"updated":"2021-10-26 21:16:02.000000000","message":"This could reference bug 968696","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4c3070d747d8a0f99bdca5e38b5d1e6614e28014","unresolved":false,"context_lines":[{"line_number":24,"context_line":"This means we use the best available tools at the time to protect the API we"},{"line_number":25,"context_line":"were developing across OpenStack."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"This led to the following problems:"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"#. 
By default, users were either average end-users or operators, which is far"},{"line_number":30,"context_line":"   too restrict for read-world clouds"}],"source_content_type":"text/x-rst","patch_set":2,"id":"7bb6be18_efd36c68","line":27,"in_reply_to":"97206746_a20e7882","updated":"2021-11-02 20:40:47.000000000","message":"Done","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e066c5c00be1858aab47e981e64832283520d7c6","unresolved":true,"context_lines":[{"line_number":45,"context_line":"- Not providing a role hierarchy that allows for easy authorization management"},{"line_number":46,"context_line":"- Not providing a granular set of permissions"},{"line_number":47,"context_line":"- Not providing an easy way for operators to audit what a particular user can"},{"line_number":48,"context_line":"  do within the deployment"},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"Where are we today?"},{"line_number":51,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"aa65eb55_d2dde35f","line":48,"updated":"2021-10-26 21:16:02.000000000","message":"Perhaps other operators have things to add here if I\u0027m missing anything.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e066c5c00be1858aab47e981e64832283520d7c6","unresolved":true,"context_lines":[{"line_number":52,"context_line":""},{"line_number":53,"context_line":"The following initiatives are in progress or complete:"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"#. Moved policy and documentation into the code"},{"line_number":56,"context_line":"#. 
Created a default role hierarchy in keystone"},{"line_number":57,"context_line":"#. Added a new scope to keystone"},{"line_number":58,"context_line":"#. Updated all libraries to understand the new scope"}],"source_content_type":"text/x-rst","patch_set":2,"id":"09ba4306_3f3e3dce","line":55,"updated":"2021-10-26 21:16:02.000000000","message":"This should link to the community goal\n\nhttps://governance.openstack.org/tc/goals/selected/queens/policy-in-code.html","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4c3070d747d8a0f99bdca5e38b5d1e6614e28014","unresolved":false,"context_lines":[{"line_number":52,"context_line":""},{"line_number":53,"context_line":"The following initiatives are in progress or complete:"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"#. Moved policy and documentation into the code"},{"line_number":56,"context_line":"#. Created a default role hierarchy in keystone"},{"line_number":57,"context_line":"#. Added a new scope to keystone"},{"line_number":58,"context_line":"#. Updated all libraries to understand the new scope"}],"source_content_type":"text/x-rst","patch_set":2,"id":"192aab91_fdb3f5cd","line":55,"in_reply_to":"09ba4306_3f3e3dce","updated":"2021-11-02 20:40:47.000000000","message":"Done","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e066c5c00be1858aab47e981e64832283520d7c6","unresolved":true,"context_lines":[{"line_number":53,"context_line":"The following initiatives are in progress or complete:"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"#. Moved policy and documentation into the code"},{"line_number":56,"context_line":"#. Created a default role hierarchy in keystone"},{"line_number":57,"context_line":"#. 
Added a new scope to keystone"},{"line_number":58,"context_line":"#. Updated all libraries to understand the new scope"},{"line_number":59,"context_line":"#. Documented the idea of personas"}],"source_content_type":"text/x-rst","patch_set":2,"id":"8182cea9_24590c03","line":56,"updated":"2021-10-26 21:16:02.000000000","message":"This should link to the keystone specification\n\nhttps://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4c3070d747d8a0f99bdca5e38b5d1e6614e28014","unresolved":false,"context_lines":[{"line_number":53,"context_line":"The following initiatives are in progress or complete:"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"#. Moved policy and documentation into the code"},{"line_number":56,"context_line":"#. Created a default role hierarchy in keystone"},{"line_number":57,"context_line":"#. Added a new scope to keystone"},{"line_number":58,"context_line":"#. Updated all libraries to understand the new scope"},{"line_number":59,"context_line":"#. Documented the idea of personas"}],"source_content_type":"text/x-rst","patch_set":2,"id":"de034d84_9302cede","line":56,"in_reply_to":"8182cea9_24590c03","updated":"2021-11-02 20:40:47.000000000","message":"Done","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e066c5c00be1858aab47e981e64832283520d7c6","unresolved":true,"context_lines":[{"line_number":54,"context_line":""},{"line_number":55,"context_line":"#. Moved policy and documentation into the code"},{"line_number":56,"context_line":"#. Created a default role hierarchy in keystone"},{"line_number":57,"context_line":"#. 
Added a new scope to keystone"},{"line_number":58,"context_line":"#. Updated all libraries to understand the new scope"},{"line_number":59,"context_line":"#. Documented the idea of personas"},{"line_number":60,"context_line":"#. Introduced complete protection testing using tempest for a handful for"}],"source_content_type":"text/x-rst","patch_set":2,"id":"10619dae_d747a491","line":57,"updated":"2021-10-26 21:16:02.000000000","message":"This should link to the keystone specification\n\nhttps://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4c3070d747d8a0f99bdca5e38b5d1e6614e28014","unresolved":false,"context_lines":[{"line_number":54,"context_line":""},{"line_number":55,"context_line":"#. Moved policy and documentation into the code"},{"line_number":56,"context_line":"#. Created a default role hierarchy in keystone"},{"line_number":57,"context_line":"#. Added a new scope to keystone"},{"line_number":58,"context_line":"#. Updated all libraries to understand the new scope"},{"line_number":59,"context_line":"#. Documented the idea of personas"},{"line_number":60,"context_line":"#. Introduced complete protection testing using tempest for a handful for"}],"source_content_type":"text/x-rst","patch_set":2,"id":"18cf8d5f_4052c384","line":57,"in_reply_to":"10619dae_d747a491","updated":"2021-11-02 20:40:47.000000000","message":"Done","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e066c5c00be1858aab47e981e64832283520d7c6","unresolved":true,"context_lines":[{"line_number":55,"context_line":"#. Moved policy and documentation into the code"},{"line_number":56,"context_line":"#. 
Created a default role hierarchy in keystone"},{"line_number":57,"context_line":"#. Added a new scope to keystone"},{"line_number":58,"context_line":"#. Updated all libraries to understand the new scope"},{"line_number":59,"context_line":"#. Documented the idea of personas"},{"line_number":60,"context_line":"#. Introduced complete protection testing using tempest for a handful for"},{"line_number":61,"context_line":"   projects as a reference for other teams to use"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9c9face4_b6751405","line":58,"updated":"2021-10-26 21:16:02.000000000","message":"Some of this is tracked here\n\nhttps://review.opendev.org/q/topic:%22bp%252Fsystem-scope%22+(status:open%20OR%20status:merged)","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e066c5c00be1858aab47e981e64832283520d7c6","unresolved":true,"context_lines":[{"line_number":56,"context_line":"#. Created a default role hierarchy in keystone"},{"line_number":57,"context_line":"#. Added a new scope to keystone"},{"line_number":58,"context_line":"#. Updated all libraries to understand the new scope"},{"line_number":59,"context_line":"#. Documented the idea of personas"},{"line_number":60,"context_line":"#. Introduced complete protection testing using tempest for a handful for"},{"line_number":61,"context_line":"   projects as a reference for other teams to use"},{"line_number":62,"context_line":"#. 
Audited every active OpenStack project API and mapped administrative"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5406af86_5c4a320e","line":59,"updated":"2021-10-26 21:16:02.000000000","message":"This should link to \n\nhttps://docs.openstack.org/keystone/latest/admin/service-api-protection.html","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4c3070d747d8a0f99bdca5e38b5d1e6614e28014","unresolved":false,"context_lines":[{"line_number":56,"context_line":"#. Created a default role hierarchy in keystone"},{"line_number":57,"context_line":"#. Added a new scope to keystone"},{"line_number":58,"context_line":"#. Updated all libraries to understand the new scope"},{"line_number":59,"context_line":"#. Documented the idea of personas"},{"line_number":60,"context_line":"#. Introduced complete protection testing using tempest for a handful for"},{"line_number":61,"context_line":"   projects as a reference for other teams to use"},{"line_number":62,"context_line":"#. Audited every active OpenStack project API and mapped administrative"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1b88a3e1_5c32590e","line":59,"in_reply_to":"5406af86_5c4a320e","updated":"2021-11-02 20:40:47.000000000","message":"Done","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e066c5c00be1858aab47e981e64832283520d7c6","unresolved":true,"context_lines":[{"line_number":57,"context_line":"#. Added a new scope to keystone"},{"line_number":58,"context_line":"#. Updated all libraries to understand the new scope"},{"line_number":59,"context_line":"#. Documented the idea of personas"},{"line_number":60,"context_line":"#. 
Introduced complete protection testing using tempest for a handful for"},{"line_number":61,"context_line":"   projects as a reference for other teams to use"},{"line_number":62,"context_line":"#. Audited every active OpenStack project API and mapped administrative"},{"line_number":63,"context_line":"   functionality into the system-scope personas"}],"source_content_type":"text/x-rst","patch_set":2,"id":"8669b9e7_18365cb5","line":60,"updated":"2021-10-26 21:16:02.000000000","message":"Think could link to\n\nhttps://review.opendev.org/q/(project:openstack/keystone-tempest-plugin+OR+project:openstack/glance-tempest-plugin+)+topic:secure-rbac","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4c3070d747d8a0f99bdca5e38b5d1e6614e28014","unresolved":false,"context_lines":[{"line_number":57,"context_line":"#. Added a new scope to keystone"},{"line_number":58,"context_line":"#. Updated all libraries to understand the new scope"},{"line_number":59,"context_line":"#. Documented the idea of personas"},{"line_number":60,"context_line":"#. Introduced complete protection testing using tempest for a handful for"},{"line_number":61,"context_line":"   projects as a reference for other teams to use"},{"line_number":62,"context_line":"#. 
Audited every active OpenStack project API and mapped administrative"},{"line_number":63,"context_line":"   functionality into the system-scope personas"}],"source_content_type":"text/x-rst","patch_set":2,"id":"eeb2d90b_b347f5d6","line":60,"in_reply_to":"7efd4615_0dc16ebb","updated":"2021-11-02 20:40:47.000000000","message":"Done","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ebd26f8ddbb483836f1c92f7ade2d6d3c871f50f","unresolved":true,"context_lines":[{"line_number":57,"context_line":"#. Added a new scope to keystone"},{"line_number":58,"context_line":"#. Updated all libraries to understand the new scope"},{"line_number":59,"context_line":"#. Documented the idea of personas"},{"line_number":60,"context_line":"#. Introduced complete protection testing using tempest for a handful for"},{"line_number":61,"context_line":"   projects as a reference for other teams to use"},{"line_number":62,"context_line":"#. Audited every active OpenStack project API and mapped administrative"},{"line_number":63,"context_line":"   functionality into the system-scope personas"}],"source_content_type":"text/x-rst","patch_set":2,"id":"7efd4615_0dc16ebb","line":60,"in_reply_to":"8669b9e7_18365cb5","updated":"2021-11-02 00:16:02.000000000","message":"we can add unit/functional tests as option also where running full operation for RBAC checks is costly like Nova server APIs.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"47e867acd3b9e625b6484526fcc65969d5a89cf5","unresolved":true,"context_lines":[{"line_number":61,"context_line":"   projects as a reference for other teams to use"},{"line_number":62,"context_line":"#. 
Audited every active OpenStack project API and mapped administrative"},{"line_number":63,"context_line":"   functionality into the system-scope personas"},{"line_number":64,"context_line":"#. Applied the reader and member role consistently to project-scoped resources"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"To date, the work to audit each API, propose new default policies, and"},{"line_number":67,"context_line":"implement unit, functional, or tempest tests has accumulated more than 130,000"}],"source_content_type":"text/x-rst","patch_set":2,"id":"f2ccc260_33f56e8a","line":64,"updated":"2021-10-26 21:28:59.000000000","message":"We also need to add a reference to the great JSON to YAML migration https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4c3070d747d8a0f99bdca5e38b5d1e6614e28014","unresolved":false,"context_lines":[{"line_number":61,"context_line":"   projects as a reference for other teams to use"},{"line_number":62,"context_line":"#. Audited every active OpenStack project API and mapped administrative"},{"line_number":63,"context_line":"   functionality into the system-scope personas"},{"line_number":64,"context_line":"#. 
Applied the reader and member role consistently to project-scoped resources"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"To date, the work to audit each API, propose new default policies, and"},{"line_number":67,"context_line":"implement unit, functional, or tempest tests has accumulated more than 130,000"}],"source_content_type":"text/x-rst","patch_set":2,"id":"6dee5a05_ead90226","line":64,"in_reply_to":"f2ccc260_33f56e8a","updated":"2021-11-02 20:40:47.000000000","message":"Done","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e066c5c00be1858aab47e981e64832283520d7c6","unresolved":true,"context_lines":[{"line_number":80,"context_line":"Based on the initial discussions of how system-scope would be used, we decided"},{"line_number":81,"context_line":"to allow system-scoped tokens to operate on project-owned resources."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"It wasn\u0027t until we started applying this idea to various services that we"},{"line_number":84,"context_line":"realized it was going to cause significant issues service-to-service"},{"line_number":85,"context_line":"communication. 
For example, if an operator uses a system-scoped token to create"},{"line_number":86,"context_line":"an instance for a user in a specific project, they need to specify the project"}],"source_content_type":"text/x-rst","patch_set":2,"id":"0d2a2f95_6d583aa0","line":83,"updated":"2021-10-26 21:16:02.000000000","message":"This could link to the specific neutron-nova issue where neutron needs to access the external events API in nova, which is system-specific.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ddd613a3f86e9f7282bbf9929e321f835497262b","unresolved":true,"context_lines":[{"line_number":81,"context_line":"to allow system-scoped tokens to operate on project-owned resources."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"It wasn\u0027t until we started applying this idea to various services that we"},{"line_number":84,"context_line":"realized it was going to cause significant issues service-to-service"},{"line_number":85,"context_line":"communication. 
For example, if an operator uses a system-scoped token to create"},{"line_number":86,"context_line":"an instance for a user in a specific project, they need to specify the project"},{"line_number":87,"context_line":"ID that owns the instance and they need to pass their system-scoped token to"}],"source_content_type":"text/x-rst","patch_set":2,"id":"fb557fbf_1cd0c857","line":84,"range":{"start_line":84,"start_character":43,"end_line":84,"end_character":49},"updated":"2021-11-01 14:12:06.000000000","message":"\"issues with\"","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4c3070d747d8a0f99bdca5e38b5d1e6614e28014","unresolved":false,"context_lines":[{"line_number":81,"context_line":"to allow system-scoped tokens to operate on project-owned resources."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"It wasn\u0027t until we started applying this idea to various services that we"},{"line_number":84,"context_line":"realized it was going to cause significant issues service-to-service"},{"line_number":85,"context_line":"communication. 
For example, if an operator uses a system-scoped token to create"},{"line_number":86,"context_line":"an instance for a user in a specific project, they need to specify the project"},{"line_number":87,"context_line":"ID that owns the instance and they need to pass their system-scoped token to"}],"source_content_type":"text/x-rst","patch_set":2,"id":"8aed639f_89c27f08","line":84,"range":{"start_line":84,"start_character":43,"end_line":84,"end_character":49},"in_reply_to":"fb557fbf_1cd0c857","updated":"2021-11-02 20:40:47.000000000","message":"Done","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e066c5c00be1858aab47e981e64832283520d7c6","unresolved":true,"context_lines":[{"line_number":90,"context_line":"especially since each OpenStack service can have multiple clients to other"},{"line_number":91,"context_line":"services."},{"line_number":92,"context_line":""},{"line_number":93,"context_line":"We spent significant amount of time during the Yoga PTG discussing this"},{"line_number":94,"context_line":"problem. 
Ultimately, we stepped back and realized that the primary use case for"},{"line_number":95,"context_line":"allowing system users to operate on project-owner resources was to allow for"},{"line_number":96,"context_line":"backwards compatibility."}],"source_content_type":"text/x-rst","patch_set":2,"id":"cb1b29b8_33860b29","line":93,"updated":"2021-10-26 21:16:02.000000000","message":"Include a link to the etherpad here.\n\nhttps://etherpad.opendev.org/p/policy-popup-yoga-ptg","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4c3070d747d8a0f99bdca5e38b5d1e6614e28014","unresolved":false,"context_lines":[{"line_number":90,"context_line":"especially since each OpenStack service can have multiple clients to other"},{"line_number":91,"context_line":"services."},{"line_number":92,"context_line":""},{"line_number":93,"context_line":"We spent significant amount of time during the Yoga PTG discussing this"},{"line_number":94,"context_line":"problem. Ultimately, we stepped back and realized that the primary use case for"},{"line_number":95,"context_line":"allowing system users to operate on project-owner resources was to allow for"},{"line_number":96,"context_line":"backwards compatibility."}],"source_content_type":"text/x-rst","patch_set":2,"id":"61d4c78d_d3eca2ae","line":93,"in_reply_to":"cb1b29b8_33860b29","updated":"2021-11-02 20:40:47.000000000","message":"Done","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"ea82b50a949329d23b8a25b88bffb3cd4037ccb4","unresolved":true,"context_lines":[{"line_number":133,"context_line":"#. 
Include complete use cases in persona documentation (who exactly is a"},{"line_number":134,"context_line":"   project-admin, who is a project-member, who is a system-admin?)"},{"line_number":135,"context_line":"#. Re-audit every policy change and revert any policies that allow system-users"},{"line_number":136,"context_line":"   to invoke actions on project-scoped resources"},{"line_number":137,"context_line":"#. Describe what personas are supported across all services by default"},{"line_number":138,"context_line":"#. Add the ability for OSC to find project resources using a system-scoped token"},{"line_number":139,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"ed4a16a1_75a87d2b","line":136,"updated":"2021-10-27 09:19:52.000000000","message":"so who will be e.g. allowed to create provider network in neutron? It\u0027s still resource which belongs to some project so should it be allowed for project-admin now or only for \"manager\" mentioned below as it requires knowledge about hardware and physical configuration of the cluster?","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f2b5952bae4dc291fc7da7a74f6f0a51bf4f41fb","unresolved":true,"context_lines":[{"line_number":133,"context_line":"#. Include complete use cases in persona documentation (who exactly is a"},{"line_number":134,"context_line":"   project-admin, who is a project-member, who is a system-admin?)"},{"line_number":135,"context_line":"#. Re-audit every policy change and revert any policies that allow system-users"},{"line_number":136,"context_line":"   to invoke actions on project-scoped resources"},{"line_number":137,"context_line":"#. Describe what personas are supported across all services by default"},{"line_number":138,"context_line":"#. 
Add the ability for OSC to find project resources using a system-scoped token"},{"line_number":139,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"9e4c546e_f125f8d5","line":136,"in_reply_to":"240a8680_8cae4b08","updated":"2021-11-02 22:22:25.000000000","message":"+1. I think considering the ownership of the resource and deciding the \u0027who should be able to do this\u0027 make sense. But at same time where project-resource operation needs system level info then switch the profile is needed.\n\nLet\u0027s take the example of \u0027create server on specific host\u0027 (from where we started re-iterating the scope things), this is a project level operation as server is owned by project but the project does not know about host info which is only visible to the system user. \nSo our take here is (as per current discussion is going): \n\nStep 1. system user which can access the host info will make note of the host uuid.\nStep 2. switch to project-admin token and then create the server on a specific host (with host uuid they know as system user)\"\n\nHere we allowed project admin as default for \u0027create server on specific host\u0027 policy, but they as only project-admin cannot do this instead system user can only do by switching to project-admin. We need to discuss this or at least very well explained with reason otherwise it can be confusing for many operators/users as we are saying- \"system user cannot \u0027create server on specific host\u0027 but you need to be system user to \u0027create server on specific host\u0027\"\n\nLet\u0027s discuss it in tomorrow\u0027s call.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ce8ea04582eaa3cd8c7d9ac23f25c6bd366c9a1e","unresolved":true,"context_lines":[{"line_number":133,"context_line":"#. 
Include complete use cases in persona documentation (who exactly is a"},{"line_number":134,"context_line":"   project-admin, who is a project-member, who is a system-admin?)"},{"line_number":135,"context_line":"#. Re-audit every policy change and revert any policies that allow system-users"},{"line_number":136,"context_line":"   to invoke actions on project-scoped resources"},{"line_number":137,"context_line":"#. Describe what personas are supported across all services by default"},{"line_number":138,"context_line":"#. Add the ability for OSC to find project resources using a system-scoped token"},{"line_number":139,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"cf365517_cee31e6c","line":136,"in_reply_to":"72d49318_24e53692","updated":"2021-11-02 13:42:56.000000000","message":"I think project admin *would* have access and control over those things, as in this case project admin is truly an operator-level person.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ebd26f8ddbb483836f1c92f7ade2d6d3c871f50f","unresolved":true,"context_lines":[{"line_number":133,"context_line":"#. Include complete use cases in persona documentation (who exactly is a"},{"line_number":134,"context_line":"   project-admin, who is a project-member, who is a system-admin?)"},{"line_number":135,"context_line":"#. Re-audit every policy change and revert any policies that allow system-users"},{"line_number":136,"context_line":"   to invoke actions on project-scoped resources"},{"line_number":137,"context_line":"#. Describe what personas are supported across all services by default"},{"line_number":138,"context_line":"#. 
Add the ability for OSC to find project resources using a system-scoped token"},{"line_number":139,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"72d49318_24e53692","line":136,"in_reply_to":"8dacb7a9_3bcb27df","updated":"2021-11-02 00:16:02.000000000","message":"In case it needs system-level knowledge (physical hardware/topology knowledge), then we are not allowing project admin to access those, right?\n\nIMO, admin/manager split will create more confusion on who can do what.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"59799d533a48a4f9caf43c1c46ea04512b2e77c3","unresolved":true,"context_lines":[{"line_number":133,"context_line":"#. Include complete use cases in persona documentation (who exactly is a"},{"line_number":134,"context_line":"   project-admin, who is a project-member, who is a system-admin?)"},{"line_number":135,"context_line":"#. Re-audit every policy change and revert any policies that allow system-users"},{"line_number":136,"context_line":"   to invoke actions on project-scoped resources"},{"line_number":137,"context_line":"#. Describe what personas are supported across all services by default"},{"line_number":138,"context_line":"#. Add the ability for OSC to find project resources using a system-scoped token"},{"line_number":139,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"02954a07_fecd668d","line":136,"in_reply_to":"9e4c546e_f125f8d5","updated":"2021-11-03 14:39:21.000000000","message":"I guess I\u0027m not sure how this really changes things for that scenario. The system user can see the raw host information, sure, and could have (if we made it possible with lots of changes) booted an instance on behalf of some user on that host. However, the project-scoped slightly-more-super user (i.e. 
manager) still has the same position here as it did before, needing to see only a fraction of the hosts, with sensitive information (i.e. hostnames) properly sanitized, both incoming and outgoing.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ddd613a3f86e9f7282bbf9929e321f835497262b","unresolved":true,"context_lines":[{"line_number":133,"context_line":"#. Include complete use cases in persona documentation (who exactly is a"},{"line_number":134,"context_line":"   project-admin, who is a project-member, who is a system-admin?)"},{"line_number":135,"context_line":"#. Re-audit every policy change and revert any policies that allow system-users"},{"line_number":136,"context_line":"   to invoke actions on project-scoped resources"},{"line_number":137,"context_line":"#. Describe what personas are supported across all services by default"},{"line_number":138,"context_line":"#. Add the ability for OSC to find project resources using a system-scoped token"},{"line_number":139,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"8dacb7a9_3bcb27df","line":136,"in_reply_to":"b61bc78e_1695afbe","updated":"2021-11-01 14:12:06.000000000","message":"Yeah, and if it requires physical hardware/topology knowledge, it makes sense for that to be an admin role, not project manager. This is probably a good example of a project-scoped resource that requires more-than-project-scoped knowledge, and demonstrates the need for the admin/manager split.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4c3070d747d8a0f99bdca5e38b5d1e6614e28014","unresolved":true,"context_lines":[{"line_number":133,"context_line":"#. 
Include complete use cases in persona documentation (who exactly is a"},{"line_number":134,"context_line":"   project-admin, who is a project-member, who is a system-admin?)"},{"line_number":135,"context_line":"#. Re-audit every policy change and revert any policies that allow system-users"},{"line_number":136,"context_line":"   to invoke actions on project-scoped resources"},{"line_number":137,"context_line":"#. Describe what personas are supported across all services by default"},{"line_number":138,"context_line":"#. Add the ability for OSC to find project resources using a system-scoped token"},{"line_number":139,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"240a8680_8cae4b08","line":136,"in_reply_to":"cf365517_cee31e6c","updated":"2021-11-02 20:40:47.000000000","message":"Before, I looked at questions like this as \"who should be able to do this?\"\n\nCertainly, operators should be allowed to create provider networks, but  not necessarily using a system-scoped token. 
Instead, I think the important part is that we\u0027re acknowledging the owner of the resource and not mixing the ownership with scope (e.g., if a resource is truly project-scoped, like networks, then you must use a project-scoped token to interact with them.)\n\nOtherwise, the thing we\u0027ve discovered is that mixing the ability for system users to interact with project or domain resources just allows operators to continue using their big hammers.\n\nNow, I think I\u0027m trying to look at these questions from the perspective of what owns the resource (e.g., project, domain, or system) since operators can switch profiles when needed and that leads to a cleaner, more secure design.\n\nIf doing anything useful with a provider network requires knowledge of the underlying network topology in the lab, then I\u0027d say it should be limited to project-admin personas so long as the provider network is always owned by a project.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"dc4db976e16ad64bfb8409fafc3bacb6bc75133f","unresolved":true,"context_lines":[{"line_number":133,"context_line":"#. Include complete use cases in persona documentation (who exactly is a"},{"line_number":134,"context_line":"   project-admin, who is a project-member, who is a system-admin?)"},{"line_number":135,"context_line":"#. Re-audit every policy change and revert any policies that allow system-users"},{"line_number":136,"context_line":"   to invoke actions on project-scoped resources"},{"line_number":137,"context_line":"#. Describe what personas are supported across all services by default"},{"line_number":138,"context_line":"#. 
Add the ability for OSC to find project resources using a system-scoped token"},{"line_number":139,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"b61bc78e_1695afbe","line":136,"in_reply_to":"ed4a16a1_75a87d2b","updated":"2021-10-27 13:12:15.000000000","message":"If a provider network is a project-specific resource, and if changes to it would affect other projects in the deployment, then I\u0027d say that project-admins are the right persona to invoke that action. The manager role is intended for people with some extra privileges on top of member. So, project-managers might be able to forcibly reboot an instance for example.\n\nIf provider networks are completely isolated to a single project, then maybe we consider delegating it to project-managers.\n\nGreat question, Slawek.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ddd613a3f86e9f7282bbf9929e321f835497262b","unresolved":true,"context_lines":[{"line_number":141,"context_line":"configure each service to opt into the new defaults::"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"  [oslo_policy]"},{"line_number":144,"context_line":"  enforce_new_defaults\u003dTrue"},{"line_number":145,"context_line":"  enforce_scope\u003dTrue"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"Stretch goal(s)"}],"source_content_type":"text/x-rst","patch_set":2,"id":"55ad48ce_ae1b391d","line":144,"updated":"2021-11-01 14:12:06.000000000","message":"You might want to be more specific about the goal for moving us past the current new/deprecated stalemate. Specifically that we\u0027re stuck with an ever-growing set of new policy rules which aren\u0027t really enable-able because of the tie to system scope. We really need to pare that down to something people can eat in a single release without the big-bang of going to full scope. 
Then we can remove the deprecated path so that we have room for another iteration moving to the next thing.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4c3070d747d8a0f99bdca5e38b5d1e6614e28014","unresolved":true,"context_lines":[{"line_number":141,"context_line":"configure each service to opt into the new defaults::"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"  [oslo_policy]"},{"line_number":144,"context_line":"  enforce_new_defaults\u003dTrue"},{"line_number":145,"context_line":"  enforce_scope\u003dTrue"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"Stretch goal(s)"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3ca9115e_4b733b3a","line":144,"in_reply_to":"11fc3540_b088e7e7","updated":"2021-11-02 20:40:47.000000000","message":"\u003e Lance and I had a good thought on Friday, but couldn\u0027t pull you in before EOD. I\u0027m thinking of a way in nova that we could only allow the list-all-tenants thing to work if you have a domain-scoped token. That way if you set admin on the domain, you get it on all the projects *and* get to look across all of them in a list. We can also make get-instance work with a domain-scoped token and not require a project token by fetching the instance you requested and ask keystone \"is instance.project_id in domain context.domain?\" That will address several of our workflow issues I think.\n\u003e \n\nSpecifically, keystone populates the domain for each project in the project response, regardless of where it is in the project tree.\n\nIf the token is domain-scoped, nova could use the user\u0027s token to make that call, too. 
Keystone won\u0027t return a project for a domain user if it\u0027s outside their tree.\n\nJust some thoughts on the implementation details.\n\n\u003e We can discuss more on Wednesday.\n\nI took a stab at describing what exactly would be delivered to deployers if we took these steps. Let me know if I missed the mark.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ae87fd96be7b8d0e82e2a6194efc7bf17bdee2d8","unresolved":true,"context_lines":[{"line_number":141,"context_line":"configure each service to opt into the new defaults::"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"  [oslo_policy]"},{"line_number":144,"context_line":"  enforce_new_defaults\u003dTrue"},{"line_number":145,"context_line":"  enforce_scope\u003dTrue"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"Stretch goal(s)"}],"source_content_type":"text/x-rst","patch_set":2,"id":"7fbb0211_c0189ff1","line":144,"in_reply_to":"55ad48ce_ae1b391d","updated":"2021-11-01 18:45:54.000000000","message":"+1 Dan here. This is my sticking point, how do we enforce member/reader/admin without a scope check.\n\nMaybe we simply want to say our defaults should never have scope checks in the check string? 
At least in the Nova case, that answers a bunch of the questions.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"c4105a5a51ab1f6f796fb202e0c04d72564b50a4","unresolved":true,"context_lines":[{"line_number":141,"context_line":"configure each service to opt into the new defaults::"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"  [oslo_policy]"},{"line_number":144,"context_line":"  enforce_new_defaults\u003dTrue"},{"line_number":145,"context_line":"  enforce_scope\u003dTrue"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"Stretch goal(s)"}],"source_content_type":"text/x-rst","patch_set":2,"id":"11fc3540_b088e7e7","line":144,"in_reply_to":"7fbb0211_c0189ff1","updated":"2021-11-01 18:57:41.000000000","message":"Lance and I had a good thought on Friday, but couldn\u0027t pull you in before EOD. I\u0027m thinking of a way in nova that we could only allow the list-all-tenants thing to work if you have a domain-scoped token. That way if you set admin on the domain, you get it on all the projects *and* get to look across all of them in a list. 
We can also make get-instance work with a domain-scoped token and not require a project token by fetching the instance you requested and ask keystone \"is instance.project_id in domain context.domain?\" That will address several of our workflow issues I think.\n\nWe can discuss more on Wednesday.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ae87fd96be7b8d0e82e2a6194efc7bf17bdee2d8","unresolved":true,"context_lines":[{"line_number":142,"context_line":""},{"line_number":143,"context_line":"  [oslo_policy]"},{"line_number":144,"context_line":"  enforce_new_defaults\u003dTrue"},{"line_number":145,"context_line":"  enforce_scope\u003dTrue"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"Stretch goal(s)"},{"line_number":148,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"7eb90463_b950558a","line":145,"updated":"2021-11-01 18:45:54.000000000","message":"The next discussion point for me is does admin in any one project mean you can reboot an instance in any other project? I think that should (correctly) also break during the conversion to remove the scope check. 
In Nova I think we can switch the scope check for the project check for the \"system admin\" non-sense we added so far.\n\nFWIW, I think what we lose here is operators having a single clouds.yaml to do things across all projects, having the option to do that is no bad thing at all.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ebd26f8ddbb483836f1c92f7ade2d6d3c871f50f","unresolved":true,"context_lines":[{"line_number":142,"context_line":""},{"line_number":143,"context_line":"  [oslo_policy]"},{"line_number":144,"context_line":"  enforce_new_defaults\u003dTrue"},{"line_number":145,"context_line":"  enforce_scope\u003dTrue"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"Stretch goal(s)"},{"line_number":148,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"2a0487c4_faf791ea","line":145,"in_reply_to":"276bec8b_70b63ab8","updated":"2021-11-02 00:16:02.000000000","message":"humm, I am little bit confused with \u0027the domain admin allow to do operations(read + write-if-we-allow) in all projects\u0027. In that way we need to introduce domain scope in Nova which can solve list all servers from all projects in one domain. 
but what about cross domain (projects in different domain) who will be able to list servers from them (where domain admin is admin of that domain not all domains)?","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ce8ea04582eaa3cd8c7d9ac23f25c6bd366c9a1e","unresolved":true,"context_lines":[{"line_number":142,"context_line":""},{"line_number":143,"context_line":"  [oslo_policy]"},{"line_number":144,"context_line":"  enforce_new_defaults\u003dTrue"},{"line_number":145,"context_line":"  enforce_scope\u003dTrue"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"Stretch goal(s)"},{"line_number":148,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"7e829b21_0b04a1f0","line":145,"in_reply_to":"2a0487c4_faf791ea","updated":"2021-11-02 13:42:56.000000000","message":"This admin on the domain would not have global read permissions on all projects, other than permissions for listing across projects. Just checking the domain token and admin role for gating that is not a big deal I think. Making nova properly support slicing instance lists across domains is, of course, as we would need to start storing the domain with the instance (or a mapping table). 
But again, admin (especially on a domain) would be something you give only to your most privileged operator staff, not delegate to superusers.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4c3070d747d8a0f99bdca5e38b5d1e6614e28014","unresolved":true,"context_lines":[{"line_number":142,"context_line":""},{"line_number":143,"context_line":"  [oslo_policy]"},{"line_number":144,"context_line":"  enforce_new_defaults\u003dTrue"},{"line_number":145,"context_line":"  enforce_scope\u003dTrue"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"Stretch goal(s)"},{"line_number":148,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"d50577c9_8dc3839f","line":145,"in_reply_to":"7e829b21_0b04a1f0","updated":"2021-11-02 20:40:47.000000000","message":"There are some folks who do want to leverage domains for customer accounts (I think Vexxhost was trying to do this a while back).\n\nI\u0027d be curious if Mohammed can weigh in here.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"c4105a5a51ab1f6f796fb202e0c04d72564b50a4","unresolved":true,"context_lines":[{"line_number":142,"context_line":""},{"line_number":143,"context_line":"  [oslo_policy]"},{"line_number":144,"context_line":"  enforce_new_defaults\u003dTrue"},{"line_number":145,"context_line":"  enforce_scope\u003dTrue"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"Stretch goal(s)"},{"line_number":148,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"276bec8b_70b63ab8","line":145,"in_reply_to":"7eb90463_b950558a","updated":"2021-11-01 18:57:41.000000000","message":"Lance has been pretty adamant that this should not be the case, and that you should have to have admin on 
*the* project (either directly or inherited) to be able to do that. It didn\u0027t quite click for me earlier why that\u0027s so important, but I think he\u0027s right and it\u0027s pretty critical.\n\nInheriting from the domain means you don\u0027t have to explicitly be admin everywhere, and yet you *could* give someone admin on only one project, meaning they can do seriously system-admin-y things on only one set of instances. If they can\u0027t get a domain-scoped admin token, then they can\u0027t even list instances outside that project (per design above).","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"b7da74596c648850874c4786917a00ed1e09fa03","unresolved":true,"context_lines":[{"line_number":147,"context_line":"Stretch goal(s)"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"#. Create a new role in the hierarchy called manager"},{"line_number":150,"context_line":"#. Update any policies formally targeted for project-admin to project-member"},{"line_number":151,"context_line":"   (live migrate, set default volume type for project, force reboot instance)"},{"line_number":152,"context_line":"#. 
Implement domain support into each service (the --all-project flag returns"},{"line_number":153,"context_line":"   all resources, like instances, in a domain)"}],"source_content_type":"text/x-rst","patch_set":2,"id":"43ce6493_6c3f6dac","line":150,"range":{"start_line":150,"start_character":70,"end_line":150,"end_character":76},"updated":"2021-10-28 17:40:39.000000000","message":"Do you mean project-manager?","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ddd613a3f86e9f7282bbf9929e321f835497262b","unresolved":true,"context_lines":[{"line_number":147,"context_line":"Stretch goal(s)"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"#. Create a new role in the hierarchy called manager"},{"line_number":150,"context_line":"#. Update any policies formally targeted for project-admin to project-member"},{"line_number":151,"context_line":"   (live migrate, set default volume type for project, force reboot instance)"},{"line_number":152,"context_line":"#. Implement domain support into each service (the --all-project flag returns"},{"line_number":153,"context_line":"   all resources, like instances, in a domain)"}],"source_content_type":"text/x-rst","patch_set":2,"id":"c8356cac_cc6c7da5","line":150,"range":{"start_line":150,"start_character":70,"end_line":150,"end_character":76},"in_reply_to":"43ce6493_6c3f6dac","updated":"2021-11-01 14:12:06.000000000","message":"Yeah","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4c3070d747d8a0f99bdca5e38b5d1e6614e28014","unresolved":false,"context_lines":[{"line_number":147,"context_line":"Stretch goal(s)"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"#. 
Create a new role in the hierarchy called manager"},{"line_number":150,"context_line":"#. Update any policies formally targeted for project-admin to project-member"},{"line_number":151,"context_line":"   (live migrate, set default volume type for project, force reboot instance)"},{"line_number":152,"context_line":"#. Implement domain support into each service (the --all-project flag returns"},{"line_number":153,"context_line":"   all resources, like instances, in a domain)"}],"source_content_type":"text/x-rst","patch_set":2,"id":"65322059_c047e8a2","line":150,"range":{"start_line":150,"start_character":70,"end_line":150,"end_character":76},"in_reply_to":"c8356cac_cc6c7da5","updated":"2021-11-02 20:40:47.000000000","message":"Done","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ddd613a3f86e9f7282bbf9929e321f835497262b","unresolved":true,"context_lines":[{"line_number":148,"context_line":""},{"line_number":149,"context_line":"#. Create a new role in the hierarchy called manager"},{"line_number":150,"context_line":"#. Update any policies formally targeted for project-admin to project-member"},{"line_number":151,"context_line":"   (live migrate, set default volume type for project, force reboot instance)"},{"line_number":152,"context_line":"#. Implement domain support into each service (the --all-project flag returns"},{"line_number":153,"context_line":"   all resources, like instances, in a domain)"},{"line_number":154,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"b0b9093d_ebe3ea30","line":151,"range":{"start_line":151,"start_character":4,"end_line":151,"end_character":16},"updated":"2021-11-01 14:12:06.000000000","message":"I don\u0027t know that you want this to be the default. 
*Some* deployers want live-migrate to be usable by non-deity users, but most will not.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4c3070d747d8a0f99bdca5e38b5d1e6614e28014","unresolved":false,"context_lines":[{"line_number":148,"context_line":""},{"line_number":149,"context_line":"#. Create a new role in the hierarchy called manager"},{"line_number":150,"context_line":"#. Update any policies formally targeted for project-admin to project-member"},{"line_number":151,"context_line":"   (live migrate, set default volume type for project, force reboot instance)"},{"line_number":152,"context_line":"#. Implement domain support into each service (the --all-project flag returns"},{"line_number":153,"context_line":"   all resources, like instances, in a domain)"},{"line_number":154,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"4dd2864d_a4bc5c2a","line":151,"range":{"start_line":151,"start_character":4,"end_line":151,"end_character":16},"in_reply_to":"0e0cace6_f5ec7ca9","updated":"2021-11-02 20:40:47.000000000","message":"Done","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ce8ea04582eaa3cd8c7d9ac23f25c6bd366c9a1e","unresolved":true,"context_lines":[{"line_number":148,"context_line":""},{"line_number":149,"context_line":"#. Create a new role in the hierarchy called manager"},{"line_number":150,"context_line":"#. Update any policies formally targeted for project-admin to project-member"},{"line_number":151,"context_line":"   (live migrate, set default volume type for project, force reboot instance)"},{"line_number":152,"context_line":"#. 
Implement domain support into each service (the --all-project flag returns"},{"line_number":153,"context_line":"   all resources, like instances, in a domain)"},{"line_number":154,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"0e0cace6_f5ec7ca9","line":151,"range":{"start_line":151,"start_character":4,"end_line":151,"end_character":16},"in_reply_to":"60c3f93e_ed006a82","updated":"2021-11-02 13:42:56.000000000","message":"This item *is* the admin/manager/member split I think. It would involve separating actual admin things (i.e. create public flavor, images) from manager (force reboot). I think member and reader would remain unchanged here.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ebd26f8ddbb483836f1c92f7ade2d6d3c871f50f","unresolved":true,"context_lines":[{"line_number":148,"context_line":""},{"line_number":149,"context_line":"#. Create a new role in the hierarchy called manager"},{"line_number":150,"context_line":"#. Update any policies formally targeted for project-admin to project-member"},{"line_number":151,"context_line":"   (live migrate, set default volume type for project, force reboot instance)"},{"line_number":152,"context_line":"#. Implement domain support into each service (the --all-project flag returns"},{"line_number":153,"context_line":"   all resources, like instances, in a domain)"},{"line_number":154,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"60c3f93e_ed006a82","line":151,"range":{"start_line":151,"start_character":4,"end_line":151,"end_character":16},"in_reply_to":"b0b9093d_ebe3ea30","updated":"2021-11-02 00:16:02.000000000","message":"so we are just renaming project admin to project manager right? 
no any other updates in term of access things like split of admin/manager Dan mentioned above?","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e066c5c00be1858aab47e981e64832283520d7c6","unresolved":true,"context_lines":[{"line_number":155,"context_line":"Future goals"},{"line_number":156,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"Existing policy defaults suffer from three major faults:"},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"#. The admin-ness problem: use of policy rules like \u0027is_admin\u0027 or hard-coded"},{"line_number":161,"context_line":"   is-admin checks results in the admin-anywhere-admin-everywhere problem and"}],"source_content_type":"text/x-rst","patch_set":2,"id":"a26f3a35_bdae1ea1","line":158,"updated":"2021-10-26 21:16:02.000000000","message":"We need to walk through the remaining bits of this document if we decide to consider the above changes.","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e066c5c00be1858aab47e981e64832283520d7c6","unresolved":true,"context_lines":[{"line_number":240,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":241,"context_line":""},{"line_number":242,"context_line":"#. Migrate the API policies to new defaults. But keep legacy policies"},{"line_number":243,"context_line":"   rule supported as deprecated rules."},{"line_number":244,"context_line":""},{"line_number":245,"context_line":"#. Add ``scope_type`` to the policies. 
By default, scope checks will be"},{"line_number":246,"context_line":"   disabled."}],"source_content_type":"text/x-rst","patch_set":2,"id":"9e317c7d_f828c551","line":243,"updated":"2021-10-26 21:16:02.000000000","message":"This will need to be updated to be more specific about what each project needs to do, since this will likely change based on each project (e.g., nova and neutron need to back out some changes, cinder and glance need to implement system-scope support for system-specific APIs)","commit_id":"c36734795932637e10fb1f1061a3049293671385"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b1facf6a127d0c5e55ecfded0f6edd7ef98abaff","unresolved":true,"context_lines":[{"line_number":155,"context_line":"This configuration will enable the following personas, described as follows:"},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"#. System Administrator"},{"line_number":158,"context_line":"   #. Denoted by someone with the `admin` role on the `system`"},{"line_number":159,"context_line":"   #. Intended for operators or support personnel"},{"line_number":160,"context_line":"   #. Not intended for end users"},{"line_number":161,"context_line":"   #. 
Can operate on project-specific resources with the proper access"}],"source_content_type":"text/x-rst","patch_set":3,"id":"def4c57d_fe9e88f2","line":158,"updated":"2021-11-02 21:21:28.000000000","message":"Apparently this type of nested lists isn\u0027t supported in RST.","commit_id":"fea3b33c065a34a63188075b918c9686a07776d0"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"7fc63cf128dfb34696404c18885d7540ca23190b","unresolved":true,"context_lines":[{"line_number":8,"context_line":"OpenStack\u0027s initial goal to be a multi-tenant platform drove the idea that"},{"line_number":9,"context_line":"users operate within the confines of one project at a time. Early versions of"},{"line_number":10,"context_line":"the authorization system, which included keystone and various middleware,"},{"line_number":11,"context_line":"filled this requirement."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"However, OpenStack\u0027s explosive growth and adoption added services and API"},{"line_number":14,"context_line":"surface area to the ecosystem. This growth quickly outpaced the authorization"}],"source_content_type":"text/x-rst","patch_set":6,"id":"fd4e1208_2dd2f62c","line":11,"range":{"start_line":11,"start_character":0,"end_line":11,"end_character":6},"updated":"2021-11-03 14:25:36.000000000","message":"nit: fulfilled","commit_id":"f645a6d31b8e2da4823d57267ee099e4ac15fb31"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7b007d523bb2086d5778e00b8f9a61e6096be041","unresolved":false,"context_lines":[{"line_number":8,"context_line":"OpenStack\u0027s initial goal to be a multi-tenant platform drove the idea that"},{"line_number":9,"context_line":"users operate within the confines of one project at a time. 
Early versions of"},{"line_number":10,"context_line":"the authorization system, which included keystone and various middleware,"},{"line_number":11,"context_line":"filled this requirement."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"However, OpenStack\u0027s explosive growth and adoption added services and API"},{"line_number":14,"context_line":"surface area to the ecosystem. This growth quickly outpaced the authorization"}],"source_content_type":"text/x-rst","patch_set":6,"id":"6a3712e0_49da2ea3","line":11,"range":{"start_line":11,"start_character":0,"end_line":11,"end_character":6},"in_reply_to":"fd4e1208_2dd2f62c","updated":"2021-11-04 14:07:19.000000000","message":"Done","commit_id":"f645a6d31b8e2da4823d57267ee099e4ac15fb31"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"7fc63cf128dfb34696404c18885d7540ca23190b","unresolved":true,"context_lines":[{"line_number":27,"context_line":"This led to the following problems:"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"#. By default, users were either average end-users or operators, which is far"},{"line_number":30,"context_line":"   too `restrict \u003chttps://launchpad.net/bugs/968696\u003e`_ for read-world clouds"},{"line_number":31,"context_line":"#. The design violated the principle of least privilege"},{"line_number":32,"context_line":"#. Inconsistent authorization behavior across services"},{"line_number":33,"context_line":"#. 
Operators need to be intimately familiar with the policy implementation to"}],"source_content_type":"text/x-rst","patch_set":6,"id":"c0f2fb19_8ed93597","line":30,"range":{"start_line":30,"start_character":8,"end_line":30,"end_character":16},"updated":"2021-11-03 14:25:36.000000000","message":"nit: restrictive","commit_id":"f645a6d31b8e2da4823d57267ee099e4ac15fb31"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7b007d523bb2086d5778e00b8f9a61e6096be041","unresolved":false,"context_lines":[{"line_number":27,"context_line":"This led to the following problems:"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"#. By default, users were either average end-users or operators, which is far"},{"line_number":30,"context_line":"   too `restrict \u003chttps://launchpad.net/bugs/968696\u003e`_ for read-world clouds"},{"line_number":31,"context_line":"#. The design violated the principle of least privilege"},{"line_number":32,"context_line":"#. Inconsistent authorization behavior across services"},{"line_number":33,"context_line":"#. Operators need to be intimately familiar with the policy implementation to"}],"source_content_type":"text/x-rst","patch_set":6,"id":"2a8d639e_7c181624","line":30,"range":{"start_line":30,"start_character":8,"end_line":30,"end_character":16},"in_reply_to":"c0f2fb19_8ed93597","updated":"2021-11-04 14:07:19.000000000","message":"Done","commit_id":"f645a6d31b8e2da4823d57267ee099e4ac15fb31"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"7fc63cf128dfb34696404c18885d7540ca23190b","unresolved":true,"context_lines":[{"line_number":78,"context_line":""},{"line_number":79,"context_line":"Throughout this process we\u0027ve communicated with operators and end users about"},{"line_number":80,"context_line":"the changes to implement a new scope type. 
Early feedback on the approach to"},{"line_number":81,"context_line":"isolate system-level APIs behind a new authorization target eluded to the"},{"line_number":82,"context_line":"ability for operators to continue supporting their users by interacting with"},{"line_number":83,"context_line":"project-owned resources. A good example of this use case is when an end user"},{"line_number":84,"context_line":"needs to have an operator forcibly reboot an instance."}],"source_content_type":"text/x-rst","patch_set":6,"id":"0df326ed_53cfaafe","line":81,"range":{"start_line":81,"start_character":60,"end_line":81,"end_character":66},"updated":"2021-11-03 14:25:36.000000000","message":"I\u0027m having trouble parsing this sentence. Do you mean \"alluded\"?","commit_id":"f645a6d31b8e2da4823d57267ee099e4ac15fb31"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7b007d523bb2086d5778e00b8f9a61e6096be041","unresolved":false,"context_lines":[{"line_number":78,"context_line":""},{"line_number":79,"context_line":"Throughout this process we\u0027ve communicated with operators and end users about"},{"line_number":80,"context_line":"the changes to implement a new scope type. Early feedback on the approach to"},{"line_number":81,"context_line":"isolate system-level APIs behind a new authorization target eluded to the"},{"line_number":82,"context_line":"ability for operators to continue supporting their users by interacting with"},{"line_number":83,"context_line":"project-owned resources. A good example of this use case is when an end user"},{"line_number":84,"context_line":"needs to have an operator forcibly reboot an instance."}],"source_content_type":"text/x-rst","patch_set":6,"id":"d6331a46_4ae9d89a","line":81,"range":{"start_line":81,"start_character":60,"end_line":81,"end_character":66},"in_reply_to":"0df326ed_53cfaafe","updated":"2021-11-04 14:07:19.000000000","message":"Yes - good catch. 
Thank you.","commit_id":"f645a6d31b8e2da4823d57267ee099e4ac15fb31"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"7fc63cf128dfb34696404c18885d7540ca23190b","unresolved":true,"context_lines":[{"line_number":115,"context_line":""},{"line_number":116,"context_line":"We did agree that operators should be able to manage resources within a"},{"line_number":117,"context_line":"project, but we don\u0027t want to conflate that use case into the system-scope"},{"line_number":118,"context_line":"construct. System administrators users have the ability to grant themselves"},{"line_number":119,"context_line":"authorization to domains and projects within the deployment. A few extra steps"},{"line_number":120,"context_line":"would allow them to get the correct authorization to the intended project and"},{"line_number":121,"context_line":"perform the necessary operations using a token flow that\u0027s already supported."}],"source_content_type":"text/x-rst","patch_set":6,"id":"1aff72bc_edff31a5","line":118,"range":{"start_line":118,"start_character":33,"end_line":118,"end_character":38},"updated":"2021-11-03 14:25:36.000000000","message":"I think you just mean \"system administrators\" (delete \"users\")?","commit_id":"f645a6d31b8e2da4823d57267ee099e4ac15fb31"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7b007d523bb2086d5778e00b8f9a61e6096be041","unresolved":false,"context_lines":[{"line_number":115,"context_line":""},{"line_number":116,"context_line":"We did agree that operators should be able to manage resources within a"},{"line_number":117,"context_line":"project, but we don\u0027t want to conflate that use case into the system-scope"},{"line_number":118,"context_line":"construct. 
System administrators users have the ability to grant themselves"},{"line_number":119,"context_line":"authorization to domains and projects within the deployment. A few extra steps"},{"line_number":120,"context_line":"would allow them to get the correct authorization to the intended project and"},{"line_number":121,"context_line":"perform the necessary operations using a token flow that\u0027s already supported."}],"source_content_type":"text/x-rst","patch_set":6,"id":"8fd2ad55_6f3db405","line":118,"range":{"start_line":118,"start_character":33,"end_line":118,"end_character":38},"in_reply_to":"1aff72bc_edff31a5","updated":"2021-11-04 14:07:19.000000000","message":"Done","commit_id":"f645a6d31b8e2da4823d57267ee099e4ac15fb31"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"7fc63cf128dfb34696404c18885d7540ca23190b","unresolved":true,"context_lines":[{"line_number":285,"context_line":""},{"line_number":286,"context_line":"* In the victoria cycle, we completed the oslo policy framework to `migrate"},{"line_number":287,"context_line":"  default policy format from JSON to YAML"},{"line_number":288,"context_line":"  \u003coslo specs \u003chttps://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html\u003e`_"},{"line_number":289,"context_line":""},{"line_number":290,"context_line":"* In the wallaby cycle, we completed the community-wide goal of migrating the"},{"line_number":291,"context_line":"  policy format from JSON to YAML for `all the OpenStack services"}],"source_content_type":"text/x-rst","patch_set":6,"id":"b9cf74db_4e08c7d3","line":288,"range":{"start_line":288,"start_character":2,"end_line":288,"end_character":3},"updated":"2021-11-03 14:25:36.000000000","message":"This \u0027\u003c\u0027 should be a back-tick \u0027`\u0027","commit_id":"f645a6d31b8e2da4823d57267ee099e4ac15fb31"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7b007d523bb2086d5778e00b8f9a61e6096be041","unresolved":false,"context_lines":[{"line_number":285,"context_line":""},{"line_number":286,"context_line":"* In the victoria cycle, we completed the oslo policy framework to `migrate"},{"line_number":287,"context_line":"  default policy format from JSON to YAML"},{"line_number":288,"context_line":"  \u003coslo specs \u003chttps://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html\u003e`_"},{"line_number":289,"context_line":""},{"line_number":290,"context_line":"* In the wallaby cycle, we completed the community-wide goal of migrating the"},{"line_number":291,"context_line":"  policy format from JSON to YAML for `all the OpenStack services"}],"source_content_type":"text/x-rst","patch_set":6,"id":"cb8b1d59_7641b488","line":288,"range":{"start_line":288,"start_character":2,"end_line":288,"end_character":3},"in_reply_to":"b9cf74db_4e08c7d3","updated":"2021-11-04 14:07:19.000000000","message":"Done","commit_id":"f645a6d31b8e2da4823d57267ee099e4ac15fb31"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"a79757efaba54172d640ea3e904630c5da242bd4","unresolved":true,"context_lines":[{"line_number":80,"context_line":"the changes to implement a new scope type. Early feedback on the approach to"},{"line_number":81,"context_line":"isolate system-level APIs behind a new authorization target eluded to the"},{"line_number":82,"context_line":"ability for operators to continue supporting their users by interacting with"},{"line_number":83,"context_line":"project-owned resources. 
A good example of this use case is when an end user"},{"line_number":84,"context_line":"needs to have an operator forcibly reboot an instance."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Based on the initial discussions of how system-scope would be used, we decided"},{"line_number":87,"context_line":"to allow system-scoped tokens to operate on project-owned resources."}],"source_content_type":"text/x-rst","patch_set":7,"id":"b2e56818_f2d4d082","line":84,"range":{"start_line":83,"start_character":25,"end_line":84,"end_character":54},"updated":"2021-11-04 14:58:03.000000000","message":"im not sure this si a good example in that there is nothing the operator can do that a normal user cant do in this case.\n\nin both instnace the operator or end user woudl just use the hard-reboot instance action\n\nim not saying its invlaid to allow operators to do the reboot by im just saying that as a usecase this si pretty weak since the user can already do eveything the operator can with to gard to rebooting the instance.\n\na better example usecause  maybe server delete for example after a tenant closes there account with the cloud provider without  cleaning up all the resouces the cretaed such as instances.\n\nin that case the operator need to be able to forcabliy remove the workloads that the customer is no longer paying for.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"721871cd4adc8abab4494ccf7438ce90dbfdb509","unresolved":false,"context_lines":[{"line_number":80,"context_line":"the changes to implement a new scope type. 
Early feedback on the approach to"},{"line_number":81,"context_line":"isolate system-level APIs behind a new authorization target eluded to the"},{"line_number":82,"context_line":"ability for operators to continue supporting their users by interacting with"},{"line_number":83,"context_line":"project-owned resources. A good example of this use case is when an end user"},{"line_number":84,"context_line":"needs to have an operator forcibly reboot an instance."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Based on the initial discussions of how system-scope would be used, we decided"},{"line_number":87,"context_line":"to allow system-scoped tokens to operate on project-owned resources."}],"source_content_type":"text/x-rst","patch_set":7,"id":"344a4f39_112d29a7","line":84,"range":{"start_line":83,"start_character":25,"end_line":84,"end_character":54},"in_reply_to":"1f2c760b_e4b67261","updated":"2021-11-04 17:42:10.000000000","message":"Done","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3f28b7e7462271d5751c648ce26bbac7997b2fbf","unresolved":false,"context_lines":[{"line_number":80,"context_line":"the changes to implement a new scope type. Early feedback on the approach to"},{"line_number":81,"context_line":"isolate system-level APIs behind a new authorization target eluded to the"},{"line_number":82,"context_line":"ability for operators to continue supporting their users by interacting with"},{"line_number":83,"context_line":"project-owned resources. 
A good example of this use case is when an end user"},{"line_number":84,"context_line":"needs to have an operator forcibly reboot an instance."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Based on the initial discussions of how system-scope would be used, we decided"},{"line_number":87,"context_line":"to allow system-scoped tokens to operate on project-owned resources."}],"source_content_type":"text/x-rst","patch_set":7,"id":"4d813cfc_d19067d5","line":84,"range":{"start_line":83,"start_character":25,"end_line":84,"end_character":54},"in_reply_to":"344a4f39_112d29a7","updated":"2021-11-04 18:03:49.000000000","message":"ack ya reset-state, evaucate, livemigraton woudl be more in the operator helping tenaant camp ya.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"9fec1cfe95fbd567047362db3ad5107471c11b38","unresolved":false,"context_lines":[{"line_number":80,"context_line":"the changes to implement a new scope type. Early feedback on the approach to"},{"line_number":81,"context_line":"isolate system-level APIs behind a new authorization target eluded to the"},{"line_number":82,"context_line":"ability for operators to continue supporting their users by interacting with"},{"line_number":83,"context_line":"project-owned resources. 
A good example of this use case is when an end user"},{"line_number":84,"context_line":"needs to have an operator forcibly reboot an instance."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Based on the initial discussions of how system-scope would be used, we decided"},{"line_number":87,"context_line":"to allow system-scoped tokens to operate on project-owned resources."}],"source_content_type":"text/x-rst","patch_set":7,"id":"a5951479_ac9195ce","line":84,"range":{"start_line":83,"start_character":25,"end_line":84,"end_character":54},"in_reply_to":"4d813cfc_d19067d5","updated":"2021-11-04 18:28:21.000000000","message":"Yep, thanks for calling this out. We\u0027ve been throwing around references to things, but having actual concrete examples here of what operations fall into each basket is clearly what we need to make this solid.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"2c8f666d0888c5ed17fcda4d1bad3cacb12fcba5","unresolved":true,"context_lines":[{"line_number":80,"context_line":"the changes to implement a new scope type. Early feedback on the approach to"},{"line_number":81,"context_line":"isolate system-level APIs behind a new authorization target eluded to the"},{"line_number":82,"context_line":"ability for operators to continue supporting their users by interacting with"},{"line_number":83,"context_line":"project-owned resources. 
A good example of this use case is when an end user"},{"line_number":84,"context_line":"needs to have an operator forcibly reboot an instance."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Based on the initial discussions of how system-scope would be used, we decided"},{"line_number":87,"context_line":"to allow system-scoped tokens to operate on project-owned resources."}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f2c760b_e4b67261","line":84,"range":{"start_line":83,"start_character":25,"end_line":84,"end_character":54},"in_reply_to":"b2e56818_f2d4d082","updated":"2021-11-04 16:27:30.000000000","message":"I think this comes from us just throwing around examples of things we might want to delegate to slightly more privileged users (i.e. the new manager role). Someone brought up force reboot, and I thought we did have a limit on the hard reboot option but looks like we don\u0027t. However, something like \"reset state\" is probably in this camp.\n\nBut as I think you\u0027re noting, this paragraph is really about the operator taking action on project resources. Deleting resources from old tenants might be one, but it\u0027s less \"operator helping tenant\" since they\u0027re gone. 
Maybe something like live migration or evacuate might be appropriate.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"a79757efaba54172d640ea3e904630c5da242bd4","unresolved":true,"context_lines":[{"line_number":101,"context_line":"Ultimately, we stepped back and realized that the primary use case for allowing"},{"line_number":102,"context_line":"system users to operate on project-owner resources was to allow for backwards"},{"line_number":103,"context_line":"compatibility."},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"While we certainly want to make things as easy as possible operators to use,"},{"line_number":106,"context_line":"we\u0027re not sure the additional overhead required to teach each OpenStack service"},{"line_number":107,"context_line":"about system-scope in this way would be beneficial. This is especially true"}],"source_content_type":"text/x-rst","patch_set":7,"id":"294ed953_637feb5b","line":104,"updated":"2021-11-04 14:58:03.000000000","message":"yes the need to ensure that its possible for an operator to use a privladge token to be abel to take acation on resouce in any project without needing to become a member of that project even transitivly for the short period of the oepration.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"a79757efaba54172d640ea3e904630c5da242bd4","unresolved":true,"context_lines":[{"line_number":120,"context_line":"would allow them to get the correct authorization to the intended project and"},{"line_number":121,"context_line":"perform the necessary operations using a token flow that\u0027s already supported."},{"line_number":122,"context_line":"Additionally, it provides a very clear audit 
trail."},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"So, where do we go from here?"},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"We have a set of OpenStack services that have adopted system-scope with the"}],"source_content_type":"text/x-rst","patch_set":7,"id":"e2c84711_d5b41a78","line":123,"updated":"2021-11-04 14:58:03.000000000","message":"-1 i really dont think this is an acccpetable sollution without exposting the root domain.\n\nif we expose the root doamin of all domains/project form keystone and allow operators to grant them seleve role on that domain which are then inhirtied to all subdomains and projects that can be accpatbale but require extra stped to add and remove roel sin domains and project to do a server delete for a tenant that closed there account without cleaning all the resouces i think is an unaccpatbale burden that makes it easy to leak roles and permissions in a number fo failure modes.\n\ni also dont think that automating this in the sdk or client is approate\n\nthe system adminsitration must be abel to get a single keystone token and then call any project scopted api with that provided it has the correct roles.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3f28b7e7462271d5751c648ce26bbac7997b2fbf","unresolved":true,"context_lines":[{"line_number":120,"context_line":"would allow them to get the correct authorization to the intended project and"},{"line_number":121,"context_line":"perform the necessary operations using a token flow that\u0027s already supported."},{"line_number":122,"context_line":"Additionally, it provides a very clear audit trail."},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"So, where do we go from here?"},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"We have a set of 
OpenStack services that have adopted system-scope with the"}],"source_content_type":"text/x-rst","patch_set":7,"id":"541c5db8_8fde084f","line":123,"in_reply_to":"24ac0821_70bbb755","updated":"2021-11-04 18:03:49.000000000","message":"there would still be autiting since the token is asscoated with the user and we can therefor track everything they did.\n\nthe token i was expecting to create was a domain scoped token with for a given user with the admin role on that domain.\n\nif its the root doamin that token woudl be valid on all domain and projects via role inheritnace, if the user was a an admin of a speics child tomain it would be scoped to jsut the porject in that domain.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"9fec1cfe95fbd567047362db3ad5107471c11b38","unresolved":true,"context_lines":[{"line_number":120,"context_line":"would allow them to get the correct authorization to the intended project and"},{"line_number":121,"context_line":"perform the necessary operations using a token flow that\u0027s already supported."},{"line_number":122,"context_line":"Additionally, it provides a very clear audit trail."},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"So, where do we go from here?"},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"We have a set of OpenStack services that have adopted system-scope with the"}],"source_content_type":"text/x-rst","patch_set":7,"id":"d1abb748_d5ab005c","line":123,"in_reply_to":"541c5db8_8fde084f","updated":"2021-11-04 18:28:21.000000000","message":"\u003e there would still be autiting since the token is asscoated with the user and we can therefor track everything they did.\n\nThey would have been issued a domain token, but not a project one for the resource they\u0027re going to take action on. 
More on that below.\n\n\u003e the token i was expecting to create was a domain scoped token with for a given user with the admin role on that domain.\n\u003e \n\u003e if its the root doamin that token woudl be valid on all domain and projects via role inheritnace, if the user was a an admin of a speics child tomain it would be scoped to jsut the porject in that domain.\n\nThat is not how it works AFAIK. An admin starting with a domain-scoped token has just that: a domain-scoped token that carries roles assigned on that domain. That token is as useless for taking action on a project resource as a system-scoped token in that it has no project affiliation. IF the role assignment on the domain is marked as inherited on projects within, then that user would also be able to grab a project-scoped token with those inherited roles to take action on a project resource, and the act of doing so would be an auditable event.\n\nIf the user has the domain role, but it is not inherited to the projects, then they could do things like the project-wide list, but not grab a token and take action on those resources. 
Similarly, a user may have the admin role on a project, giving them that power for those resources, but without the ability to list across all projects, or the implication that they have the same power on sibling projects.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"2c8f666d0888c5ed17fcda4d1bad3cacb12fcba5","unresolved":true,"context_lines":[{"line_number":120,"context_line":"would allow them to get the correct authorization to the intended project and"},{"line_number":121,"context_line":"perform the necessary operations using a token flow that\u0027s already supported."},{"line_number":122,"context_line":"Additionally, it provides a very clear audit trail."},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"So, where do we go from here?"},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"We have a set of OpenStack services that have adopted system-scope with the"}],"source_content_type":"text/x-rst","patch_set":7,"id":"24ac0821_70bbb755","line":123,"in_reply_to":"e2c84711_d5b41a78","updated":"2021-11-04 16:27:30.000000000","message":"I disagree with the assertion that there must be a single god user that can do anything without any auditing. Even modern operating system design specifies that nobody logs in interactively as root and does everything through sudo for the purposes of auditing.\n\nI don\u0027t think domains need to be considered ephemeral, or that we need to worry about domains being created at a high rate. Further, I expect that domain creation involves a fair bit of automation which can add roles to admin users upon creation.\n\nI do think it would be nice if we could add roles on the root to make this automatic, but that\u0027s a keystone design decision which I expect will require some discussion and obviously a change in how things are currently exposed. 
Currently there\u0027s no actual isolation between domains and an admin anywhere is admin everywhere, so some additional work in complex environments that allows us some incremental progress towards decomposing that seems totally reasonable to me.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"0df9d7d7d955e17547f8ed94b47b3c2d6da9c955","unresolved":true,"context_lines":[{"line_number":142,"context_line":"#. Include complete use cases in persona documentation (who exactly is a"},{"line_number":143,"context_line":"   project-admin, who is a project-member, who is a system-admin?)"},{"line_number":144,"context_line":"#. Re-audit every policy change and revert any policies that allow system-users"},{"line_number":145,"context_line":"   to invoke actions on project-scoped resources"},{"line_number":146,"context_line":"#. Describe what personas are supported across all services by default"},{"line_number":147,"context_line":"#. Add the ability for OSC to find project resources using a system-scoped token"},{"line_number":148,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"6b90451a_0eb5f69c","line":145,"range":{"start_line":145,"start_character":6,"end_line":145,"end_character":20},"updated":"2021-11-05 18:05:32.000000000","message":"We might want to change this to be less specific to actions, and I just realized this implies that maybe system users can *see* project resources too.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7b26bfb097de9d1e54a74ad630741262664027a5","unresolved":true,"context_lines":[{"line_number":142,"context_line":"#. 
Include complete use cases in persona documentation (who exactly is a"},{"line_number":143,"context_line":"   project-admin, who is a project-member, who is a system-admin?)"},{"line_number":144,"context_line":"#. Re-audit every policy change and revert any policies that allow system-users"},{"line_number":145,"context_line":"   to invoke actions on project-scoped resources"},{"line_number":146,"context_line":"#. Describe what personas are supported across all services by default"},{"line_number":147,"context_line":"#. Add the ability for OSC to find project resources using a system-scoped token"},{"line_number":148,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"523954e0_e238fc0a","line":145,"range":{"start_line":145,"start_character":6,"end_line":145,"end_character":20},"in_reply_to":"6b90451a_0eb5f69c","updated":"2021-11-05 19:32:02.000000000","message":"I tried removing this and using policy examples below. Does that cover your concern?","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"a79757efaba54172d640ea3e904630c5da242bd4","unresolved":true,"context_lines":[{"line_number":144,"context_line":"#. Re-audit every policy change and revert any policies that allow system-users"},{"line_number":145,"context_line":"   to invoke actions on project-scoped resources"},{"line_number":146,"context_line":"#. Describe what personas are supported across all services by default"},{"line_number":147,"context_line":"#. 
Add the ability for OSC to find project resources using a system-scoped token"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"If we can complete this across the community in Yoga, operators will be able to"},{"line_number":150,"context_line":"configure each service to opt into the new defaults::"}],"source_content_type":"text/x-rst","patch_set":7,"id":"62244a23_0e29c4cc","line":147,"range":{"start_line":147,"start_character":0,"end_line":147,"end_character":80},"updated":"2021-11-04 14:58:03.000000000","message":"i dont think osc is succicnet we need to havce a solution that will work for curl\n\ne.g. curl keyston to get a vlaid token for your system admsinstrato\n     curl service api with that token and no addtional step before or after.\n\nto enable that i think we need to impelemtn the keystone feature to expose the root domains as we discussed during the ptg.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"2c8f666d0888c5ed17fcda4d1bad3cacb12fcba5","unresolved":true,"context_lines":[{"line_number":144,"context_line":"#. Re-audit every policy change and revert any policies that allow system-users"},{"line_number":145,"context_line":"   to invoke actions on project-scoped resources"},{"line_number":146,"context_line":"#. Describe what personas are supported across all services by default"},{"line_number":147,"context_line":"#. 
Add the ability for OSC to find project resources using a system-scoped token"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"If we can complete this across the community in Yoga, operators will be able to"},{"line_number":150,"context_line":"configure each service to opt into the new defaults::"}],"source_content_type":"text/x-rst","patch_set":7,"id":"a0330f26_2c00f3cc","line":147,"range":{"start_line":147,"start_character":0,"end_line":147,"end_character":80},"in_reply_to":"62244a23_0e29c4cc","updated":"2021-11-04 16:27:30.000000000","message":"I do not agree that everything needs to be doable with a single curl command.\n\nIt would be nice if the root domain was exposed for the purposes of role assignment, but I don\u0027t think it solves the multi-step problem of needing to get a project-scoped token for a given resource, once you\u0027ve determined what project it is in.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"9fec1cfe95fbd567047362db3ad5107471c11b38","unresolved":true,"context_lines":[{"line_number":144,"context_line":"#. Re-audit every policy change and revert any policies that allow system-users"},{"line_number":145,"context_line":"   to invoke actions on project-scoped resources"},{"line_number":146,"context_line":"#. Describe what personas are supported across all services by default"},{"line_number":147,"context_line":"#. 
Add the ability for OSC to find project resources using a system-scoped token"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"If we can complete this across the community in Yoga, operators will be able to"},{"line_number":150,"context_line":"configure each service to opt into the new defaults::"}],"source_content_type":"text/x-rst","patch_set":7,"id":"444464a5_7cebdaca","line":147,"range":{"start_line":147,"start_character":0,"end_line":147,"end_character":80},"in_reply_to":"94b8840b_72a3ae4a","updated":"2021-11-04 18:28:21.000000000","message":"\u003e i thought it woudl sicne you would be abel to get a domain scoped token (scoped to the root domain of all domains) and with the role inheritance form that root domain down to all project that would eneble you to perform oepratoin on those project specific resouces with the domain scoped token.\n\nNot AFAIK, the domain-scoped token (either root or actual domain) has no project affiliation and thus isn\u0027t useful for the project resource action.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3f28b7e7462271d5751c648ce26bbac7997b2fbf","unresolved":true,"context_lines":[{"line_number":144,"context_line":"#. Re-audit every policy change and revert any policies that allow system-users"},{"line_number":145,"context_line":"   to invoke actions on project-scoped resources"},{"line_number":146,"context_line":"#. Describe what personas are supported across all services by default"},{"line_number":147,"context_line":"#. 
Add the ability for OSC to find project resources using a system-scoped token"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"If we can complete this across the community in Yoga, operators will be able to"},{"line_number":150,"context_line":"configure each service to opt into the new defaults::"}],"source_content_type":"text/x-rst","patch_set":7,"id":"94b8840b_72a3ae4a","line":147,"range":{"start_line":147,"start_character":0,"end_line":147,"end_character":80},"in_reply_to":"a0330f26_2c00f3cc","updated":"2021-11-04 18:03:49.000000000","message":"i thought it woudl sicne you would be abel to get a domain scoped token (scoped to the root domain of all domains) and with the role inheritance form that root domain down to all project that would eneble you to perform oepratoin on those project specific resouces with the domain scoped token.\n\nperhaps i miss understood but if my assertion above is correct then appart form initally granting member or admin on that top level domain i think it would allow the single curl appchec to work.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"a79757efaba54172d640ea3e904630c5da242bd4","unresolved":true,"context_lines":[{"line_number":156,"context_line":"This configuration will enable the following personas, described as follows:"},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"- System Administrator"},{"line_number":159,"context_line":"   - Denoted by someone with the ``admin`` role on the ``system``"},{"line_number":160,"context_line":"   - Intended for operators or support personnel"},{"line_number":161,"context_line":"   - Not intended for end users"},{"line_number":162,"context_line":"   - Can operate on project-specific resources with the proper 
access"}],"source_content_type":"text/x-rst","patch_set":7,"id":"298e19c8_d57acdae","line":159,"range":{"start_line":159,"start_character":49,"end_line":159,"end_character":65},"updated":"2021-11-04 14:58:03.000000000","message":"what does this actully mean.\n\nis the system a special project or the root domain?\nor is its something else like system_scope.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"2c8f666d0888c5ed17fcda4d1bad3cacb12fcba5","unresolved":true,"context_lines":[{"line_number":156,"context_line":"This configuration will enable the following personas, described as follows:"},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"- System Administrator"},{"line_number":159,"context_line":"   - Denoted by someone with the ``admin`` role on the ``system``"},{"line_number":160,"context_line":"   - Intended for operators or support personnel"},{"line_number":161,"context_line":"   - Not intended for end users"},{"line_number":162,"context_line":"   - Can operate on project-specific resources with the proper access"}],"source_content_type":"text/x-rst","patch_set":7,"id":"a70700bd_4e3d506d","line":159,"range":{"start_line":159,"start_character":49,"end_line":159,"end_character":65},"in_reply_to":"298e19c8_d57acdae","updated":"2021-11-04 16:27:30.000000000","message":"This means admin role in system scope, exactly what role\u003dadmin,scope\u003dsystem means today.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3f28b7e7462271d5751c648ce26bbac7997b2fbf","unresolved":false,"context_lines":[{"line_number":156,"context_line":"This configuration will enable the following personas, described as follows:"},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"- 
System Administrator"},{"line_number":159,"context_line":"   - Denoted by someone with the ``admin`` role on the ``system``"},{"line_number":160,"context_line":"   - Intended for operators or support personnel"},{"line_number":161,"context_line":"   - Not intended for end users"},{"line_number":162,"context_line":"   - Can operate on project-specific resources with the proper access"}],"source_content_type":"text/x-rst","patch_set":7,"id":"d96764ba_e165933d","line":159,"range":{"start_line":159,"start_character":49,"end_line":159,"end_character":65},"in_reply_to":"a70700bd_4e3d506d","updated":"2021-11-04 18:03:49.000000000","message":"Ack","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"259a9b030b051ba8743b36d08219e8ae9144f72c","unresolved":true,"context_lines":[{"line_number":159,"context_line":"   - Denoted by someone with the ``admin`` role on the ``system``"},{"line_number":160,"context_line":"   - Intended for operators or support personnel"},{"line_number":161,"context_line":"   - Not intended for end users"},{"line_number":162,"context_line":"   - Can operate on project-specific resources with the proper access"},{"line_number":163,"context_line":"   - *Add or delete services and endpoints*"},{"line_number":164,"context_line":"   - *Create new volume types*"},{"line_number":165,"context_line":"   - *Create or delete HSM transport keys*"}],"source_content_type":"text/x-rst","patch_set":7,"id":"9a0c480d_3953a5b4","line":162,"updated":"2021-11-03 14:44:37.000000000","message":"I thought we were *not* doing this. 
Maybe an example would be helpful?","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a38d6f280e746591020a947bf875372343f2d6ab","unresolved":true,"context_lines":[{"line_number":159,"context_line":"   - Denoted by someone with the ``admin`` role on the ``system``"},{"line_number":160,"context_line":"   - Intended for operators or support personnel"},{"line_number":161,"context_line":"   - Not intended for end users"},{"line_number":162,"context_line":"   - Can operate on project-specific resources with the proper access"},{"line_number":163,"context_line":"   - *Add or delete services and endpoints*"},{"line_number":164,"context_line":"   - *Create new volume types*"},{"line_number":165,"context_line":"   - *Create or delete HSM transport keys*"}],"source_content_type":"text/x-rst","patch_set":7,"id":"43cb66e5_591c89d8","line":162,"in_reply_to":"2b55afca_f532567f","updated":"2021-11-04 14:03:47.000000000","message":"We discussed the confusion here yesterday during the secure RBAC TC meeting. 
I\u0027ve updated it this to be more clear and include the agreement we came to on the call.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7b007d523bb2086d5778e00b8f9a61e6096be041","unresolved":false,"context_lines":[{"line_number":159,"context_line":"   - Denoted by someone with the ``admin`` role on the ``system``"},{"line_number":160,"context_line":"   - Intended for operators or support personnel"},{"line_number":161,"context_line":"   - Not intended for end users"},{"line_number":162,"context_line":"   - Can operate on project-specific resources with the proper access"},{"line_number":163,"context_line":"   - *Add or delete services and endpoints*"},{"line_number":164,"context_line":"   - *Create new volume types*"},{"line_number":165,"context_line":"   - *Create or delete HSM transport keys*"}],"source_content_type":"text/x-rst","patch_set":7,"id":"a89c65e3_833bfb4e","line":162,"in_reply_to":"43cb66e5_591c89d8","updated":"2021-11-04 14:07:19.000000000","message":"Done","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"2c8f666d0888c5ed17fcda4d1bad3cacb12fcba5","unresolved":false,"context_lines":[{"line_number":159,"context_line":"   - Denoted by someone with the ``admin`` role on the ``system``"},{"line_number":160,"context_line":"   - Intended for operators or support personnel"},{"line_number":161,"context_line":"   - Not intended for end users"},{"line_number":162,"context_line":"   - Can operate on project-specific resources with the proper access"},{"line_number":163,"context_line":"   - *Add or delete services and endpoints*"},{"line_number":164,"context_line":"   - *Create new volume types*"},{"line_number":165,"context_line":"   - *Create or delete HSM transport 
keys*"}],"source_content_type":"text/x-rst","patch_set":7,"id":"d03e87b7_d13557f1","line":162,"in_reply_to":"8e5410a4_eca3dda7","updated":"2021-11-04 16:27:30.000000000","message":"We discussed this in the meeting and it\u0027s just poorly-worded, so I think we\u0027re all on the same page here and it\u0027ll be updated soon.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"f6851e4306e297306ab2cfa69136874e073b9f5b","unresolved":true,"context_lines":[{"line_number":159,"context_line":"   - Denoted by someone with the ``admin`` role on the ``system``"},{"line_number":160,"context_line":"   - Intended for operators or support personnel"},{"line_number":161,"context_line":"   - Not intended for end users"},{"line_number":162,"context_line":"   - Can operate on project-specific resources with the proper access"},{"line_number":163,"context_line":"   - *Add or delete services and endpoints*"},{"line_number":164,"context_line":"   - *Create new volume types*"},{"line_number":165,"context_line":"   - *Create or delete HSM transport keys*"}],"source_content_type":"text/x-rst","patch_set":7,"id":"2b55afca_f532567f","line":162,"in_reply_to":"9a0c480d_3953a5b4","updated":"2021-11-03 15:03:32.000000000","message":"You know what, I think this is the basis of all our confusion.\n\nWhen trying to access a project scoped resource, we are saying you need a project scoped token.\n\nBefore I had wrongly assumed system admin tokens could monkey around with project scoped resources.\n\nThe above was because I wanted to keep the operator experience the same, howerver I think the existing one token to hurt everything was really a bug, we probably want operators to explicity request which project they want to modify. You probably want system scope admin to be able to list all instances, indeed I think System reader should. 
But probably nothing else.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"a79757efaba54172d640ea3e904630c5da242bd4","unresolved":false,"context_lines":[{"line_number":159,"context_line":"   - Denoted by someone with the ``admin`` role on the ``system``"},{"line_number":160,"context_line":"   - Intended for operators or support personnel"},{"line_number":161,"context_line":"   - Not intended for end users"},{"line_number":162,"context_line":"   - Can operate on project-specific resources with the proper access"},{"line_number":163,"context_line":"   - *Add or delete services and endpoints*"},{"line_number":164,"context_line":"   - *Create new volume types*"},{"line_number":165,"context_line":"   - *Create or delete HSM transport keys*"}],"source_content_type":"text/x-rst","patch_set":7,"id":"8e5410a4_eca3dda7","line":162,"in_reply_to":"a89c65e3_833bfb4e","updated":"2021-11-04 14:58:03.000000000","message":"i guess there is another version that i should review after i finish with v7 but i also though we were goign to do this differently.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"a79757efaba54172d640ea3e904630c5da242bd4","unresolved":true,"context_lines":[{"line_number":181,"context_line":""},{"line_number":182,"context_line":"- Project Admin"},{"line_number":183,"context_line":"   - Denoted by someone with the ``admin`` role on a project"},{"line_number":184,"context_line":"   - Intended for operators who need elevated privilege on project resources"},{"line_number":185,"context_line":"   - Not intended for end users"},{"line_number":186,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":187,"context_line":"   - *Forcibly deleting an application 
stack*"}],"source_content_type":"text/x-rst","patch_set":7,"id":"b275b561_f34517d9","line":184,"range":{"start_line":184,"start_character":5,"end_line":184,"end_character":76},"updated":"2021-11-04 14:58:03.000000000","message":"that is not how Project admin is defiend today within nova.\nproject admin is intended for endusers that have some elevaged permissions like that ablity to boot to a specific host.\n\nfrom the discussion we had at the ptg we also suggested avoidign this term entirly going forward and usign a new project manager term instead.\n\nthat project manager persona would not have the admin role at all but the new manager role you note below.\n\nso i think we shoudl nto contiue to specify the project admin as part of the comunity goal and instead shoudl replace it with the new proejct manager persona.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"721871cd4adc8abab4494ccf7438ce90dbfdb509","unresolved":true,"context_lines":[{"line_number":181,"context_line":""},{"line_number":182,"context_line":"- Project Admin"},{"line_number":183,"context_line":"   - Denoted by someone with the ``admin`` role on a project"},{"line_number":184,"context_line":"   - Intended for operators who need elevated privilege on project resources"},{"line_number":185,"context_line":"   - Not intended for end users"},{"line_number":186,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":187,"context_line":"   - *Forcibly deleting an application stack*"}],"source_content_type":"text/x-rst","patch_set":7,"id":"320822f0_efef8911","line":184,"range":{"start_line":184,"start_character":5,"end_line":184,"end_character":76},"in_reply_to":"04dbd703_b1a5c932","updated":"2021-11-04 17:42:10.000000000","message":"I understand the frustration caused by the ambiguity of using the term \"admin\" for a decade and how it\u0027s caused a lot 
of confusion. I think what we have here is being more specific about what we think a project-admin is and what they can do.\n\nI agree that re-using project-admin, even if it does require resetting our expectations and thoroughly documenting them, is less work than omitting it altogether in favor of something else. To me, that seems like an easier path forward than introducing another alias and then trying to educate users about that.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"2c8f666d0888c5ed17fcda4d1bad3cacb12fcba5","unresolved":true,"context_lines":[{"line_number":181,"context_line":""},{"line_number":182,"context_line":"- Project Admin"},{"line_number":183,"context_line":"   - Denoted by someone with the ``admin`` role on a project"},{"line_number":184,"context_line":"   - Intended for operators who need elevated privilege on project resources"},{"line_number":185,"context_line":"   - Not intended for end users"},{"line_number":186,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":187,"context_line":"   - *Forcibly deleting an application stack*"}],"source_content_type":"text/x-rst","patch_set":7,"id":"04dbd703_b1a5c932","line":184,"range":{"start_line":184,"start_character":5,"end_line":184,"end_character":76},"in_reply_to":"b275b561_f34517d9","updated":"2021-11-04 16:27:30.000000000","message":"Where we landed was that removing admin terminology, while perhaps appropriate, would be a ton of work. The conversation ended with a goal of creating a \"manager\" role to house the \"slightly elevated permissions\" person that we previously called \"project admin\" and reserve admin for actual operator-y things.\n\nI think the benefit there is that currently \"admin\" means \"operator-level privilege\" and a user able to do very scary things. 
The previous approach of redefining \"project admin\" as \"actually some end-user person\" is more of a change and harder to communicate properly to people used to having admin mean \"god\". Thus the manager role being that new thing and continuing to use \"admin\" for operator-level power (even if restricted to one project) maps today and tomorrow much more closely.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"a79757efaba54172d640ea3e904630c5da242bd4","unresolved":true,"context_lines":[{"line_number":212,"context_line":"Stretch goal(s)"},{"line_number":213,"context_line":"---------------"},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"#. Create a new role in the hierarchy called ``manager``"},{"line_number":216,"context_line":"#. Update any applicable policies targeted for project-admin to project-manager"},{"line_number":217,"context_line":"   (set default volume type for project, force reboot instance)"},{"line_number":218,"context_line":"#. 
Implement domain support into each service (the ``--all-projects`` flag"}],"source_content_type":"text/x-rst","patch_set":7,"id":"bc040c66_929137de","line":215,"range":{"start_line":215,"start_character":3,"end_line":215,"end_character":56},"updated":"2021-11-04 14:58:03.000000000","message":"i think we also talked about ccreatin a new standard service role that indiviutal opentack service would have for cross service interaction that are system_admin or the legacy gloabl admin today.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"2c8f666d0888c5ed17fcda4d1bad3cacb12fcba5","unresolved":true,"context_lines":[{"line_number":212,"context_line":"Stretch goal(s)"},{"line_number":213,"context_line":"---------------"},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"#. Create a new role in the hierarchy called ``manager``"},{"line_number":216,"context_line":"#. Update any applicable policies targeted for project-admin to project-manager"},{"line_number":217,"context_line":"   (set default volume type for project, force reboot instance)"},{"line_number":218,"context_line":"#. Implement domain support into each service (the ``--all-projects`` flag"}],"source_content_type":"text/x-rst","patch_set":7,"id":"bdcf7b5d_db1e94fb","line":215,"range":{"start_line":215,"start_character":3,"end_line":215,"end_character":56},"in_reply_to":"bc040c66_929137de","updated":"2021-11-04 16:27:30.000000000","message":"I don\u0027t remember discussing this (at length) but it may very well be a useful thing. 
I think more discussion would be needed before we put it in stretch goals, but maybe we could chuck it into future?","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"721871cd4adc8abab4494ccf7438ce90dbfdb509","unresolved":true,"context_lines":[{"line_number":212,"context_line":"Stretch goal(s)"},{"line_number":213,"context_line":"---------------"},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"#. Create a new role in the hierarchy called ``manager``"},{"line_number":216,"context_line":"#. Update any applicable policies targeted for project-admin to project-manager"},{"line_number":217,"context_line":"   (set default volume type for project, force reboot instance)"},{"line_number":218,"context_line":"#. Implement domain support into each service (the ``--all-projects`` flag"}],"source_content_type":"text/x-rst","patch_set":7,"id":"a71bfd97_f0074376","line":215,"range":{"start_line":215,"start_character":3,"end_line":215,"end_character":56},"in_reply_to":"bdcf7b5d_db1e94fb","updated":"2021-11-04 17:42:10.000000000","message":"I think we had a bunch of good ideas fall out of the PTG discussions, and I\u0027m still working to get them on paper in a way that doesn\u0027t scare people away or cause us to lose focus on what\u0027s important for Yoga.\n\nI can put that here, I\u0027m just not sure if it\u0027s the most appropriate place for it. 
I\u0027m open to suggestions here.","commit_id":"0ff5b42b8eb5c64cdc416c384e70488919ecc048"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"38ff27d8b635910931b6bed91cd9ab83b3cc457f","unresolved":true,"context_lines":[{"line_number":264,"context_line":""},{"line_number":265,"context_line":"At this point, any remaining policies that are not either project-scoped or"},{"line_number":266,"context_line":"system-scoped should have a valid use case for interacting with both scopes."},{"line_number":267,"context_line":""},{"line_number":268,"context_line":"Enhance python-openstackclient"},{"line_number":269,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":270,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"701c8c62_9cf1c845","line":267,"updated":"2021-11-04 18:36:50.000000000","message":"Need to figure out a good example here and I\u0027ll update. One came up in the call yesterday...","commit_id":"cf166b2c626d705b3a2728a763d2b2d6ab93f663"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"6989bb355fe18fca2f664b057c9cd5487812199d","unresolved":true,"context_lines":[{"line_number":368,"context_line":"   returns all resources, like instances, in a domain)"},{"line_number":369,"context_line":""},{"line_number":370,"context_line":"The stretch goals would enable another useful persona for operators to give to"},{"line_number":371,"context_line":"their end users. 
This persona would use the ``manager`` role and it\u0027s place in"},{"line_number":372,"context_line":"the hierarchy would sit in-between the ``admin`` role and the ``member`` role."},{"line_number":373,"context_line":"Applying it to project scope would result in the following behaviors:"},{"line_number":374,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"b87e268b_e3c5eca3","line":371,"range":{"start_line":371,"start_character":67,"end_line":371,"end_character":68},"updated":"2021-11-04 19:36:37.000000000","message":"its*","commit_id":"cf166b2c626d705b3a2728a763d2b2d6ab93f663"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f27d45be9502bc9bac5b563190ca3de1ebc7fcad","unresolved":false,"context_lines":[{"line_number":368,"context_line":"   returns all resources, like instances, in a domain)"},{"line_number":369,"context_line":""},{"line_number":370,"context_line":"The stretch goals would enable another useful persona for operators to give to"},{"line_number":371,"context_line":"their end users. 
This persona would use the ``manager`` role and it\u0027s place in"},{"line_number":372,"context_line":"the hierarchy would sit in-between the ``admin`` role and the ``member`` role."},{"line_number":373,"context_line":"Applying it to project scope would result in the following behaviors:"},{"line_number":374,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"eb3f603e_156f1b0c","line":371,"range":{"start_line":371,"start_character":67,"end_line":371,"end_character":68},"in_reply_to":"b87e268b_e3c5eca3","updated":"2021-11-05 20:34:48.000000000","message":"Done","commit_id":"cf166b2c626d705b3a2728a763d2b2d6ab93f663"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"38ff27d8b635910931b6bed91cd9ab83b3cc457f","unresolved":true,"context_lines":[{"line_number":382,"context_line":""},{"line_number":383,"context_line":"Future goals"},{"line_number":384,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":385,"context_line":""},{"line_number":386,"context_line":"Existing policy defaults suffer from three major faults:"},{"line_number":387,"context_line":""},{"line_number":388,"context_line":"#. The admin-ness problem: use of policy rules like \u0027is_admin\u0027 or hard-coded"}],"source_content_type":"text/x-rst","patch_set":8,"id":"9c7476f3_135db485","line":385,"updated":"2021-11-04 18:36:50.000000000","message":"This section needs to get filled out. 
There are a bunch of good things that came up over the last few weeks, some of them were things we\u0027ve tried in the past, but we\u0027re in a better place to do them now.\n\nI\u0027d like to capture them somewhere, I\u0027m just not sure if this is the right place for it?","commit_id":"cf166b2c626d705b3a2728a763d2b2d6ab93f663"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f27d45be9502bc9bac5b563190ca3de1ebc7fcad","unresolved":false,"context_lines":[{"line_number":382,"context_line":""},{"line_number":383,"context_line":"Future goals"},{"line_number":384,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":385,"context_line":""},{"line_number":386,"context_line":"Existing policy defaults suffer from three major faults:"},{"line_number":387,"context_line":""},{"line_number":388,"context_line":"#. The admin-ness problem: use of policy rules like \u0027is_admin\u0027 or hard-coded"}],"source_content_type":"text/x-rst","patch_set":8,"id":"a7976651_a4047091","line":385,"in_reply_to":"9c7476f3_135db485","updated":"2021-11-05 20:34:48.000000000","message":"Removing this for now - I can propose a follow up with these details.","commit_id":"cf166b2c626d705b3a2728a763d2b2d6ab93f663"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"8c526ddfce03ab9d5733f701afbb708608643924","unresolved":true,"context_lines":[{"line_number":385,"context_line":""},{"line_number":386,"context_line":"Existing policy defaults suffer from three major faults:"},{"line_number":387,"context_line":""},{"line_number":388,"context_line":"#. 
The admin-ness problem: use of policy rules like \u0027is_admin\u0027 or hard-coded"},{"line_number":389,"context_line":"   is-admin checks results in the admin-anywhere-admin-everywhere problem and"},{"line_number":390,"context_line":"   drastically inhibits true multi-tenancy since by default customers cannot"},{"line_number":391,"context_line":"   have admin rights on their own projects or domains."},{"line_number":392,"context_line":""},{"line_number":393,"context_line":"#. Insecure custom roles: many policy rules simply use \"\" as the rule, which"},{"line_number":394,"context_line":"   means there is no rule: anyone can perform that action. This means creation"}],"source_content_type":"text/x-rst","patch_set":8,"id":"63993316_d26bc3e4","line":391,"range":{"start_line":388,"start_character":0,"end_line":391,"end_character":54},"updated":"2021-11-05 20:33:30.000000000","message":"This is summarized on line 29","commit_id":"cf166b2c626d705b3a2728a763d2b2d6ab93f663"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f27d45be9502bc9bac5b563190ca3de1ebc7fcad","unresolved":false,"context_lines":[{"line_number":385,"context_line":""},{"line_number":386,"context_line":"Existing policy defaults suffer from three major faults:"},{"line_number":387,"context_line":""},{"line_number":388,"context_line":"#. The admin-ness problem: use of policy rules like \u0027is_admin\u0027 or hard-coded"},{"line_number":389,"context_line":"   is-admin checks results in the admin-anywhere-admin-everywhere problem and"},{"line_number":390,"context_line":"   drastically inhibits true multi-tenancy since by default customers cannot"},{"line_number":391,"context_line":"   have admin rights on their own projects or domains."},{"line_number":392,"context_line":""},{"line_number":393,"context_line":"#. 
Insecure custom roles: many policy rules simply use \"\" as the rule, which"},{"line_number":394,"context_line":"   means there is no rule: anyone can perform that action. This means creation"}],"source_content_type":"text/x-rst","patch_set":8,"id":"047d9f44_637600bf","line":391,"range":{"start_line":388,"start_character":0,"end_line":391,"end_character":54},"in_reply_to":"63993316_d26bc3e4","updated":"2021-11-05 20:34:48.000000000","message":"Done","commit_id":"cf166b2c626d705b3a2728a763d2b2d6ab93f663"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"8c526ddfce03ab9d5733f701afbb708608643924","unresolved":true,"context_lines":[{"line_number":389,"context_line":"   is-admin checks results in the admin-anywhere-admin-everywhere problem and"},{"line_number":390,"context_line":"   drastically inhibits true multi-tenancy since by default customers cannot"},{"line_number":391,"context_line":"   have admin rights on their own projects or domains."},{"line_number":392,"context_line":""},{"line_number":393,"context_line":"#. Insecure custom roles: many policy rules simply use \"\" as the rule, which"},{"line_number":394,"context_line":"   means there is no rule: anyone can perform that action. This means creation"},{"line_number":395,"context_line":"   of a custom role (say, \"nova-autoscaler\" requires editing every policy file"},{"line_number":396,"context_line":"   across every service to block users with such a rule from performing actions"},{"line_number":397,"context_line":"   unrelated to their role"},{"line_number":398,"context_line":""},{"line_number":399,"context_line":"#. 
Related to #2, no support for read-only roles: keystone now has a \"reader\""},{"line_number":400,"context_line":"   role that comes out of the box when keystone is bootstrapped, but it"}],"source_content_type":"text/x-rst","patch_set":8,"id":"10f0eedf_199c0ccb","line":397,"range":{"start_line":392,"start_character":0,"end_line":397,"end_character":26},"updated":"2021-11-05 20:33:30.000000000","message":"Pulled this bit up to the problem summary","commit_id":"cf166b2c626d705b3a2728a763d2b2d6ab93f663"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f27d45be9502bc9bac5b563190ca3de1ebc7fcad","unresolved":false,"context_lines":[{"line_number":389,"context_line":"   is-admin checks results in the admin-anywhere-admin-everywhere problem and"},{"line_number":390,"context_line":"   drastically inhibits true multi-tenancy since by default customers cannot"},{"line_number":391,"context_line":"   have admin rights on their own projects or domains."},{"line_number":392,"context_line":""},{"line_number":393,"context_line":"#. Insecure custom roles: many policy rules simply use \"\" as the rule, which"},{"line_number":394,"context_line":"   means there is no rule: anyone can perform that action. This means creation"},{"line_number":395,"context_line":"   of a custom role (say, \"nova-autoscaler\" requires editing every policy file"},{"line_number":396,"context_line":"   across every service to block users with such a rule from performing actions"},{"line_number":397,"context_line":"   unrelated to their role"},{"line_number":398,"context_line":""},{"line_number":399,"context_line":"#. 
Related to #2, no support for read-only roles: keystone now has a \"reader\""},{"line_number":400,"context_line":"   role that comes out of the box when keystone is bootstrapped, but it"}],"source_content_type":"text/x-rst","patch_set":8,"id":"6d161930_06f2b034","line":397,"range":{"start_line":392,"start_character":0,"end_line":397,"end_character":26},"in_reply_to":"10f0eedf_199c0ccb","updated":"2021-11-05 20:34:48.000000000","message":"Done","commit_id":"cf166b2c626d705b3a2728a763d2b2d6ab93f663"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"8c526ddfce03ab9d5733f701afbb708608643924","unresolved":true,"context_lines":[{"line_number":396,"context_line":"   across every service to block users with such a rule from performing actions"},{"line_number":397,"context_line":"   unrelated to their role"},{"line_number":398,"context_line":""},{"line_number":399,"context_line":"#. Related to #2, no support for read-only roles: keystone now has a \"reader\""},{"line_number":400,"context_line":"   role that comes out of the box when keystone is bootstrapped, but it"},{"line_number":401,"context_line":"   currently has very little value because of the use of empty rules in service"},{"line_number":402,"context_line":"   policies: users with the \"reader\" role can still perform write actions on"},{"line_number":403,"context_line":"   services if the policy rule for such an action is empty."},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"To solve the above issues, Keystone comes with member, admin and reader roles."},{"line_number":406,"context_line":"OpenStack Services should use `these default roles"}],"source_content_type":"text/x-rst","patch_set":8,"id":"eb356877_f5a40c34","line":403,"range":{"start_line":399,"start_character":0,"end_line":403,"end_character":59},"updated":"2021-11-05 20:33:30.000000000","message":"Pulled this up to the problem statement 
above","commit_id":"cf166b2c626d705b3a2728a763d2b2d6ab93f663"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f27d45be9502bc9bac5b563190ca3de1ebc7fcad","unresolved":false,"context_lines":[{"line_number":396,"context_line":"   across every service to block users with such a rule from performing actions"},{"line_number":397,"context_line":"   unrelated to their role"},{"line_number":398,"context_line":""},{"line_number":399,"context_line":"#. Related to #2, no support for read-only roles: keystone now has a \"reader\""},{"line_number":400,"context_line":"   role that comes out of the box when keystone is bootstrapped, but it"},{"line_number":401,"context_line":"   currently has very little value because of the use of empty rules in service"},{"line_number":402,"context_line":"   policies: users with the \"reader\" role can still perform write actions on"},{"line_number":403,"context_line":"   services if the policy rule for such an action is empty."},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"To solve the above issues, Keystone comes with member, admin and reader roles."},{"line_number":406,"context_line":"OpenStack Services should use `these default roles"}],"source_content_type":"text/x-rst","patch_set":8,"id":"0c122503_d3fe1e51","line":403,"range":{"start_line":399,"start_character":0,"end_line":403,"end_character":59},"in_reply_to":"eb356877_f5a40c34","updated":"2021-11-05 20:34:48.000000000","message":"Done","commit_id":"cf166b2c626d705b3a2728a763d2b2d6ab93f663"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"8c526ddfce03ab9d5733f701afbb708608643924","unresolved":true,"context_lines":[{"line_number":402,"context_line":"   policies: users with the \"reader\" role can still perform write actions on"},{"line_number":403,"context_line":"   services if the policy rule for such 
an action is empty."},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"To solve the above issues, Keystone comes with member, admin and reader roles."},{"line_number":406,"context_line":"OpenStack Services should use `these default roles"},{"line_number":407,"context_line":"\u003chttps://docs.openstack.org/keystone/latest/admin/service-api-protection.html\u003e`_"},{"line_number":408,"context_line":""},{"line_number":409,"context_line":"Keystone also implemented a new"},{"line_number":410,"context_line":"`scope \u003chttps://docs.openstack.org/keystone/latest/contributor/services.html#authorization-scopes\u003e`_"},{"line_number":411,"context_line":"specifically designed to protect system-level APIs."},{"line_number":412,"context_line":""},{"line_number":413,"context_line":"Keystone, Nova and many other projects have migrated their default"},{"line_number":414,"context_line":"policies to:"}],"source_content_type":"text/x-rst","patch_set":8,"id":"a8548a57_690052b8","line":411,"range":{"start_line":405,"start_character":0,"end_line":411,"end_character":51},"updated":"2021-11-05 20:33:30.000000000","message":"These are described in the section after the problem summary","commit_id":"cf166b2c626d705b3a2728a763d2b2d6ab93f663"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f27d45be9502bc9bac5b563190ca3de1ebc7fcad","unresolved":false,"context_lines":[{"line_number":402,"context_line":"   policies: users with the \"reader\" role can still perform write actions on"},{"line_number":403,"context_line":"   services if the policy rule for such an action is empty."},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"To solve the above issues, Keystone comes with member, admin and reader roles."},{"line_number":406,"context_line":"OpenStack Services should use `these default 
roles"},{"line_number":407,"context_line":"\u003chttps://docs.openstack.org/keystone/latest/admin/service-api-protection.html\u003e`_"},{"line_number":408,"context_line":""},{"line_number":409,"context_line":"Keystone also implemented a new"},{"line_number":410,"context_line":"`scope \u003chttps://docs.openstack.org/keystone/latest/contributor/services.html#authorization-scopes\u003e`_"},{"line_number":411,"context_line":"specifically designed to protect system-level APIs."},{"line_number":412,"context_line":""},{"line_number":413,"context_line":"Keystone, Nova and many other projects have migrated their default"},{"line_number":414,"context_line":"policies to:"}],"source_content_type":"text/x-rst","patch_set":8,"id":"09b96948_b89e3411","line":411,"range":{"start_line":405,"start_character":0,"end_line":411,"end_character":51},"in_reply_to":"a8548a57_690052b8","updated":"2021-11-05 20:34:48.000000000","message":"Done","commit_id":"cf166b2c626d705b3a2728a763d2b2d6ab93f663"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"8c526ddfce03ab9d5733f701afbb708608643924","unresolved":true,"context_lines":[{"line_number":410,"context_line":"`scope \u003chttps://docs.openstack.org/keystone/latest/contributor/services.html#authorization-scopes\u003e`_"},{"line_number":411,"context_line":"specifically designed to protect system-level APIs."},{"line_number":412,"context_line":""},{"line_number":413,"context_line":"Keystone, Nova and many other projects have migrated their default"},{"line_number":414,"context_line":"policies to:"},{"line_number":415,"context_line":""},{"line_number":416,"context_line":"#. 
Use oslo.policy\u0027s scope_types attribute, which allows the policy engine"},{"line_number":417,"context_line":"   to understand \"system scope\" and distinguish between an admin role"},{"line_number":418,"context_line":"   assignment on a project versus an admin role assignment on the entire"},{"line_number":419,"context_line":"   system."},{"line_number":420,"context_line":""},{"line_number":421,"context_line":"#. Ensure all rules use one of the default roles (admin, member, and reader),"},{"line_number":422,"context_line":"   which both ensure support for a read-only role and prevent custom roles"},{"line_number":423,"context_line":"   from accidental over-permissiveness."},{"line_number":424,"context_line":""},{"line_number":425,"context_line":"Completed pre-work related to this goal:"},{"line_number":426,"context_line":""},{"line_number":427,"context_line":"* From Rocky to Train cycle, Keystone implemented and migrated their policies"},{"line_number":428,"context_line":"  to new `defaults"},{"line_number":429,"context_line":"  \u003chttps://review.opendev.org/q/topic:%22implement-default-roles%22+(status:open%20OR%20status:merged)\u003e`_"},{"line_number":430,"context_line":"  and `scope_type \u003chttps://review.opendev.org/q/topic:%22add-scope-types%22+(status:open%20OR%20status:merged)\u003e`_"},{"line_number":431,"context_line":""},{"line_number":432,"context_line":"* In the ussuri cycle, Nova migrated their policies to `new RBAC"},{"line_number":433,"context_line":"  \u003chttps://review.opendev.org/q/topic:%22bp%252Fpolicy-defaults-refresh-deprecated-apis%22+(status:open%20OR%20status:merged)\u003e`_"},{"line_number":434,"context_line":""},{"line_number":435,"context_line":"* In the ussuri cycle, we created the `policy popup team \u003chttps://governance.openstack.org/tc/reference/popup-teams.html#secure-default-policies\u003e`_ to trigger this work for more projects."},{"line_number":436,"context_line":""},{"line_number":437,"context_line":"* In the 
victoria cycle, we completed the oslo policy framework to `migrate"},{"line_number":438,"context_line":"  default policy format from JSON to YAML"},{"line_number":439,"context_line":"  `oslo specs \u003chttps://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html\u003e`_"},{"line_number":440,"context_line":""},{"line_number":441,"context_line":"* In the wallaby cycle, we completed the community-wide goal of migrating the"},{"line_number":442,"context_line":"  policy format from JSON to YAML for `all the OpenStack services"},{"line_number":443,"context_line":"  \u003chttp://lists.openstack.org/pipermail/openstack-discuss/2021-June/023327.html\u003e`_"},{"line_number":444,"context_line":""},{"line_number":445,"context_line":"* In the wallaby and xena cycle, many projects completed or started the new RBAC"},{"line_number":446,"context_line":"  work."},{"line_number":447,"context_line":""},{"line_number":448,"context_line":"Refer to the policy pop-up team wiki page for the details:"},{"line_number":449,"context_line":" https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team"},{"line_number":450,"context_line":""},{"line_number":451,"context_line":"Champion"},{"line_number":452,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":8,"id":"be2d0b7d_e4f6e05a","line":449,"range":{"start_line":413,"start_character":0,"end_line":449,"end_character":82},"updated":"2021-11-05 20:33:30.000000000","message":"This is described in the section after the problem summary","commit_id":"cf166b2c626d705b3a2728a763d2b2d6ab93f663"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f27d45be9502bc9bac5b563190ca3de1ebc7fcad","unresolved":false,"context_lines":[{"line_number":410,"context_line":"`scope 
\u003chttps://docs.openstack.org/keystone/latest/contributor/services.html#authorization-scopes\u003e`_"},{"line_number":411,"context_line":"specifically designed to protect system-level APIs."},{"line_number":412,"context_line":""},{"line_number":413,"context_line":"Keystone, Nova and many other projects have migrated their default"},{"line_number":414,"context_line":"policies to:"},{"line_number":415,"context_line":""},{"line_number":416,"context_line":"#. Use oslo.policy\u0027s scope_types attribute, which allows the policy engine"},{"line_number":417,"context_line":"   to understand \"system scope\" and distinguish between an admin role"},{"line_number":418,"context_line":"   assignment on a project versus an admin role assignment on the entire"},{"line_number":419,"context_line":"   system."},{"line_number":420,"context_line":""},{"line_number":421,"context_line":"#. Ensure all rules use one of the default roles (admin, member, and reader),"},{"line_number":422,"context_line":"   which both ensure support for a read-only role and prevent custom roles"},{"line_number":423,"context_line":"   from accidental over-permissiveness."},{"line_number":424,"context_line":""},{"line_number":425,"context_line":"Completed pre-work related to this goal:"},{"line_number":426,"context_line":""},{"line_number":427,"context_line":"* From Rocky to Train cycle, Keystone implemented and migrated their policies"},{"line_number":428,"context_line":"  to new `defaults"},{"line_number":429,"context_line":"  \u003chttps://review.opendev.org/q/topic:%22implement-default-roles%22+(status:open%20OR%20status:merged)\u003e`_"},{"line_number":430,"context_line":"  and `scope_type \u003chttps://review.opendev.org/q/topic:%22add-scope-types%22+(status:open%20OR%20status:merged)\u003e`_"},{"line_number":431,"context_line":""},{"line_number":432,"context_line":"* In the ussuri cycle, Nova migrated their policies to `new RBAC"},{"line_number":433,"context_line":"  
\u003chttps://review.opendev.org/q/topic:%22bp%252Fpolicy-defaults-refresh-deprecated-apis%22+(status:open%20OR%20status:merged)\u003e`_"},{"line_number":434,"context_line":""},{"line_number":435,"context_line":"* In the ussuri cycle, we created the `policy popup team \u003chttps://governance.openstack.org/tc/reference/popup-teams.html#secure-default-policies\u003e`_ to trigger this work for more projects."},{"line_number":436,"context_line":""},{"line_number":437,"context_line":"* In the victoria cycle, we completed the oslo policy framework to `migrate"},{"line_number":438,"context_line":"  default policy format from JSON to YAML"},{"line_number":439,"context_line":"  `oslo specs \u003chttps://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html\u003e`_"},{"line_number":440,"context_line":""},{"line_number":441,"context_line":"* In the wallaby cycle, we completed the community-wide goal of migrating the"},{"line_number":442,"context_line":"  policy format from JSON to YAML for `all the OpenStack services"},{"line_number":443,"context_line":"  \u003chttp://lists.openstack.org/pipermail/openstack-discuss/2021-June/023327.html\u003e`_"},{"line_number":444,"context_line":""},{"line_number":445,"context_line":"* In the wallaby and xena cycle, many projects completed or started the new RBAC"},{"line_number":446,"context_line":"  work."},{"line_number":447,"context_line":""},{"line_number":448,"context_line":"Refer to the policy pop-up team wiki page for the details:"},{"line_number":449,"context_line":" 
https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team"},{"line_number":450,"context_line":""},{"line_number":451,"context_line":"Champion"},{"line_number":452,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":8,"id":"31cd7c31_9d4713f0","line":449,"range":{"start_line":413,"start_character":0,"end_line":449,"end_character":82},"in_reply_to":"be2d0b7d_e4f6e05a","updated":"2021-11-05 20:34:48.000000000","message":"Done","commit_id":"cf166b2c626d705b3a2728a763d2b2d6ab93f663"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"800f54d24d021b67b1ee4c12622a3d7650910ba4","unresolved":true,"context_lines":[{"line_number":193,"context_line":""},{"line_number":194,"context_line":".. code-block:: python"},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"   policy.DocumentedRuleDefault("},{"line_number":197,"context_line":"       name\u003d\u0027os_compute_api:servers:create:forced_host\u0027,"},{"line_number":198,"context_line":"       check_str\u003d\u0027role:admin and project_id:%(project_id)s\u0027,"},{"line_number":199,"context_line":"       scope_types\u003d[\u0027system\u0027, \u0027project\u0027]"},{"line_number":200,"context_line":"   )"},{"line_number":201,"context_line":""},{"line_number":202,"context_line":"Since instances are project-owned resources we want to keep the functionality"},{"line_number":203,"context_line":"isolated to project-scoped tokens. The policy should be updated accordingly:"},{"line_number":204,"context_line":""},{"line_number":205,"context_line":".. 
code-block:: python"},{"line_number":206,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"e32286b3_56312416","line":203,"range":{"start_line":196,"start_character":0,"end_line":203,"end_character":32},"updated":"2021-11-10 22:04:04.000000000","message":"Given we did not intend to allow a system admin to create an instance on behalf of a project, I think including system scope here was just a bug, not the intent.\n\nThe intent of this policy was to allow project admins, which were previously defined as privileged end users (not operators), to create an instance on a specific host.\n\nCreating an instance on behalf of another project would not have been a policy change; it would have required a new API microversion and a spec to specifically add that as a new feature, which was never done or part of the policy work.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1af0650a9d2db0aa8f84c259aa2975f6fefc7d97","unresolved":true,"context_lines":[{"line_number":193,"context_line":""},{"line_number":194,"context_line":".. code-block:: python"},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"   policy.DocumentedRuleDefault("},{"line_number":197,"context_line":"       name\u003d\u0027os_compute_api:servers:create:forced_host\u0027,"},{"line_number":198,"context_line":"       check_str\u003d\u0027role:admin and project_id:%(project_id)s\u0027,"},{"line_number":199,"context_line":"       scope_types\u003d[\u0027system\u0027, \u0027project\u0027]"},{"line_number":200,"context_line":"   )"},{"line_number":201,"context_line":""},{"line_number":202,"context_line":"Since instances are project-owned resources we want to keep the functionality"},{"line_number":203,"context_line":"isolated to project-scoped tokens. The policy should be updated accordingly:"},{"line_number":204,"context_line":""},{"line_number":205,"context_line":".. 
code-block:: python"},{"line_number":206,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"177d02a6_f89099aa","line":203,"range":{"start_line":196,"start_character":0,"end_line":203,"end_character":32},"in_reply_to":"121c11d4_b2df037a","updated":"2021-11-11 17:34:36.000000000","message":"It\u0027s not clear to me if you want me to update the wording or example here.\n\nI think the example does a good job describing what we want to correct moving forward.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"7fbd762be5b49c5704808eaa4a35c3f7fd90524b","unresolved":true,"context_lines":[{"line_number":193,"context_line":""},{"line_number":194,"context_line":".. code-block:: python"},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"   policy.DocumentedRuleDefault("},{"line_number":197,"context_line":"       name\u003d\u0027os_compute_api:servers:create:forced_host\u0027,"},{"line_number":198,"context_line":"       check_str\u003d\u0027role:admin and project_id:%(project_id)s\u0027,"},{"line_number":199,"context_line":"       scope_types\u003d[\u0027system\u0027, \u0027project\u0027]"},{"line_number":200,"context_line":"   )"},{"line_number":201,"context_line":""},{"line_number":202,"context_line":"Since instances are project-owned resources we want to keep the functionality"},{"line_number":203,"context_line":"isolated to project-scoped tokens. The policy should be updated accordingly:"},{"line_number":204,"context_line":""},{"line_number":205,"context_line":".. 
code-block:: python"},{"line_number":206,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"542b9506_6b793bc3","line":203,"range":{"start_line":196,"start_character":0,"end_line":203,"end_character":32},"in_reply_to":"177d02a6_f89099aa","updated":"2021-11-11 18:40:45.000000000","message":"ah no change needed, it is good and additional information is covered @L213 which is great.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"cc934b42a995d200bebc6ba54d5603fa18dae475","unresolved":true,"context_lines":[{"line_number":193,"context_line":""},{"line_number":194,"context_line":".. code-block:: python"},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"   policy.DocumentedRuleDefault("},{"line_number":197,"context_line":"       name\u003d\u0027os_compute_api:servers:create:forced_host\u0027,"},{"line_number":198,"context_line":"       check_str\u003d\u0027role:admin and project_id:%(project_id)s\u0027,"},{"line_number":199,"context_line":"       scope_types\u003d[\u0027system\u0027, \u0027project\u0027]"},{"line_number":200,"context_line":"   )"},{"line_number":201,"context_line":""},{"line_number":202,"context_line":"Since instances are project-owned resources we want to keep the functionality"},{"line_number":203,"context_line":"isolated to project-scoped tokens. The policy should be updated accordingly:"},{"line_number":204,"context_line":""},{"line_number":205,"context_line":".. 
code-block:: python"},{"line_number":206,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"121c11d4_b2df037a","line":203,"range":{"start_line":196,"start_character":0,"end_line":203,"end_character":32},"in_reply_to":"e32286b3_56312416","updated":"2021-11-10 23:31:20.000000000","message":"yeah, with new design we will ask project admin to get host info and boot server on. This was one of the open things we kept and with system and project scoped.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"800f54d24d021b67b1ee4c12622a3d7650910ba4","unresolved":true,"context_lines":[{"line_number":204,"context_line":""},{"line_number":205,"context_line":".. code-block:: python"},{"line_number":206,"context_line":""},{"line_number":207,"context_line":"   policy.DocumentedRuleDefault("},{"line_number":208,"context_line":"       name\u003d\u0027os_compute_api:servers:create:forced_host\u0027,"},{"line_number":209,"context_line":"       check_str\u003d\u0027role:admin and project_id:%(project_id)s\u0027,"},{"line_number":210,"context_line":"       scope_types\u003d[\u0027project\u0027]"},{"line_number":211,"context_line":"   )"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"This will only allow operators with a project-scoped token containing the"},{"line_number":214,"context_line":"``admin`` role to perform targeted. 
If or when nova sanitizes hypervisor"}],"source_content_type":"text/x-rst","patch_set":10,"id":"7cb7b6e8_95df870c","line":211,"range":{"start_line":207,"start_character":0,"end_line":211,"end_character":4},"updated":"2021-11-10 22:04:04.000000000","message":"Yes, this is what it should be, but as I said above, that is because the inclusion of system scope above was a bug.\n\nWe don\u0027t support creating an instance on behalf of another project as an admin today with the old policy, and that functionality cannot be introduced with a policy change. So even if the inclusion of system scope enabled that to work, it would not be a supported use of the Nova API; it would be a bug.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1af0650a9d2db0aa8f84c259aa2975f6fefc7d97","unresolved":true,"context_lines":[{"line_number":204,"context_line":""},{"line_number":205,"context_line":".. code-block:: python"},{"line_number":206,"context_line":""},{"line_number":207,"context_line":"   policy.DocumentedRuleDefault("},{"line_number":208,"context_line":"       name\u003d\u0027os_compute_api:servers:create:forced_host\u0027,"},{"line_number":209,"context_line":"       check_str\u003d\u0027role:admin and project_id:%(project_id)s\u0027,"},{"line_number":210,"context_line":"       scope_types\u003d[\u0027project\u0027]"},{"line_number":211,"context_line":"   )"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"This will only allow operators with a project-scoped token containing the"},{"line_number":214,"context_line":"``admin`` role to perform targeted. 
If or when nova sanitizes hypervisor"}],"source_content_type":"text/x-rst","patch_set":10,"id":"84ec8dbd_11efc3a2","line":211,"range":{"start_line":207,"start_character":0,"end_line":211,"end_character":4},"in_reply_to":"7cb7b6e8_95df870c","updated":"2021-11-11 17:34:36.000000000","message":"I think I agree with you here if I understand you correctly. The snippet is only to show what we should work towards with a concrete example.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"800f54d24d021b67b1ee4c12622a3d7650910ba4","unresolved":true,"context_lines":[{"line_number":223,"context_line":"       scope_types\u003d[\u0027project\u0027]"},{"line_number":224,"context_line":"   )"},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"This would push the functionality even closer to end users, making the API more"},{"line_number":227,"context_line":"self-serviceable."},{"line_number":228,"context_line":""},{"line_number":229,"context_line":"Isolate system-specific API policies"},{"line_number":230,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":10,"id":"641ea9b1_9f2f0372","line":227,"range":{"start_line":226,"start_character":0,"end_line":227,"end_character":17},"updated":"2021-11-10 22:04:04.000000000","message":"This was the original intent of the policy change: it was to allow end users that were granted extra privileges as a project admin to boot VMs on specific hosts.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1af0650a9d2db0aa8f84c259aa2975f6fefc7d97","unresolved":true,"context_lines":[{"line_number":223,"context_line":"       scope_types\u003d[\u0027project\u0027]"},{"line_number":224,"context_line":"   
)"},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"This would push the functionality even closer to end users, making the API more"},{"line_number":227,"context_line":"self-serviceable."},{"line_number":228,"context_line":""},{"line_number":229,"context_line":"Isolate system-specific API policies"},{"line_number":230,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":10,"id":"f821c50f_ada86d8c","line":227,"range":{"start_line":226,"start_character":0,"end_line":227,"end_character":17},"in_reply_to":"641ea9b1_9f2f0372","updated":"2021-11-11 17:34:36.000000000","message":"Correct. I want to call out in the goal that the new space for that functionality is going to be at the manager layer, not the admin layer or reasons we discussed during the PTG.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"800f54d24d021b67b1ee4c12622a3d7650910ba4","unresolved":true,"context_lines":[{"line_number":273,"context_line":"Crafting check strings for APIs that interact with multiple scopes"},{"line_number":274,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":275,"context_line":""},{"line_number":276,"context_line":"At this point, any remaining policies that are not either project-scoped or"},{"line_number":277,"context_line":"system-scoped should have a valid use case for interacting with both scopes."},{"line_number":278,"context_line":""},{"line_number":279,"context_line":"Enhance python-openstackclient"},{"line_number":280,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":10,"id":"a8bb9593_6f1a46b8","line":277,"range":{"start_line":276,"start_character":0,"end_line":277,"end_character":76},"updated":"2021-11-10 22:04:04.000000000","message":"an example fo this is the flavor 
api.\n\nFlavor list is an operation that a normal user should be able to do.\n\nIn fact I would argue it should not require any scope to be present, just the reader role.\n\nFlavor creation, deletion and update are system operations.\n\nGET /flavor could be modeled either as having no scope type requirement or as \nscope_types\u003d[\u0027system\u0027, \u0027project\u0027]\n\nThis document seems to mostly ignore domains, but in principle a domain-scoped token should also work here.\n\nPersonally I think scope_types\u003d[] would be more correct in the flavor case, as we just require that you have the reader role.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"aac35e312644ef7aef5a1f402e9bb5061a002ff4","unresolved":true,"context_lines":[{"line_number":273,"context_line":"Crafting check strings for APIs that interact with multiple scopes"},{"line_number":274,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":275,"context_line":""},{"line_number":276,"context_line":"At this point, any remaining policies that are not either project-scoped or"},{"line_number":277,"context_line":"system-scoped should have a valid use case for interacting with both scopes."},{"line_number":278,"context_line":""},{"line_number":279,"context_line":"Enhance python-openstackclient"},{"line_number":280,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":10,"id":"e9d39436_52f2b18f","line":277,"range":{"start_line":276,"start_character":0,"end_line":277,"end_character":76},"in_reply_to":"55eaa412_fff2cd89","updated":"2021-11-11 13:59:07.000000000","message":"oh you are right i was thinking of the extra specs\nhttps://github.com/openstack/nova/blob/master/nova/policies/flavor_extra_specs.py#L24-L37\n\nthey are in the same situation where really its both scopes or no scope 
that are required.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"cc934b42a995d200bebc6ba54d5603fa18dae475","unresolved":true,"context_lines":[{"line_number":273,"context_line":"Crafting check strings for APIs that interact with multiple scopes"},{"line_number":274,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":275,"context_line":""},{"line_number":276,"context_line":"At this point, any remaining policies that are not either project-scoped or"},{"line_number":277,"context_line":"system-scoped should have a valid use case for interacting with both scopes."},{"line_number":278,"context_line":""},{"line_number":279,"context_line":"Enhance python-openstackclient"},{"line_number":280,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":10,"id":"55eaa412_fff2cd89","line":277,"range":{"start_line":276,"start_character":0,"end_line":277,"end_character":76},"in_reply_to":"a8bb9593_6f1a46b8","updated":"2021-11-10 23:31:20.000000000","message":"I do not think we have a policy for GET flavor, which means it is accessible to everyone. 
But if we want to add policy for that for valid reason then yes it can be both reader.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"7fbd762be5b49c5704808eaa4a35c3f7fd90524b","unresolved":true,"context_lines":[{"line_number":273,"context_line":"Crafting check strings for APIs that interact with multiple scopes"},{"line_number":274,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":275,"context_line":""},{"line_number":276,"context_line":"At this point, any remaining policies that are not either project-scoped or"},{"line_number":277,"context_line":"system-scoped should have a valid use case for interacting with both scopes."},{"line_number":278,"context_line":""},{"line_number":279,"context_line":"Enhance python-openstackclient"},{"line_number":280,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":10,"id":"5989d7c9_e887647b","line":277,"range":{"start_line":276,"start_character":0,"end_line":277,"end_character":76},"in_reply_to":"adcd66cc_ea183dee","updated":"2021-11-11 18:40:45.000000000","message":"sure, I think keeping all scope and check_str as @ can work here to protect anyone with unscoped token","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1af0650a9d2db0aa8f84c259aa2975f6fefc7d97","unresolved":true,"context_lines":[{"line_number":273,"context_line":"Crafting check strings for APIs that interact with multiple scopes"},{"line_number":274,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":275,"context_line":""},{"line_number":276,"context_line":"At this point, any remaining policies that are not either 
project-scoped or"},{"line_number":277,"context_line":"system-scoped should have a valid use case for interacting with both scopes."},{"line_number":278,"context_line":""},{"line_number":279,"context_line":"Enhance python-openstackclient"},{"line_number":280,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":10,"id":"adcd66cc_ea183dee","line":277,"range":{"start_line":276,"start_character":0,"end_line":277,"end_character":76},"in_reply_to":"e9d39436_52f2b18f","updated":"2021-11-11 17:34:36.000000000","message":"Yeah, flavors seem like a good example, but it sounds like we need to actually introduce a new policy for that?\n\nIIUC, today operators can\u0027t modify who is allowed to see flavors because there isn\u0027t a policy for it, right?\n\nShould you be allowed to view flavors of a deployment with an unscoped token? My initial reaction is that you shouldn\u0027t be able to and that you should either have a system, domain, or project token to see that information. 
I\u0027m inclined to say:\n\n  scope_types\u003d[\u0027system\u0027, \u0027domain\u0027, \u0027project\u0027]","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"800f54d24d021b67b1ee4c12622a3d7650910ba4","unresolved":true,"context_lines":[{"line_number":279,"context_line":"Enhance python-openstackclient"},{"line_number":280,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":281,"context_line":""},{"line_number":282,"context_line":"Since we\u0027re now drawing a firm line between administrative actions performed on"},{"line_number":283,"context_line":"project and system resources, we could help operators by enhancing"},{"line_number":284,"context_line":"python-openstackclient to resolve the project a resource is in and get a token"},{"line_number":285,"context_line":"scoped to that project before doing the operation. The following are the"},{"line_number":286,"context_line":"highest priority workflows to target for the Yoga release, assuming the"},{"line_number":287,"context_line":"operation is invoked with a system-scoped token:"},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"#. Reboot an instance"},{"line_number":290,"context_line":"#. 
Live migrate an instance"},{"line_number":291,"context_line":""},{"line_number":292,"context_line":"How operators opt into the new functionality"},{"line_number":293,"context_line":"--------------------------------------------"}],"source_content_type":"text/x-rst","patch_set":10,"id":"852d4d26_994cd8e4","line":290,"range":{"start_line":282,"start_character":1,"end_line":290,"end_character":27},"updated":"2021-11-10 22:04:04.000000000","message":"i dont realy think doing this client side is suficent.\n\nsince there is no programable way to detach the configure policy or the use of system  scops via the api it would be an api breakage if there was no way to simple generat a project socpt token automatical form keystone using your admin user.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1af0650a9d2db0aa8f84c259aa2975f6fefc7d97","unresolved":true,"context_lines":[{"line_number":279,"context_line":"Enhance python-openstackclient"},{"line_number":280,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":281,"context_line":""},{"line_number":282,"context_line":"Since we\u0027re now drawing a firm line between administrative actions performed on"},{"line_number":283,"context_line":"project and system resources, we could help operators by enhancing"},{"line_number":284,"context_line":"python-openstackclient to resolve the project a resource is in and get a token"},{"line_number":285,"context_line":"scoped to that project before doing the operation. The following are the"},{"line_number":286,"context_line":"highest priority workflows to target for the Yoga release, assuming the"},{"line_number":287,"context_line":"operation is invoked with a system-scoped token:"},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"#. Reboot an instance"},{"line_number":290,"context_line":"#. 
Live migrate an instance"},{"line_number":291,"context_line":""},{"line_number":292,"context_line":"How operators opt into the new functionality"},{"line_number":293,"context_line":"--------------------------------------------"}],"source_content_type":"text/x-rst","patch_set":10,"id":"d68fa8ab_84367ccb","line":290,"range":{"start_line":282,"start_character":1,"end_line":290,"end_character":27},"in_reply_to":"852d4d26_994cd8e4","updated":"2021-11-11 17:34:36.000000000","message":"So I understand correctly, you\u0027re proposing that operators should:\n\n 1. Find the project for the instance they want to force reset state on\n 2. Trade their system-scope token for a project-scoped token in keystone\n 3. Call nova to reset state with the project token\n\nThe operator still needs to get a token scoped to the project they want to work within, so they still need to change behavior, right?","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"800f54d24d021b67b1ee4c12622a3d7650910ba4","unresolved":true,"context_lines":[{"line_number":299,"context_line":"  enforce_new_defaults\u003dTrue"},{"line_number":300,"context_line":"  enforce_scope\u003dTrue"},{"line_number":301,"context_line":""},{"line_number":302,"context_line":"For increased usability, operators could bootstrap their team with inherited"},{"line_number":303,"context_line":"role assignments on each domain, making it easier for operators to get"},{"line_number":304,"context_line":"project-scoped tokens for each project in the deployment::"},{"line_number":305,"context_line":""},{"line_number":306,"context_line":"  $ openstack role add --os-cloud system-admin --user 2c0865 --domain foo --inherited reader"},{"line_number":307,"context_line":"  $ openstack role add  --os-cloud system-admin --group b3dbc2 --domain foo --inherited 
admin"},{"line_number":308,"context_line":""},{"line_number":309,"context_line":"This configuration will enable the following personas, described as follows:"},{"line_number":310,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"1ecc5ed3_35a800ac","line":307,"range":{"start_line":302,"start_character":0,"end_line":307,"end_character":93},"updated":"2021-11-10 22:04:04.000000000","message":"for this not to be a serious usablity regression in think the root domain of all domains would have to be exposed in keystone.\n\nwhile its likely fair to say that operators that find this too combersome will simply not enable this feature i dont see a way for us to enable this by default until we modify keystone.\nas a result i find it hard to move forward with this goal with our an approved keystone spec.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1af0650a9d2db0aa8f84c259aa2975f6fefc7d97","unresolved":true,"context_lines":[{"line_number":299,"context_line":"  enforce_new_defaults\u003dTrue"},{"line_number":300,"context_line":"  enforce_scope\u003dTrue"},{"line_number":301,"context_line":""},{"line_number":302,"context_line":"For increased usability, operators could bootstrap their team with inherited"},{"line_number":303,"context_line":"role assignments on each domain, making it easier for operators to get"},{"line_number":304,"context_line":"project-scoped tokens for each project in the deployment::"},{"line_number":305,"context_line":""},{"line_number":306,"context_line":"  $ openstack role add --os-cloud system-admin --user 2c0865 --domain foo --inherited reader"},{"line_number":307,"context_line":"  $ openstack role add  --os-cloud system-admin --group b3dbc2 --domain foo --inherited admin"},{"line_number":308,"context_line":""},{"line_number":309,"context_line":"This configuration will enable the following 
personas, described as follows:"},{"line_number":310,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"90ef0558_e22fdad7","line":307,"range":{"start_line":302,"start_character":0,"end_line":307,"end_character":93},"in_reply_to":"1ecc5ed3_35a800ac","updated":"2021-11-11 17:34:36.000000000","message":"Well, right now the usability is that operators can do anything anywhere with their big hammer. That usability pattern is ultimately a security concern, and it\u0027s a contributing factor in why we\u0027re doing this work.\n\nI fully expect there to be some usability differences since we\u0027re trying to fix a security concern that keeps OpenStack out of security-focused organizations.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"800f54d24d021b67b1ee4c12622a3d7650910ba4","unresolved":true,"context_lines":[{"line_number":324,"context_line":""},{"line_number":325,"context_line":"- System Member"},{"line_number":326,"context_line":"   - Denoted by someone with the ``member`` role on the ``system``"},{"line_number":327,"context_line":"   - Intended for operators or lab technicians"},{"line_number":328,"context_line":"   - Not intended for end users"},{"line_number":329,"context_line":"   - *Manage hypervisors and aggregates*"},{"line_number":330,"context_line":"   - *Manage resources in placement*"}],"source_content_type":"text/x-rst","patch_set":10,"id":"e024d991_f07521a1","line":327,"range":{"start_line":327,"start_character":5,"end_line":327,"end_character":46},"updated":"2021-11-10 22:04:04.000000000","message":"this feels odd to me as really i had alwasy tought of System Member as the role a openstack service user like nova or neutron should have in the absance of a stanard service role.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":11604,"name":"sean 
mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"aac35e312644ef7aef5a1f402e9bb5061a002ff4","unresolved":true,"context_lines":[{"line_number":324,"context_line":""},{"line_number":325,"context_line":"- System Member"},{"line_number":326,"context_line":"   - Denoted by someone with the ``member`` role on the ``system``"},{"line_number":327,"context_line":"   - Intended for operators or lab technicians"},{"line_number":328,"context_line":"   - Not intended for end users"},{"line_number":329,"context_line":"   - *Manage hypervisors and aggregates*"},{"line_number":330,"context_line":"   - *Manage resources in placement*"}],"source_content_type":"text/x-rst","patch_set":10,"id":"7962293e_73e621d0","line":327,"range":{"start_line":327,"start_character":5,"end_line":327,"end_character":46},"in_reply_to":"372c3589_5e7a406c","updated":"2021-11-11 13:59:07.000000000","message":"yep one exampel of this would be neutron port binding.\n\nright now we require admin for that but really that shoudl be used only by nova/ironic/zun so the service role woudl be better then admin\n\nwe could make admin imply service if we wanted for backward compatiblity but another exampel of an admin only api that reallly is service onloy is novas external events api.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1af0650a9d2db0aa8f84c259aa2975f6fefc7d97","unresolved":true,"context_lines":[{"line_number":324,"context_line":""},{"line_number":325,"context_line":"- System Member"},{"line_number":326,"context_line":"   - Denoted by someone with the ``member`` role on the ``system``"},{"line_number":327,"context_line":"   - Intended for operators or lab technicians"},{"line_number":328,"context_line":"   - Not intended for end users"},{"line_number":329,"context_line":"   - *Manage hypervisors and 
aggregates*"},{"line_number":330,"context_line":"   - *Manage resources in placement*"}],"source_content_type":"text/x-rst","patch_set":10,"id":"4edf9620_5579eb45","line":327,"range":{"start_line":327,"start_character":5,"end_line":327,"end_character":46},"in_reply_to":"7962293e_73e621d0","updated":"2021-11-11 17:34:36.000000000","message":"Yep - agreed. I think we could document that as a future improvement and write up a keystone spec for that work.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"294dfbcf4f3c8aaee5be2db23977f89f13aeffe0","unresolved":true,"context_lines":[{"line_number":324,"context_line":""},{"line_number":325,"context_line":"- System Member"},{"line_number":326,"context_line":"   - Denoted by someone with the ``member`` role on the ``system``"},{"line_number":327,"context_line":"   - Intended for operators or lab technicians"},{"line_number":328,"context_line":"   - Not intended for end users"},{"line_number":329,"context_line":"   - *Manage hypervisors and aggregates*"},{"line_number":330,"context_line":"   - *Manage resources in placement*"}],"source_content_type":"text/x-rst","patch_set":10,"id":"372c3589_5e7a406c","line":327,"range":{"start_line":327,"start_character":5,"end_line":327,"end_character":46},"in_reply_to":"e024d991_f07521a1","updated":"2021-11-10 23:02:00.000000000","message":"Given we\u0027ve designed and applied the member role to projects in a hierarchy for humans, it feels like we should be consistent here, too.\n\nBut yeah, to your point about service-to-service interaction, maybe formalizing a \u0027service\u0027 role and having keystone create one by default would be a good thing to do. 
The advantage is that it could potentially be outside the current role hierarchy, and we could integrate it into only the APIs each service needs.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"800f54d24d021b67b1ee4c12622a3d7650910ba4","unresolved":true,"context_lines":[{"line_number":326,"context_line":"   - Denoted by someone with the ``member`` role on the ``system``"},{"line_number":327,"context_line":"   - Intended for operators or lab technicians"},{"line_number":328,"context_line":"   - Not intended for end users"},{"line_number":329,"context_line":"   - *Manage hypervisors and aggregates*"},{"line_number":330,"context_line":"   - *Manage resources in placement*"},{"line_number":331,"context_line":""},{"line_number":332,"context_line":"- System Reader"},{"line_number":333,"context_line":"   - Denoted by someone with the ``reader`` role on the ``system``"}],"source_content_type":"text/x-rst","patch_set":10,"id":"1ef4fe83_8d912599","line":330,"range":{"start_line":329,"start_character":0,"end_line":330,"end_character":36},"updated":"2021-11-10 22:04:04.000000000","message":"i can partly see why you would want to move in this direction if system member were not able to mange all placment resouces. 
for exampel allowing system member to create/manage\nresource providers, traits, resource classes, aggreantes or invtorices i think would be ok\n\nplacment allcoation however are proejct resouces so a system member shoudl not be able to interact with them.\n\n\nwith regards to hyperviors and nova host-aggreates \nthis looks like an attempt to do less thing with system + admin  where system-scoped is again granting extra permission which is the same probelm we had with system-scoped and project resouces.\n\nshould a system member be able to modify flavour definitions?\n\nthey are a system level resouce that need to be visabel to everyone but i dont think it would be correct for a  lab technician to be able to modify them that is somethin only the cloud operator should be able to do.\n\ni belive the rational for why a system member would be able to mange services(e.g. disable a nova comptue service) and or manage aggreates is for data center mantaince so that they could prevent new vms from landing on a host that is going to be worked on.\n\nbut ot do that effectivly they woudl need to be able to live migrate isntance or cold migrate them which would require project admin or project member roles on the specific project that own the resocues.\nthat is not somethin they can grant themselfe with only system_member permission so i dont think the usecase hold up.\n\nis there a differen motivating usecase that is more compleing for system member?","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1af0650a9d2db0aa8f84c259aa2975f6fefc7d97","unresolved":true,"context_lines":[{"line_number":326,"context_line":"   - Denoted by someone with the ``member`` role on the ``system``"},{"line_number":327,"context_line":"   - Intended for operators or lab technicians"},{"line_number":328,"context_line":"   - Not intended for end 
users"},{"line_number":329,"context_line":"   - *Manage hypervisors and aggregates*"},{"line_number":330,"context_line":"   - *Manage resources in placement*"},{"line_number":331,"context_line":""},{"line_number":332,"context_line":"- System Reader"},{"line_number":333,"context_line":"   - Denoted by someone with the ``reader`` role on the ``system``"}],"source_content_type":"text/x-rst","patch_set":10,"id":"e462f09a_ba6edead","line":330,"range":{"start_line":329,"start_character":0,"end_line":330,"end_character":36},"in_reply_to":"1ef4fe83_8d912599","updated":"2021-11-11 17:34:36.000000000","message":"Resources in placement are not exposed to project users, but they do affect them. If I modify an allocation in placement, does it affect a single project or multiple projects?","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"800f54d24d021b67b1ee4c12622a3d7650910ba4","unresolved":true,"context_lines":[{"line_number":342,"context_line":"   - Intended for operators who need elevated privilege on project resources"},{"line_number":343,"context_line":"   - Can perform operations on project resources that affect other projects in"},{"line_number":344,"context_line":"     the deployment"},{"line_number":345,"context_line":"   - Not intended for end users"},{"line_number":346,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":347,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":348,"context_line":"   - *Setting the default volume type for a project*"}],"source_content_type":"text/x-rst","patch_set":10,"id":"a59dfda1_87e66941","line":345,"range":{"start_line":345,"start_character":4,"end_line":345,"end_character":31},"updated":"2021-11-10 22:04:04.000000000","message":"this is perhaps one of the largest changes of direction since last cycle, as this previously was intended for end 
users.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"800f54d24d021b67b1ee4c12622a3d7650910ba4","unresolved":true,"context_lines":[{"line_number":343,"context_line":"   - Can perform operations on project resources that affect other projects in"},{"line_number":344,"context_line":"     the deployment"},{"line_number":345,"context_line":"   - Not intended for end users"},{"line_number":346,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":347,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":348,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":349,"context_line":"   - *Making an image public to the entire deployment*"}],"source_content_type":"text/x-rst","patch_set":10,"id":"62119b58_98778404","line":346,"range":{"start_line":346,"start_character":3,"end_line":346,"end_character":37},"updated":"2021-11-10 22:04:04.000000000","message":"this is not an api action today.\n\nthere is no such thing as a force reboot.\n\nif you are referring to hard-reboot, that is a normal project member operation and should not\nrequire admin privileges.\n\nlive migration and the related force complete/abort, or reset state, are really the only candidates i can think of in nova that make sense given the new definition.\n\n\nan operator creating a server for a project is also not a good use case for project admin, as they are actually just using the capability granted by project member, so they would be over-reaching if they used a project admin token to do that.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"aac35e312644ef7aef5a1f402e9bb5061a002ff4","unresolved":true,"context_lines":[{"line_number":343,"context_line":"   - Can 
perform operations on project resources that affect other projects in"},{"line_number":344,"context_line":"     the deployment"},{"line_number":345,"context_line":"   - Not intended for end users"},{"line_number":346,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":347,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":348,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":349,"context_line":"   - *Making an image public to the entire deployment*"}],"source_content_type":"text/x-rst","patch_set":10,"id":"89fad2dd_e6cc3cb9","line":346,"range":{"start_line":346,"start_character":3,"end_line":346,"end_character":37},"in_reply_to":"10bb7ed2_64c4d44b","updated":"2021-11-11 13:59:07.000000000","message":"defered delete is refering to the abllity to soft delete an instance which can then be fully deleted after a time our then resotred by the restore instance action.\n\nyou can force delete the soft delete instance before the time out with the force-delete action but that is no the same a force reboot. 
force delete is also allow by normla project memebers.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"cc934b42a995d200bebc6ba54d5603fa18dae475","unresolved":true,"context_lines":[{"line_number":343,"context_line":"   - Can perform operations on project resources that affect other projects in"},{"line_number":344,"context_line":"     the deployment"},{"line_number":345,"context_line":"   - Not intended for end users"},{"line_number":346,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":347,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":348,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":349,"context_line":"   - *Making an image public to the entire deployment*"}],"source_content_type":"text/x-rst","patch_set":10,"id":"10bb7ed2_64c4d44b","line":346,"range":{"start_line":346,"start_character":3,"end_line":346,"end_character":37},"in_reply_to":"22033f3e_9ff8ed50","updated":"2021-11-10 23:31:20.000000000","message":"yeah, reset state is good example.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"c018a87c963f2fe6ad8413139520376620143c19","unresolved":true,"context_lines":[{"line_number":343,"context_line":"   - Can perform operations on project resources that affect other projects in"},{"line_number":344,"context_line":"     the deployment"},{"line_number":345,"context_line":"   - Not intended for end users"},{"line_number":346,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":347,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":348,"context_line":"   - *Setting the default volume type for a 
project*"},{"line_number":349,"context_line":"   - *Making an image public to the entire deployment*"}],"source_content_type":"text/x-rst","patch_set":10,"id":"22033f3e_9ff8ed50","line":346,"range":{"start_line":346,"start_character":3,"end_line":346,"end_character":37},"in_reply_to":"62119b58_98778404","updated":"2021-11-10 22:55:30.000000000","message":"Ok - maybe I misinterpreted [0]. Maybe reset state is a better example [1].\n\n[0] https://github.com/openstack/nova/blob/master/nova/policies/deferred_delete.py#L50\n[1] https://github.com/openstack/nova/blob/master/nova/policies/admin_actions.py#L26","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1af0650a9d2db0aa8f84c259aa2975f6fefc7d97","unresolved":false,"context_lines":[{"line_number":343,"context_line":"   - Can perform operations on project resources that affect other projects in"},{"line_number":344,"context_line":"     the deployment"},{"line_number":345,"context_line":"   - Not intended for end users"},{"line_number":346,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":347,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":348,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":349,"context_line":"   - *Making an image public to the entire deployment*"}],"source_content_type":"text/x-rst","patch_set":10,"id":"41f8b60f_142423b4","line":346,"range":{"start_line":346,"start_character":3,"end_line":346,"end_character":37},"in_reply_to":"89fad2dd_e6cc3cb9","updated":"2021-11-11 17:34:36.000000000","message":"Done","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":11604,"name":"sean 
mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"800f54d24d021b67b1ee4c12622a3d7650910ba4","unresolved":true,"context_lines":[{"line_number":347,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":348,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":349,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":350,"context_line":"   - *Create physical provider networks*"},{"line_number":351,"context_line":""},{"line_number":352,"context_line":"- Project Member"},{"line_number":353,"context_line":"   - Denoted by someone with the ``member`` role on a project"}],"source_content_type":"text/x-rst","patch_set":10,"id":"c81ed1fe_9e64a7e6","line":350,"range":{"start_line":350,"start_character":7,"end_line":350,"end_character":40},"updated":"2021-11-10 22:04:04.000000000","message":"a provider network is a very specifc thing\n\nit does not simply refer to a netwrok of network type vlan or flat which contain an assocaitaion with a physical network. it refer to a netwrok that this create with phyical network mappping and in the case of vlan, vxlan other overlays the segmentaiton type specied in the request body.\n\nthey are created by operators to map networks that typiclay but not alwasy shared to there unterlying infrastruce to provide connectivy that require knolsage of the underlying datacenter to configure correctly.\n\nthat means the the neutron network create endpoint would have to condtionally require the project admin or project memeber persona depending on the content of the request body.\n\ni.e. 
as a project member i shoudl be able to create a vlan network where the vlan asigment is manage by neutron but to create a netrok with  vlan 42 on physent \"wan\" so that i can route a specif ip block to vms via that network i woudl need a a token scoped to the project with the admin role.\n\nneutorn has other complication too since it has  its own rbac api https://docs.openstack.org/neutron/pike/admin/config-rbac.html for sharing project scoped reouce between project that have nothign to do with the current secure rbac polocy goal.\n\narguably a normaly project member should not be able to creat a neutron rbac rule to share a resouce with another project as the project member token they woudl make that call with is not valid on that target project. the user may or may not have project member on both project but since a project socped token is only valid on one project it shoudl not be autiries to share the resourse.\n\na project admin toekn also is inusffence since its again scoped to only one project you may have the admin role on porject a but you may not have no role on the target proejct.\n\nwith the new definition of system scope token having no special privileges on project scoped resources a system_admin token would not be apporicated.\n\nthe only way the policy framwork could model this woudl be vai a domain member or domain admin token assuming bot project shared a domian.\n\nso i dont think any of the personas in this current goal doc can correctly model the permission needed for\nneutron rbac api. since it was created it has been expanded to cover shareign of many other resouce between projects so this is a probelm that will get worse over time. 
https://docs.openstack.org/neutron/latest/admin/config-rbac.html","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1af0650a9d2db0aa8f84c259aa2975f6fefc7d97","unresolved":true,"context_lines":[{"line_number":347,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":348,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":349,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":350,"context_line":"   - *Create physical provider networks*"},{"line_number":351,"context_line":""},{"line_number":352,"context_line":"- Project Member"},{"line_number":353,"context_line":"   - Denoted by someone with the ``member`` role on a project"}],"source_content_type":"text/x-rst","patch_set":10,"id":"9029970e_f3a9c9a5","line":350,"range":{"start_line":350,"start_character":7,"end_line":350,"end_character":40},"in_reply_to":"5e76a66b_78d126ea","updated":"2021-11-11 17:34:36.000000000","message":"Ok, going back to the physical provider network example. This sounds exactly like images in glance, where they have to be associated to some project even though they are used across multiple projects.\n\nI\u0027d still stay that because they require a project on the resource, we should keep this operation isolated to project-admins. So, if you want to create a physical provider network and make it public, you need to do that within a specific project. 
Maybe something like:\n\n  $ openstack project create physical_networks\n  $ export OS_PROJECT_NAME\u003dphysical_networks\n  $ openstack network create external_net\n\n\nI\u0027m struggling to understand why the RBAC API in neutron couldn\u0027t be exposed to project-admins?","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"aac35e312644ef7aef5a1f402e9bb5061a002ff4","unresolved":true,"context_lines":[{"line_number":347,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":348,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":349,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":350,"context_line":"   - *Create physical provider networks*"},{"line_number":351,"context_line":""},{"line_number":352,"context_line":"- Project Member"},{"line_number":353,"context_line":"   - Denoted by someone with the ``member`` role on a project"}],"source_content_type":"text/x-rst","patch_set":10,"id":"5e76a66b_78d126ea","line":350,"range":{"start_line":350,"start_character":7,"end_line":350,"end_character":40},"in_reply_to":"6808786e_9e47e1a5","updated":"2021-11-11 13:59:07.000000000","message":"well external networks are normally owned by the admin project because then have to be owned by some project but they are kind of system resocues in a way since they host the subnet used for floating ips.\n\nthe first point i was trying to make is that the  POST /network endpoint will need to have multiple policies for the same url\n\n\nnetwork that are created with phyical_network set or the segmentation_id would need to be project_admin and request that do not contain does need to be project_member.\n\nbut in both cases the url will be the same its only the body that will be different.\nshared (a globally shared network) and external network likely shoudl 
require project admin to create too.\n\n\nThe second point I was trying to make is that there seems to be a gap in how to model the Neutron RBAC API.\n\nThey have an actual RBAC REST API that allows resources owned by one project to be shared with other projects.\n\n\nCurrently I don\u0027t think project admin would have sufficient rights to use that RBAC API, since the project admin token only grants the admin role on one of the two projects involved. The token is either valid for the \nproject that owns the resource to be shared or the project that it is being shared with, but not both.\n\nWithout using a domain admin token to do the sharing, I don\u0027t see how any of the personas in this current spec could be used for that API endpoint.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"294dfbcf4f3c8aaee5be2db23977f89f13aeffe0","unresolved":true,"context_lines":[{"line_number":347,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":348,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":349,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":350,"context_line":"   - *Create physical provider networks*"},{"line_number":351,"context_line":""},{"line_number":352,"context_line":"- Project Member"},{"line_number":353,"context_line":"   - Denoted by someone with the ``member`` role on a project"}],"source_content_type":"text/x-rst","patch_set":10,"id":"6808786e_9e47e1a5","line":350,"range":{"start_line":350,"start_character":7,"end_line":350,"end_character":40},"in_reply_to":"c81ed1fe_9e64a7e6","updated":"2021-11-10 23:02:00.000000000","message":"If I understand correctly, if physical networks require knowledge of how the lab is set up, then I think that\u0027s even more of a reason to put that operation into the project-admin bucket. 
Unless there are networks in neutron that can\u0027t be owned by a project?","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"d6ad7c627f7fbde5dc9d4df94b4286c528d61e8f","unresolved":true,"context_lines":[{"line_number":369,"context_line":"and project-admin personas. This is by design and starts to slowly break down"},{"line_number":370,"context_line":"the authorization associated to administrative tokens."},{"line_number":371,"context_line":""},{"line_number":372,"context_line":"Stretch goal(s)"},{"line_number":373,"context_line":"---------------"},{"line_number":374,"context_line":""},{"line_number":375,"context_line":"#. Create a new role in the hierarchy called ``manager``"},{"line_number":376,"context_line":"#. Update any applicable policies targeted for project-admin to project-manager"},{"line_number":377,"context_line":"   (set default volume type for project, force reboot instance)"},{"line_number":378,"context_line":"#. Implement domain support into each service (the ``--all-projects`` flag"},{"line_number":379,"context_line":"   returns all resources, like instances, in a domain)"},{"line_number":380,"context_line":""},{"line_number":381,"context_line":"The stretch goals would enable another useful persona for operators to give to"},{"line_number":382,"context_line":"their end users. 
This persona would use the ``manager`` role and its place in"},{"line_number":383,"context_line":"the hierarchy would sit in-between the ``admin`` role and the ``member`` role."},{"line_number":384,"context_line":"Applying it to project scope would result in the following behaviors:"},{"line_number":385,"context_line":""},{"line_number":386,"context_line":"- Project Manager"},{"line_number":387,"context_line":"   - Denoted by someone with the ``manager`` role on a project"},{"line_number":388,"context_line":"   - Intended to be used by end users"},{"line_number":389,"context_line":"   - Slightly more privileged than regular project-members"},{"line_number":390,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":391,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":392,"context_line":"   - *Setting the default secret store for a project*"},{"line_number":393,"context_line":""},{"line_number":394,"context_line":""},{"line_number":395,"context_line":"Champion"}],"source_content_type":"text/x-rst","patch_set":10,"id":"90bdf54e_63a34ee2","line":392,"range":{"start_line":372,"start_character":0,"end_line":392,"end_character":53},"updated":"2021-11-10 19:58:43.000000000","message":"I\u0027m going to be a jerk here, and I\u0027m sorry.\n\nBut a \"stretch\" goal on an effort which we\u0027ve not made anywhere near the level of progress many of us in the community have desired, plus where projects are *already* at varying levels including *done* on the core original goal, creates a situation which is exactly what we do not want, which is cross-project inconsistency.\n\nIf we\u0027re going to do this, it either needs to be a mandatory \"this is expected\" item, or it needs to be removed from the cycle goal and made an explicit goal for the next cycle. 
There is no real in-between where this is a \"maybe if we have time and capacity and all that\" maybe goal.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33c1ba83fa63e885090f32a7e2a32ec6e4ba283f","unresolved":true,"context_lines":[{"line_number":369,"context_line":"and project-admin personas. This is by design and starts to slowly break down"},{"line_number":370,"context_line":"the authorization associated to administrative tokens."},{"line_number":371,"context_line":""},{"line_number":372,"context_line":"Stretch goal(s)"},{"line_number":373,"context_line":"---------------"},{"line_number":374,"context_line":""},{"line_number":375,"context_line":"#. Create a new role in the hierarchy called ``manager``"},{"line_number":376,"context_line":"#. Update any applicable policies targeted for project-admin to project-manager"},{"line_number":377,"context_line":"   (set default volume type for project, force reboot instance)"},{"line_number":378,"context_line":"#. Implement domain support into each service (the ``--all-projects`` flag"},{"line_number":379,"context_line":"   returns all resources, like instances, in a domain)"},{"line_number":380,"context_line":""},{"line_number":381,"context_line":"The stretch goals would enable another useful persona for operators to give to"},{"line_number":382,"context_line":"their end users. 
This persona would use the ``manager`` role and its place in"},{"line_number":383,"context_line":"the hierarchy would sit in-between the ``admin`` role and the ``member`` role."},{"line_number":384,"context_line":"Applying it to project scope would result in the following behaviors:"},{"line_number":385,"context_line":""},{"line_number":386,"context_line":"- Project Manager"},{"line_number":387,"context_line":"   - Denoted by someone with the ``manager`` role on a project"},{"line_number":388,"context_line":"   - Intended to be used by end users"},{"line_number":389,"context_line":"   - Slightly more privileged than regular project-members"},{"line_number":390,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":391,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":392,"context_line":"   - *Setting the default secret store for a project*"},{"line_number":393,"context_line":""},{"line_number":394,"context_line":""},{"line_number":395,"context_line":"Champion"}],"source_content_type":"text/x-rst","patch_set":10,"id":"f65c4d36_4edf1cc6","line":392,"range":{"start_line":372,"start_character":0,"end_line":392,"end_character":53},"in_reply_to":"47f6ed13_e4efa227","updated":"2021-11-10 23:13:25.000000000","message":"From Yoga cycle onwards, we are going to start writing the Techncial Guidlines in project-team-guides (Item#1 in https://etherpad.opendev.org/p/tc-yoga-tracker), I think RBAC is good candidate for that along with unified limit. These stretch goal things can be evolved in as guides and then once they are all good then we can start adding as goal or so.\n\nOne more thing to note is that, as we are going to decouple the goals from release cycle, we can keep RBAC as one of the active goal for many milestone(cycle) and Yoga as first milestone to get things in as agreed in RBAC goals. 
And adding these strech goals things as next milestone/cycle.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a92052bc18f8643c8f86304381448ffc06c3db0f","unresolved":true,"context_lines":[{"line_number":369,"context_line":"and project-admin personas. This is by design and starts to slowly break down"},{"line_number":370,"context_line":"the authorization associated to administrative tokens."},{"line_number":371,"context_line":""},{"line_number":372,"context_line":"Stretch goal(s)"},{"line_number":373,"context_line":"---------------"},{"line_number":374,"context_line":""},{"line_number":375,"context_line":"#. Create a new role in the hierarchy called ``manager``"},{"line_number":376,"context_line":"#. Update any applicable policies targeted for project-admin to project-manager"},{"line_number":377,"context_line":"   (set default volume type for project, force reboot instance)"},{"line_number":378,"context_line":"#. Implement domain support into each service (the ``--all-projects`` flag"},{"line_number":379,"context_line":"   returns all resources, like instances, in a domain)"},{"line_number":380,"context_line":""},{"line_number":381,"context_line":"The stretch goals would enable another useful persona for operators to give to"},{"line_number":382,"context_line":"their end users. 
This persona would use the ``manager`` role and its place in"},{"line_number":383,"context_line":"the hierarchy would sit in-between the ``admin`` role and the ``member`` role."},{"line_number":384,"context_line":"Applying it to project scope would result in the following behaviors:"},{"line_number":385,"context_line":""},{"line_number":386,"context_line":"- Project Manager"},{"line_number":387,"context_line":"   - Denoted by someone with the ``manager`` role on a project"},{"line_number":388,"context_line":"   - Intended to be used by end users"},{"line_number":389,"context_line":"   - Slightly more privileged than regular project-members"},{"line_number":390,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":391,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":392,"context_line":"   - *Setting the default secret store for a project*"},{"line_number":393,"context_line":""},{"line_number":394,"context_line":""},{"line_number":395,"context_line":"Champion"}],"source_content_type":"text/x-rst","patch_set":10,"id":"4853a4a5_5caf0b95","line":392,"range":{"start_line":372,"start_character":0,"end_line":392,"end_character":53},"in_reply_to":"90bdf54e_63a34ee2","updated":"2021-11-10 21:13:08.000000000","message":"That\u0027s fair.\n\nThe main reason why we wanted to include this is because we want to write down the overall direction we\u0027re headed. Especially when we\u0027re talking about things that takes cycles, if not years to complete.\n\nI\u0027d stated in previous iterations of this goal that I wasn\u0027t sure if that future direction should live in this goal. But, we don\u0027t really have a good parking lot for those ideas to live. Do you have an alternative in mind for capturing that context without bloating the goal?\n\nA potential solution would be to create multiple community goals. 
Each would be written to target exactly what needs to happen in each release and  create a dependency between them (e.g., this goal needs to get done before we tackle anything in the Z release.)\n\nThat would work today, but as soon as something slips or a deadline is missed, we will need to update the goals (maybe that\u0027s the right answer...)\n\nI get the reason for having clear and explicit goals, but I also want to preserve the holistic vision we\u0027ve worked on, and where we\u0027re going.\n\nI\u0027m open to suggestions here.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"800f54d24d021b67b1ee4c12622a3d7650910ba4","unresolved":true,"context_lines":[{"line_number":369,"context_line":"and project-admin personas. This is by design and starts to slowly break down"},{"line_number":370,"context_line":"the authorization associated to administrative tokens."},{"line_number":371,"context_line":""},{"line_number":372,"context_line":"Stretch goal(s)"},{"line_number":373,"context_line":"---------------"},{"line_number":374,"context_line":""},{"line_number":375,"context_line":"#. Create a new role in the hierarchy called ``manager``"},{"line_number":376,"context_line":"#. Update any applicable policies targeted for project-admin to project-manager"},{"line_number":377,"context_line":"   (set default volume type for project, force reboot instance)"},{"line_number":378,"context_line":"#. Implement domain support into each service (the ``--all-projects`` flag"},{"line_number":379,"context_line":"   returns all resources, like instances, in a domain)"},{"line_number":380,"context_line":""},{"line_number":381,"context_line":"The stretch goals would enable another useful persona for operators to give to"},{"line_number":382,"context_line":"their end users. 
This persona would use the ``manager`` role and its place in"},{"line_number":383,"context_line":"the hierarchy would sit in-between the ``admin`` role and the ``member`` role."},{"line_number":384,"context_line":"Applying it to project scope would result in the following behaviors:"},{"line_number":385,"context_line":""},{"line_number":386,"context_line":"- Project Manager"},{"line_number":387,"context_line":"   - Denoted by someone with the ``manager`` role on a project"},{"line_number":388,"context_line":"   - Intended to be used by end users"},{"line_number":389,"context_line":"   - Slightly more privileged than regular project-members"},{"line_number":390,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":391,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":392,"context_line":"   - *Setting the default secret store for a project*"},{"line_number":393,"context_line":""},{"line_number":394,"context_line":""},{"line_number":395,"context_line":"Champion"}],"source_content_type":"text/x-rst","patch_set":10,"id":"47f6ed13_e4efa227","line":392,"range":{"start_line":372,"start_character":0,"end_line":392,"end_character":53},"in_reply_to":"90bdf54e_63a34ee2","updated":"2021-11-10 22:04:04.000000000","message":"honestly im not sure we should proceed with this as a goal at all without the strach goal as part of the main goal.\n\ni dont think we really are ready to proceed with the cross project goal until we fiture out the corss service interaction among other things or have the project scoped higher privelage then user role.\n\n\ni need to re read the current verion of hte draft goal as ill admin i have not kept track of all the discussion but form what we discussed at the ptg and my previous skim over this doc i am not convcied we shoudl move forward with this until we actully get more alingment.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":8556,"name":"Ghanshyam 
Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"7fbd762be5b49c5704808eaa4a35c3f7fd90524b","unresolved":true,"context_lines":[{"line_number":369,"context_line":"and project-admin personas. This is by design and starts to slowly break down"},{"line_number":370,"context_line":"the authorization associated to administrative tokens."},{"line_number":371,"context_line":""},{"line_number":372,"context_line":"Stretch goal(s)"},{"line_number":373,"context_line":"---------------"},{"line_number":374,"context_line":""},{"line_number":375,"context_line":"#. Create a new role in the hierarchy called ``manager``"},{"line_number":376,"context_line":"#. Update any applicable policies targeted for project-admin to project-manager"},{"line_number":377,"context_line":"   (set default volume type for project, force reboot instance)"},{"line_number":378,"context_line":"#. Implement domain support into each service (the ``--all-projects`` flag"},{"line_number":379,"context_line":"   returns all resources, like instances, in a domain)"},{"line_number":380,"context_line":""},{"line_number":381,"context_line":"The stretch goals would enable another useful persona for operators to give to"},{"line_number":382,"context_line":"their end users. 
This persona would use the ``manager`` role and its place in"},{"line_number":383,"context_line":"the hierarchy would sit in-between the ``admin`` role and the ``member`` role."},{"line_number":384,"context_line":"Applying it to project scope would result in the following behaviors:"},{"line_number":385,"context_line":""},{"line_number":386,"context_line":"- Project Manager"},{"line_number":387,"context_line":"   - Denoted by someone with the ``manager`` role on a project"},{"line_number":388,"context_line":"   - Intended to be used by end users"},{"line_number":389,"context_line":"   - Slightly more privileged than regular project-members"},{"line_number":390,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":391,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":392,"context_line":"   - *Setting the default secret store for a project*"},{"line_number":393,"context_line":""},{"line_number":394,"context_line":""},{"line_number":395,"context_line":"Champion"}],"source_content_type":"text/x-rst","patch_set":10,"id":"009a9b52_8676ab79","line":392,"range":{"start_line":372,"start_character":0,"end_line":392,"end_character":53},"in_reply_to":"b159bb22_7ba369f6","updated":"2021-11-11 18:40:45.000000000","message":"yeah, it is merged now (https://review.opendev.org/c/openstack/governance/+/816387) and we can see how things are divided into different miletsone.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"aac35e312644ef7aef5a1f402e9bb5061a002ff4","unresolved":true,"context_lines":[{"line_number":369,"context_line":"and project-admin personas. 
This is by design and starts to slowly break down"},{"line_number":370,"context_line":"the authorization associated to administrative tokens."},{"line_number":371,"context_line":""},{"line_number":372,"context_line":"Stretch goal(s)"},{"line_number":373,"context_line":"---------------"},{"line_number":374,"context_line":""},{"line_number":375,"context_line":"#. Create a new role in the hierarchy called ``manager``"},{"line_number":376,"context_line":"#. Update any applicable policies targeted for project-admin to project-manager"},{"line_number":377,"context_line":"   (set default volume type for project, force reboot instance)"},{"line_number":378,"context_line":"#. Implement domain support into each service (the ``--all-projects`` flag"},{"line_number":379,"context_line":"   returns all resources, like instances, in a domain)"},{"line_number":380,"context_line":""},{"line_number":381,"context_line":"The stretch goals would enable another useful persona for operators to give to"},{"line_number":382,"context_line":"their end users. 
This persona would use the ``manager`` role and its place in"},{"line_number":383,"context_line":"the hierarchy would sit in-between the ``admin`` role and the ``member`` role."},{"line_number":384,"context_line":"Applying it to project scope would result in the following behaviors:"},{"line_number":385,"context_line":""},{"line_number":386,"context_line":"- Project Manager"},{"line_number":387,"context_line":"   - Denoted by someone with the ``manager`` role on a project"},{"line_number":388,"context_line":"   - Intended to be used by end users"},{"line_number":389,"context_line":"   - Slightly more privileged than regular project-members"},{"line_number":390,"context_line":"   - *Forcibly rebooting an instance*"},{"line_number":391,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":392,"context_line":"   - *Setting the default secret store for a project*"},{"line_number":393,"context_line":""},{"line_number":394,"context_line":""},{"line_number":395,"context_line":"Champion"}],"source_content_type":"text/x-rst","patch_set":10,"id":"b159bb22_7ba369f6","line":392,"range":{"start_line":372,"start_character":0,"end_line":392,"end_character":53},"in_reply_to":"f65c4d36_4edf1cc6","updated":"2021-11-11 13:59:07.000000000","message":"decouple the goals from release cycle i think would help yes.","commit_id":"a05ba95c7e57fd34f4420b0049cb8e449ec33745"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"2188eb6a9db65abf2cf9fdd25a8807449f45351a","unresolved":true,"context_lines":[{"line_number":28,"context_line":"This led to the following problems:"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"#. 
By default, users were either average end-users or operators, which is far"},{"line_number":31,"context_line":"   too `restrictive \u003chttps://launchpad.net/bugs/968696\u003e`_ for read-world clouds"},{"line_number":32,"context_line":"#. The design violated the principle of least privilege"},{"line_number":33,"context_line":"#. Inconsistent authorization behavior across services, resulting in some"},{"line_number":34,"context_line":"   default policies being completely open to any user"}],"source_content_type":"text/x-rst","patch_set":11,"id":"bef2bea3_b9c584bd","line":31,"range":{"start_line":31,"start_character":62,"end_line":31,"end_character":72},"updated":"2021-11-11 17:33:51.000000000","message":"Think you mean \u0027real-world\u0027 here?","commit_id":"ff02c2562d1c18a6970491f651b00de69f96dd07"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1774896cc5312beb3b809f96e8ebba8a15dcfcda","unresolved":false,"context_lines":[{"line_number":28,"context_line":"This led to the following problems:"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"#. By default, users were either average end-users or operators, which is far"},{"line_number":31,"context_line":"   too `restrictive \u003chttps://launchpad.net/bugs/968696\u003e`_ for read-world clouds"},{"line_number":32,"context_line":"#. The design violated the principle of least privilege"},{"line_number":33,"context_line":"#. Inconsistent authorization behavior across services, resulting in some"},{"line_number":34,"context_line":"   default policies being completely open to any user"}],"source_content_type":"text/x-rst","patch_set":11,"id":"480d4220_22a23754","line":31,"range":{"start_line":31,"start_character":62,"end_line":31,"end_character":72},"in_reply_to":"bef2bea3_b9c584bd","updated":"2021-11-11 17:45:39.000000000","message":"Yes. 
I\u0027ve clearly been working on too much read-only policy.","commit_id":"ff02c2562d1c18a6970491f651b00de69f96dd07"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"2188eb6a9db65abf2cf9fdd25a8807449f45351a","unresolved":true,"context_lines":[{"line_number":125,"context_line":"to operate on project-owned resources with a system-scoped token was to allow"},{"line_number":126,"context_line":"for backwards compatibility."},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"While we certainly want to make things as easy as possible operators to use,"},{"line_number":129,"context_line":"we\u0027re not sure the additional overhead required to teach each OpenStack service"},{"line_number":130,"context_line":"about system-scope in this way would be beneficial. This is especially true"},{"line_number":131,"context_line":"when we considered the fact that a single user account, or bearer token,"}],"source_content_type":"text/x-rst","patch_set":11,"id":"4090fe17_9eeb056f","line":128,"range":{"start_line":128,"start_character":47,"end_line":128,"end_character":68},"updated":"2021-11-11 17:33:51.000000000","message":"as easy as possible for operators","commit_id":"ff02c2562d1c18a6970491f651b00de69f96dd07"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1774896cc5312beb3b809f96e8ebba8a15dcfcda","unresolved":false,"context_lines":[{"line_number":125,"context_line":"to operate on project-owned resources with a system-scoped token was to allow"},{"line_number":126,"context_line":"for backwards compatibility."},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"While we certainly want to make things as easy as possible operators to use,"},{"line_number":129,"context_line":"we\u0027re not sure the additional overhead required to teach each OpenStack 
service"},{"line_number":130,"context_line":"about system-scope in this way would be beneficial. This is especially true"},{"line_number":131,"context_line":"when we considered the fact that a single user account, or bearer token,"}],"source_content_type":"text/x-rst","patch_set":11,"id":"4458a5f6_546b5d56","line":128,"range":{"start_line":128,"start_character":47,"end_line":128,"end_character":68},"in_reply_to":"4090fe17_9eeb056f","updated":"2021-11-11 17:45:39.000000000","message":"Done","commit_id":"ff02c2562d1c18a6970491f651b00de69f96dd07"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"cc934b42a995d200bebc6ba54d5603fa18dae475","unresolved":true,"context_lines":[{"line_number":241,"context_line":""},{"line_number":242,"context_line":"   policy.DocumentedRuleDefault("},{"line_number":243,"context_line":"       name\u003d\u0027os_compute_api:os-hypervisors:list\u0027,"},{"line_number":244,"context_line":"       check_str\u003d\u0027role:reader\u0027,"},{"line_number":245,"context_line":"       scope_types\u003d[\u0027system\u0027]"},{"line_number":246,"context_line":"   )"},{"line_number":247,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"4ea2d9eb_c8095439","line":244,"range":{"start_line":244,"start_character":18,"end_line":244,"end_character":29},"updated":"2021-11-10 23:31:20.000000000","message":"role:admin  as we discussed in today call so that we keep it same as it is today and late in future when we will enable scope by default or so then we can introduce the system_reader things.","commit_id":"ff02c2562d1c18a6970491f651b00de69f96dd07"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1774896cc5312beb3b809f96e8ebba8a15dcfcda","unresolved":false,"context_lines":[{"line_number":241,"context_line":""},{"line_number":242,"context_line":"   
policy.DocumentedRuleDefault("},{"line_number":243,"context_line":"       name\u003d\u0027os_compute_api:os-hypervisors:list\u0027,"},{"line_number":244,"context_line":"       check_str\u003d\u0027role:reader\u0027,"},{"line_number":245,"context_line":"       scope_types\u003d[\u0027system\u0027]"},{"line_number":246,"context_line":"   )"},{"line_number":247,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"f993057a_57d6d1d4","line":244,"range":{"start_line":244,"start_character":18,"end_line":244,"end_character":29},"in_reply_to":"4ea2d9eb_c8095439","updated":"2021-11-11 17:45:39.000000000","message":"Done","commit_id":"ff02c2562d1c18a6970491f651b00de69f96dd07"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"cc934b42a995d200bebc6ba54d5603fa18dae475","unresolved":true,"context_lines":[{"line_number":251,"context_line":""},{"line_number":252,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":253,"context_line":"        name\u003d\u0027volume_extension:volume_manage\u0027,"},{"line_number":254,"context_line":"        check_str\u003d\u0027role:admin\u0027,"},{"line_number":255,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":256,"context_line":"    )"},{"line_number":257,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"ee0a4059_e884da7a","line":254,"range":{"start_line":254,"start_character":18,"end_line":254,"end_character":31},"updated":"2021-11-10 23:31:20.000000000","message":"and important thing to note here is we do not have scope embedded in check_str now and this way enfore_scope\u003dFalse will keep working for operators. 
may be good to mention that as a separate line or so.","commit_id":"ff02c2562d1c18a6970491f651b00de69f96dd07"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1774896cc5312beb3b809f96e8ebba8a15dcfcda","unresolved":false,"context_lines":[{"line_number":251,"context_line":""},{"line_number":252,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":253,"context_line":"        name\u003d\u0027volume_extension:volume_manage\u0027,"},{"line_number":254,"context_line":"        check_str\u003d\u0027role:admin\u0027,"},{"line_number":255,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":256,"context_line":"    )"},{"line_number":257,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"1d496855_5fcf13c4","line":254,"range":{"start_line":254,"start_character":18,"end_line":254,"end_character":31},"in_reply_to":"ee0a4059_e884da7a","updated":"2021-11-11 17:45:39.000000000","message":"Done","commit_id":"ff02c2562d1c18a6970491f651b00de69f96dd07"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"cc934b42a995d200bebc6ba54d5603fa18dae475","unresolved":true,"context_lines":[{"line_number":322,"context_line":"   - *Move pre-existing volumes in and out of projects*"},{"line_number":323,"context_line":"   - *Create or delete HSM transport keys*"},{"line_number":324,"context_line":""},{"line_number":325,"context_line":"- System Member"},{"line_number":326,"context_line":"   - Denoted by someone with the ``member`` role on the ``system``"},{"line_number":327,"context_line":"   - Intended for operators or lab technicians"},{"line_number":328,"context_line":"   - Not intended for end users"},{"line_number":329,"context_line":"   - *Manage hypervisors and aggregates*"},{"line_number":330,"context_line":"   - *Manage resources in 
placement*"},{"line_number":331,"context_line":""},{"line_number":332,"context_line":"- System Reader"},{"line_number":333,"context_line":"   - Denoted by someone with the ``reader`` role on the ``system``"},{"line_number":334,"context_line":"   - Intended for operators or auditors for system-specific resources"},{"line_number":335,"context_line":"   - Not intended for end users"},{"line_number":336,"context_line":"   - *View hypervisor and aggregate information*"},{"line_number":337,"context_line":"   - *View volume types*"},{"line_number":338,"context_line":"   - *View all domains and identity providers within the deployment*"},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"- Project Admin"},{"line_number":341,"context_line":"   - Denoted by someone with the ``admin`` role on a project"},{"line_number":342,"context_line":"   - Intended for operators who need elevated privilege on project resources"}],"source_content_type":"text/x-rst","patch_set":11,"id":"2c4da39a_78a7ff83","line":339,"range":{"start_line":325,"start_character":0,"end_line":339,"end_character":0},"updated":"2021-11-10 23:31:20.000000000","message":"as discussed in today call, we are going to keep system admin for all of these system level operation even GET as first step (until we switch the new RBAC by default). 
May be this doing system member/reader can be as next step in \u0027Future goal(s)\u0027 ?","commit_id":"ff02c2562d1c18a6970491f651b00de69f96dd07"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1774896cc5312beb3b809f96e8ebba8a15dcfcda","unresolved":false,"context_lines":[{"line_number":322,"context_line":"   - *Move pre-existing volumes in and out of projects*"},{"line_number":323,"context_line":"   - *Create or delete HSM transport keys*"},{"line_number":324,"context_line":""},{"line_number":325,"context_line":"- System Member"},{"line_number":326,"context_line":"   - Denoted by someone with the ``member`` role on the ``system``"},{"line_number":327,"context_line":"   - Intended for operators or lab technicians"},{"line_number":328,"context_line":"   - Not intended for end users"},{"line_number":329,"context_line":"   - *Manage hypervisors and aggregates*"},{"line_number":330,"context_line":"   - *Manage resources in placement*"},{"line_number":331,"context_line":""},{"line_number":332,"context_line":"- System Reader"},{"line_number":333,"context_line":"   - Denoted by someone with the ``reader`` role on the ``system``"},{"line_number":334,"context_line":"   - Intended for operators or auditors for system-specific resources"},{"line_number":335,"context_line":"   - Not intended for end users"},{"line_number":336,"context_line":"   - *View hypervisor and aggregate information*"},{"line_number":337,"context_line":"   - *View volume types*"},{"line_number":338,"context_line":"   - *View all domains and identity providers within the deployment*"},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"- Project Admin"},{"line_number":341,"context_line":"   - Denoted by someone with the ``admin`` role on a project"},{"line_number":342,"context_line":"   - Intended for operators who need elevated privilege on project 
resources"}],"source_content_type":"text/x-rst","patch_set":11,"id":"082280e1_64823d5a","line":339,"range":{"start_line":325,"start_character":0,"end_line":339,"end_character":0},"in_reply_to":"2c4da39a_78a7ff83","updated":"2021-11-11 17:45:39.000000000","message":"Done","commit_id":"ff02c2562d1c18a6970491f651b00de69f96dd07"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"cc934b42a995d200bebc6ba54d5603fa18dae475","unresolved":true,"context_lines":[{"line_number":418,"context_line":"#. Revert any system-scope policies applied to project-specific APIs or"},{"line_number":419,"context_line":"   resources"},{"line_number":420,"context_line":"#. Apply system-scope policies for purely system-specific APIs"},{"line_number":421,"context_line":"#. Write check strings for APIs that operate with system and project scope"},{"line_number":422,"context_line":"#. Enhance python-openstackclient to find projects for resources using a"},{"line_number":423,"context_line":"   system-scoped token (resolve to domain-scoped token, resolve to"},{"line_number":424,"context_line":"   project-scoped token)"}],"source_content_type":"text/x-rst","patch_set":11,"id":"761b2fd1_d2cb1847","line":421,"range":{"start_line":421,"start_character":2,"end_line":421,"end_character":74},"updated":"2021-11-10 23:31:20.000000000","message":"you mean \"check string that operate with enfore_scope\u003dfalse\" right? which means remove the scope-bits from check_str like \u0027system:all\u0027 etc.","commit_id":"ff02c2562d1c18a6970491f651b00de69f96dd07"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1774896cc5312beb3b809f96e8ebba8a15dcfcda","unresolved":true,"context_lines":[{"line_number":418,"context_line":"#. 
Revert any system-scope policies applied to project-specific APIs or"},{"line_number":419,"context_line":"   resources"},{"line_number":420,"context_line":"#. Apply system-scope policies for purely system-specific APIs"},{"line_number":421,"context_line":"#. Write check strings for APIs that operate with system and project scope"},{"line_number":422,"context_line":"#. Enhance python-openstackclient to find projects for resources using a"},{"line_number":423,"context_line":"   system-scoped token (resolve to domain-scoped token, resolve to"},{"line_number":424,"context_line":"   project-scoped token)"}],"source_content_type":"text/x-rst","patch_set":11,"id":"76a46445_01a6f1e0","line":421,"range":{"start_line":421,"start_character":2,"end_line":421,"end_character":74},"in_reply_to":"761b2fd1_d2cb1847","updated":"2021-11-11 17:45:39.000000000","message":"I think so? Did we decide if we were going to break policies that operate with different scoped into multiple rules?","commit_id":"ff02c2562d1c18a6970491f651b00de69f96dd07"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"7fbd762be5b49c5704808eaa4a35c3f7fd90524b","unresolved":true,"context_lines":[{"line_number":418,"context_line":"#. Revert any system-scope policies applied to project-specific APIs or"},{"line_number":419,"context_line":"   resources"},{"line_number":420,"context_line":"#. Apply system-scope policies for purely system-specific APIs"},{"line_number":421,"context_line":"#. Write check strings for APIs that operate with system and project scope"},{"line_number":422,"context_line":"#. 
Enhance python-openstackclient to find projects for resources using a"},{"line_number":423,"context_line":"   system-scoped token (resolve to domain-scoped token, resolve to"},{"line_number":424,"context_line":"   project-scoped token)"}],"source_content_type":"text/x-rst","patch_set":11,"id":"70835613_9702f969","line":421,"range":{"start_line":421,"start_character":2,"end_line":421,"end_character":74},"in_reply_to":"76a46445_01a6f1e0","updated":"2021-11-11 18:40:45.000000000","message":"We agreed to keep system admin to keep GET system level APIs not system reader so that if enforce_scope is false then project reader/member would not be able to list system level info (GET hypervisors or so). Only admin (system admin if scope is enabled and project admin if scope is disable) can get system level info which is not change from what it is currently. And later in future when we ake enforce_scope\u003dtrue or hardcoded-true then we can introduce the system reader here. It will be like:\n\ncheck_str: role:admin\nscope_type: [system]","commit_id":"ff02c2562d1c18a6970491f651b00de69f96dd07"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"f9cd6a6f1fd79d508a390b9a7a57ec26824b3b0c","unresolved":true,"context_lines":[{"line_number":99,"context_line":""},{"line_number":100,"context_line":"It wasn\u0027t until we started applying this idea to various services that we"},{"line_number":101,"context_line":"realized it was going to cause significant issues with service-to-service"},{"line_number":102,"context_line":"communication and require significant refactoring in each service. 
This is due"},{"line_number":103,"context_line":"the fact that OpenStack services have been developed with the assumption that"},{"line_number":104,"context_line":"project IDs will always be present, and it\u0027s rare to interact with a resource"},{"line_number":105,"context_line":"without a project ID associated to the request."},{"line_number":106,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"46c6b256_308e4022","line":103,"range":{"start_line":102,"start_character":75,"end_line":103,"end_character":3},"updated":"2021-11-15 06:01:53.000000000","message":"nit: due to the?","commit_id":"aac18e43772edf7f50a189b9f0d6d9c3f4cbaa30"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"bdef9d989edb4ca54a03b5effd308f4ebbf9c242","unresolved":false,"context_lines":[{"line_number":99,"context_line":""},{"line_number":100,"context_line":"It wasn\u0027t until we started applying this idea to various services that we"},{"line_number":101,"context_line":"realized it was going to cause significant issues with service-to-service"},{"line_number":102,"context_line":"communication and require significant refactoring in each service. 
This is due"},{"line_number":103,"context_line":"the fact that OpenStack services have been developed with the assumption that"},{"line_number":104,"context_line":"project IDs will always be present, and it\u0027s rare to interact with a resource"},{"line_number":105,"context_line":"without a project ID associated to the request."},{"line_number":106,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"cb6bfab8_e2aef9ef","line":103,"range":{"start_line":102,"start_character":75,"end_line":103,"end_character":3},"in_reply_to":"46c6b256_308e4022","updated":"2021-11-15 18:46:03.000000000","message":"Done","commit_id":"aac18e43772edf7f50a189b9f0d6d9c3f4cbaa30"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3de9e48f6511cef0830305750cda4db9deed1a04","unresolved":true,"context_lines":[{"line_number":313,"context_line":"#. Reboot an instance"},{"line_number":314,"context_line":"#. Live migrate an instance"},{"line_number":315,"context_line":""},{"line_number":316,"context_line":"Applicable projects"},{"line_number":317,"context_line":"^^^^^^^^^^^^^^^^^^^"},{"line_number":318,"context_line":""},{"line_number":319,"context_line":"Keystone has full support for system-admin, system-member, system-reader,"}],"source_content_type":"text/x-rst","patch_set":13,"id":"1fe7cf8d_ee0dc83e","line":316,"updated":"2021-11-11 18:17:22.000000000","message":"This section is new and was one of the bigger outcomes in the last meeting with the TC.\n\nWe need to smooth this part out - but the following section lays out the basic steps.","commit_id":"aac18e43772edf7f50a189b9f0d6d9c3f4cbaa30"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"f9cd6a6f1fd79d508a390b9a7a57ec26824b3b0c","unresolved":true,"context_lines":[{"line_number":330,"context_line":"project-reader personas. 
This will require operators to audit their users and"},{"line_number":331,"context_line":"do a migration for at least one service. This will be a one-time operation that"},{"line_number":332,"context_line":"they should do when they configure Nova to use the new defaults. In subsequent"},{"line_number":333,"context_line":"releases (Z-release), other projects can follow the pattern set by Nova and"},{"line_number":334,"context_line":"Keystone in Yoga."},{"line_number":335,"context_line":""},{"line_number":336,"context_line":"How operators opt into the new functionality"}],"source_content_type":"text/x-rst","patch_set":13,"id":"a714143b_1c0db6e7","line":333,"range":{"start_line":333,"start_character":22,"end_line":333,"end_character":36},"updated":"2021-11-15 06:01:53.000000000","message":"Glance needs to find how compatible openstackclient is with recently added new features.","commit_id":"aac18e43772edf7f50a189b9f0d6d9c3f4cbaa30"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"d7d3c196f2abad15659d274896417a2f2b03f6cd","unresolved":true,"context_lines":[{"line_number":341,"context_line":""},{"line_number":342,"context_line":"  [oslo_policy]"},{"line_number":343,"context_line":"  enforce_new_defaults\u003dTrue"},{"line_number":344,"context_line":"  enforce_scope\u003dTrue"},{"line_number":345,"context_line":""},{"line_number":346,"context_line":"For increased usability, operators could bootstrap their team with inherited"},{"line_number":347,"context_line":"role assignments on each domain, making it easier for operators to get"}],"source_content_type":"text/x-rst","patch_set":13,"id":"8f37edc1_869dc014","line":344,"updated":"2021-11-12 17:48:47.000000000","message":"I think we\u0027re not expecting \"each service\" to be configured for new defaults and scope in Yoga, right? We\u0027re expecting those to be the case for keystone, and in nova in Z. 
*After* Z, those are expected to be set for the other projects.","commit_id":"aac18e43772edf7f50a189b9f0d6d9c3f4cbaa30"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"bdef9d989edb4ca54a03b5effd308f4ebbf9c242","unresolved":true,"context_lines":[{"line_number":341,"context_line":""},{"line_number":342,"context_line":"  [oslo_policy]"},{"line_number":343,"context_line":"  enforce_new_defaults\u003dTrue"},{"line_number":344,"context_line":"  enforce_scope\u003dTrue"},{"line_number":345,"context_line":""},{"line_number":346,"context_line":"For increased usability, operators could bootstrap their team with inherited"},{"line_number":347,"context_line":"role assignments on each domain, making it easier for operators to get"}],"source_content_type":"text/x-rst","patch_set":13,"id":"e96d1a21_8c49de99","line":344,"in_reply_to":"8575e2fd_732621cd","updated":"2021-11-15 18:46:03.000000000","message":"My understanding was:\n* Enabling the new defaults and scope by default in\n** Keystone in Yoga\n** Nova in Z\n** Other projects in after Z\n\nBut Nova or other projects can start implementing the new defaults, scope in their policy in Yoga itself but keep them disable by default and mention it as experimental in release notes.","commit_id":"aac18e43772edf7f50a189b9f0d6d9c3f4cbaa30"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"f9cd6a6f1fd79d508a390b9a7a57ec26824b3b0c","unresolved":true,"context_lines":[{"line_number":341,"context_line":""},{"line_number":342,"context_line":"  [oslo_policy]"},{"line_number":343,"context_line":"  enforce_new_defaults\u003dTrue"},{"line_number":344,"context_line":"  enforce_scope\u003dTrue"},{"line_number":345,"context_line":""},{"line_number":346,"context_line":"For increased usability, operators could bootstrap their team with 
inherited"},{"line_number":347,"context_line":"role assignments on each domain, making it easier for operators to get"}],"source_content_type":"text/x-rst","patch_set":13,"id":"8575e2fd_732621cd","line":344,"in_reply_to":"8f37edc1_869dc014","updated":"2021-11-15 06:01:53.000000000","message":"++","commit_id":"aac18e43772edf7f50a189b9f0d6d9c3f4cbaa30"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"d7d3c196f2abad15659d274896417a2f2b03f6cd","unresolved":true,"context_lines":[{"line_number":398,"context_line":"and project-admin personas. This is by design and starts to slowly break down"},{"line_number":399,"context_line":"the authorization associated to administrative tokens."},{"line_number":400,"context_line":""},{"line_number":401,"context_line":"Future goal(s)"},{"line_number":402,"context_line":"--------------"},{"line_number":403,"context_line":""},{"line_number":404,"context_line":"#. Create a new role in the hierarchy called ``manager``"}],"source_content_type":"text/x-rst","patch_set":13,"id":"03bd7e9a_f5388b9c","line":401,"updated":"2021-11-12 17:48:47.000000000","message":"I know it was challenged in the last round, but I think that it\u0027s important to keep the \"where we\u0027re going\" part in here as you have it. 
This is a long road, it\u0027s complicated, and I think knowing/remembering where the end is will help.","commit_id":"aac18e43772edf7f50a189b9f0d6d9c3f4cbaa30"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"f9cd6a6f1fd79d508a390b9a7a57ec26824b3b0c","unresolved":true,"context_lines":[{"line_number":442,"context_line":"   - *View hypervisor and aggregate information*"},{"line_number":443,"context_line":"   - *View volume types*"},{"line_number":444,"context_line":"   - *View all domains and identity providers within the deployment*"},{"line_number":445,"context_line":""},{"line_number":446,"context_line":""},{"line_number":447,"context_line":"Champion"},{"line_number":448,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":13,"id":"c21e18d0_19466682","line":445,"updated":"2021-11-15 06:01:53.000000000","message":"Question:\nSo manager role will be tied with project scope only, right?\nOr in future there will be system-manager as well?","commit_id":"aac18e43772edf7f50a189b9f0d6d9c3f4cbaa30"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"073ddda19c8ceeb484fea5c0d339f75127eb952c","unresolved":true,"context_lines":[{"line_number":442,"context_line":"   - *View hypervisor and aggregate information*"},{"line_number":443,"context_line":"   - *View volume types*"},{"line_number":444,"context_line":"   - *View all domains and identity providers within the deployment*"},{"line_number":445,"context_line":""},{"line_number":446,"context_line":""},{"line_number":447,"context_line":"Champion"},{"line_number":448,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":13,"id":"a9840bfb_a9de4ede","line":445,"in_reply_to":"c21e18d0_19466682","updated":"2021-11-18 15:09:47.000000000","message":"In 
theory - it could be applicable to any scope.\n\nRight now, the clear examples we see for manager is within the project-scope, but that\u0027s not to say there aren\u0027t good use-cases for it within system-scope.\n\nI think keeping the implementation flexible so that we can apply it to any scope is a good idea and leaves doors open to other options in the future.","commit_id":"aac18e43772edf7f50a189b9f0d6d9c3f4cbaa30"}]}
