)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"b3b57b9a417e4fb95bc415c803d08d3d386ae847","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"9123941f_62cf85b1","updated":"2021-12-02 19:16:19.000000000","message":"Some comments inline.","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4ea39deeeb5dcdfb6cb4c77cc4860295ebc4caf4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"570f03c1_b1dbca4d","updated":"2021-12-02 19:08:52.000000000","message":"few wording clarifications we came across during today\u0027s call. -https://etherpad.opendev.org/p/policy-popup-yoga-ptg ","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"397fd99ecfe1f3e09cbf1f5bff5165bc52bc70c9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"515bd441_5c486e21","updated":"2021-12-03 08:15:10.000000000","message":"Otherwise fine and wonderful.","commit_id":"cd80928a7e5996308a5fa37793f36c674f851e17"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"0310c0d60cd03d60877725edf8adb05cfa33d326","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"ddbdc932_c9e7953a","updated":"2021-12-02 23:55:56.000000000","message":"current wording improvement lgtm, thanks lance for updates.\n\nIf more things to be clear for phase-2/3, we can iterate over those especially when we 
will do the phase-1 (Yoga) things and I am sure we will have use-case/need-clarity also. It is difficult to make everything final at one shot.","commit_id":"cd80928a7e5996308a5fa37793f36c674f851e17"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"081556d0630ed29ea6c0a29dd49f0f304d9a4700","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"8d743596_5c57c76e","updated":"2021-12-07 16:57:11.000000000","message":"thanks!","commit_id":"076ffed03c1f635dba3486ff879a2e5e2f368a82"}],"goals/selected/consistent-and-secure-rbac.rst":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4ea39deeeb5dcdfb6cb4c77cc4860295ebc4caf4","unresolved":true,"context_lines":[{"line_number":166,"context_line":"Phase 1"},{"line_number":167,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"Implement support for system-admin, project-admin, project-manager,"},{"line_number":170,"context_line":"project-member, and project-reader personas."},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"The project-member and project-reader changes are relatively trivial. 
The"}],"source_content_type":"text/x-rst","patch_set":2,"id":"72fade67_37d3a9fb","line":169,"range":{"start_line":169,"start_character":51,"end_line":169,"end_character":67},"updated":"2021-12-02 19:08:52.000000000","message":"As discussed in today call, let\u0027s move it to phase-2 which is what we have in schedule (L589) but it seems moving from here also in phase2 will be more clear.","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4ed8ee3f4df3827c6dc3f411dcb1d0a76d416661","unresolved":false,"context_lines":[{"line_number":166,"context_line":"Phase 1"},{"line_number":167,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"Implement support for system-admin, project-admin, project-manager,"},{"line_number":170,"context_line":"project-member, and project-reader personas."},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"The project-member and project-reader changes are relatively trivial. The"}],"source_content_type":"text/x-rst","patch_set":2,"id":"6a39a2cb_80ab6492","line":169,"range":{"start_line":169,"start_character":51,"end_line":169,"end_character":67},"in_reply_to":"72fade67_37d3a9fb","updated":"2021-12-02 19:38:26.000000000","message":"Done","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4ea39deeeb5dcdfb6cb4c77cc4860295ebc4caf4","unresolved":true,"context_lines":[{"line_number":171,"context_line":""},{"line_number":172,"context_line":"The project-member and project-reader changes are relatively trivial. 
The"},{"line_number":173,"context_line":"majority of the work in this phase is focused on breaking administrative"},{"line_number":174,"context_line":"functionality into the project-admin and system-admin personas. Any APIs we can"},{"line_number":175,"context_line":"expose to privileged end-users safely should be updated to use the"},{"line_number":176,"context_line":"project-manager personas."},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"Re-evaluate project-specific API policies"},{"line_number":179,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":2,"id":"7d0aa638_8fe57c28","line":176,"range":{"start_line":174,"start_character":64,"end_line":176,"end_character":25},"updated":"2021-12-02 19:08:52.000000000","message":"ditto","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4ed8ee3f4df3827c6dc3f411dcb1d0a76d416661","unresolved":false,"context_lines":[{"line_number":171,"context_line":""},{"line_number":172,"context_line":"The project-member and project-reader changes are relatively trivial. The"},{"line_number":173,"context_line":"majority of the work in this phase is focused on breaking administrative"},{"line_number":174,"context_line":"functionality into the project-admin and system-admin personas. 
Any APIs we can"},{"line_number":175,"context_line":"expose to privileged end-users safely should be updated to use the"},{"line_number":176,"context_line":"project-manager personas."},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"Re-evaluate project-specific API policies"},{"line_number":179,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":2,"id":"b5d81b6d_584247ac","line":176,"range":{"start_line":174,"start_character":64,"end_line":176,"end_character":25},"in_reply_to":"7d0aa638_8fe57c28","updated":"2021-12-02 19:38:26.000000000","message":"Done","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4ea39deeeb5dcdfb6cb4c77cc4860295ebc4caf4","unresolved":true,"context_lines":[{"line_number":373,"context_line":""},{"line_number":374,"context_line":"The direction for `Phase 1`_ is to use solution #4, where a project-admin can"},{"line_number":375,"context_line":"continue listing resources across the deployment, while we target domain"},{"line_number":376,"context_line":"support for `Phase 2`_ or `Phase 3`_."},{"line_number":377,"context_line":""},{"line_number":378,"context_line":"How operators opt into the new functionality"},{"line_number":379,"context_line":"--------------------------------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"c556bc82_8c35cf3a","line":376,"range":{"start_line":376,"start_character":12,"end_line":376,"end_character":35},"updated":"2021-12-02 19:08:52.000000000","message":"as discussed we can mention it `Phase 2`_","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4ed8ee3f4df3827c6dc3f411dcb1d0a76d416661","unresolved":false,"context_lines":[{"line_number":373,"context_line":""},{"line_number":374,"context_line":"The direction for `Phase 1`_ is to use solution #4, where a project-admin can"},{"line_number":375,"context_line":"continue listing resources across the deployment, while we target domain"},{"line_number":376,"context_line":"support for `Phase 2`_ or `Phase 3`_."},{"line_number":377,"context_line":""},{"line_number":378,"context_line":"How operators opt into the new functionality"},{"line_number":379,"context_line":"--------------------------------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"65b87633_8264603f","line":376,"range":{"start_line":376,"start_character":12,"end_line":376,"end_character":35},"in_reply_to":"c556bc82_8c35cf3a","updated":"2021-12-02 19:38:26.000000000","message":"Done","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"b3b57b9a417e4fb95bc415c803d08d3d386ae847","unresolved":true,"context_lines":[{"line_number":405,"context_line":"- Project Admin"},{"line_number":406,"context_line":"   - Denoted by someone with the ``admin`` role on a project"},{"line_number":407,"context_line":"   - Intended for operators who need elevated privilege on project resources"},{"line_number":408,"context_line":"   - Can perform operations on project resources that affect other projects in"},{"line_number":409,"context_line":"     the deployment"},{"line_number":410,"context_line":"   - Not intended for end users"},{"line_number":411,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":412,"context_line":"   - *Forcibly deleting an application 
stack*"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9d6df11f_3d7ca2bd","line":409,"range":{"start_line":408,"start_character":5,"end_line":409,"end_character":19},"updated":"2021-12-02 19:16:19.000000000","message":"I think this would be more clear if you added \"in a limited way, for example, setting visibility to \u0027public\u0027 on an image\".","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4ed8ee3f4df3827c6dc3f411dcb1d0a76d416661","unresolved":true,"context_lines":[{"line_number":405,"context_line":"- Project Admin"},{"line_number":406,"context_line":"   - Denoted by someone with the ``admin`` role on a project"},{"line_number":407,"context_line":"   - Intended for operators who need elevated privilege on project resources"},{"line_number":408,"context_line":"   - Can perform operations on project resources that affect other projects in"},{"line_number":409,"context_line":"     the deployment"},{"line_number":410,"context_line":"   - Not intended for end users"},{"line_number":411,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":412,"context_line":"   - *Forcibly deleting an application stack*"}],"source_content_type":"text/x-rst","patch_set":2,"id":"e13e572b_a0862cef","line":409,"range":{"start_line":408,"start_character":5,"end_line":409,"end_character":19},"in_reply_to":"9d6df11f_3d7ca2bd","updated":"2021-12-02 19:38:26.000000000","message":"Line 414 includes the example for public images.","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"29ca711753e47c3f0ce58d23425923932a7d793e","unresolved":false,"context_lines":[{"line_number":405,"context_line":"- Project Admin"},{"line_number":406,"context_line":"   - Denoted by someone with 
the ``admin`` role on a project"},{"line_number":407,"context_line":"   - Intended for operators who need elevated privilege on project resources"},{"line_number":408,"context_line":"   - Can perform operations on project resources that affect other projects in"},{"line_number":409,"context_line":"     the deployment"},{"line_number":410,"context_line":"   - Not intended for end users"},{"line_number":411,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":412,"context_line":"   - *Forcibly deleting an application stack*"}],"source_content_type":"text/x-rst","patch_set":2,"id":"edda25de_0e307253","line":409,"range":{"start_line":408,"start_character":5,"end_line":409,"end_character":19},"in_reply_to":"e13e572b_a0862cef","updated":"2021-12-02 19:46:53.000000000","message":"OK, missed that.  I just don\u0027t like this sentence because it runs counter to the idea that a project-admin is restricted to operating within a project (but I don\u0027t have a good suggestion for how to make it more clear).","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"a14c410edd5062b0d91bcfb75fcb493ba3a9a7f6","unresolved":true,"context_lines":[{"line_number":410,"context_line":"   - Not intended for end users"},{"line_number":411,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":412,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":413,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":414,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":415,"context_line":"   - *Create physical provider 
networks*"},{"line_number":416,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3ccf47c0_dbf4696e","line":413,"range":{"start_line":413,"start_character":0,"end_line":413,"end_character":52},"updated":"2021-12-02 15:29:45.000000000","message":"I think this suits the role of a Project manager (and already exists in that list L#422) so better to remove from here?","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4ed8ee3f4df3827c6dc3f411dcb1d0a76d416661","unresolved":false,"context_lines":[{"line_number":410,"context_line":"   - Not intended for end users"},{"line_number":411,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":412,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":413,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":414,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":415,"context_line":"   - *Create physical provider networks*"},{"line_number":416,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"bebb8d17_78380f4c","line":413,"range":{"start_line":413,"start_character":0,"end_line":413,"end_character":52},"in_reply_to":"3ccf47c0_dbf4696e","updated":"2021-12-02 19:38:26.000000000","message":"Done","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4ea39deeeb5dcdfb6cb4c77cc4860295ebc4caf4","unresolved":true,"context_lines":[{"line_number":413,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":414,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":415,"context_line":"   - *Create physical provider 
networks*"},{"line_number":416,"context_line":""},{"line_number":417,"context_line":"- Project Manager"},{"line_number":418,"context_line":"   - Denoted by someone with the ``manager`` role on a project"},{"line_number":419,"context_line":"   - Intended to be used by end users"},{"line_number":420,"context_line":"   - Slightly more privileged than regular project-members"},{"line_number":421,"context_line":"   - *Locking and unlocking an instance*"},{"line_number":422,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":423,"context_line":"   - *Setting the default secret store for a project*"},{"line_number":424,"context_line":""},{"line_number":425,"context_line":"- Project Member"},{"line_number":426,"context_line":"   - Denoted by someone with the ``member`` role on a project"}],"source_content_type":"text/x-rst","patch_set":2,"id":"d48d8b83_b4a3439d","line":423,"range":{"start_line":416,"start_character":0,"end_line":423,"end_character":53},"updated":"2021-12-02 19:08:52.000000000","message":"ditto. 
moving this documentation also to phase-2 definition.","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4ed8ee3f4df3827c6dc3f411dcb1d0a76d416661","unresolved":false,"context_lines":[{"line_number":413,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":414,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":415,"context_line":"   - *Create physical provider networks*"},{"line_number":416,"context_line":""},{"line_number":417,"context_line":"- Project Manager"},{"line_number":418,"context_line":"   - Denoted by someone with the ``manager`` role on a project"},{"line_number":419,"context_line":"   - Intended to be used by end users"},{"line_number":420,"context_line":"   - Slightly more privileged than regular project-members"},{"line_number":421,"context_line":"   - *Locking and unlocking an instance*"},{"line_number":422,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":423,"context_line":"   - *Setting the default secret store for a project*"},{"line_number":424,"context_line":""},{"line_number":425,"context_line":"- Project Member"},{"line_number":426,"context_line":"   - Denoted by someone with the ``member`` role on a project"}],"source_content_type":"text/x-rst","patch_set":2,"id":"e55068d7_1eabf972","line":423,"range":{"start_line":416,"start_character":0,"end_line":423,"end_character":53},"in_reply_to":"d48d8b83_b4a3439d","updated":"2021-12-02 19:38:26.000000000","message":"Done","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4ea39deeeb5dcdfb6cb4c77cc4860295ebc4caf4","unresolved":true,"context_lines":[{"line_number":460,"context_line":"service. 
For example, neutron needs to inform nova about network changes, but"},{"line_number":461,"context_line":"it shouldn\u0027t need the ability to create new users and groups in keystone, which"},{"line_number":462,"context_line":"it currently has."},{"line_number":463,"context_line":""},{"line_number":464,"context_line":"Phase 3"},{"line_number":465,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":466,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"bf529831_f7813a64","line":463,"range":{"start_line":463,"start_character":0,"end_line":463,"end_character":0},"updated":"2021-12-02 19:08:52.000000000","message":"as discussed, let\u0027s add two more things here which is what we have in schedule section. \n\n1. services start adding project manager in their policy\n2. domain admin listing all projects resources","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4ed8ee3f4df3827c6dc3f411dcb1d0a76d416661","unresolved":false,"context_lines":[{"line_number":460,"context_line":"service. 
For example, neutron needs to inform nova about network changes, but"},{"line_number":461,"context_line":"it shouldn\u0027t need the ability to create new users and groups in keystone, which"},{"line_number":462,"context_line":"it currently has."},{"line_number":463,"context_line":""},{"line_number":464,"context_line":"Phase 3"},{"line_number":465,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":466,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"d87a9535_0b1b1ecd","line":463,"range":{"start_line":463,"start_character":0,"end_line":463,"end_character":0},"in_reply_to":"bf529831_f7813a64","updated":"2021-12-02 19:38:26.000000000","message":"Done","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4ea39deeeb5dcdfb6cb4c77cc4860295ebc4caf4","unresolved":true,"context_lines":[{"line_number":586,"context_line":"Z-Release Timeline"},{"line_number":587,"context_line":"^^^^^^^^^^^^^^^^^^"},{"line_number":588,"context_line":""},{"line_number":589,"context_line":"#. Keystone implements `Phase 2`_ and the ``manager`` role"},{"line_number":590,"context_line":""},{"line_number":591,"context_line":"   Keystone starts implementing support for ``manager`` across project, domain,"},{"line_number":592,"context_line":"   and system scopes. Keystone has supported system-admin, system-member, and"},{"line_number":593,"context_line":"   system-reader since Train, which completes the `Phase 3`_ goals"},{"line_number":594,"context_line":""},{"line_number":595,"context_line":"#. 
All services must implement `Phase 1`_"},{"line_number":596,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"1d01a946_6f999dab","line":593,"range":{"start_line":589,"start_character":0,"end_line":593,"end_character":66},"updated":"2021-12-02 19:08:52.000000000","message":"one more comment from today call: This was confused with if it is to implement manager role keystone or adding it in keystone policy default. let\u0027s make it clear that its keystone policies will start adding manager in their defaults","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4ed8ee3f4df3827c6dc3f411dcb1d0a76d416661","unresolved":false,"context_lines":[{"line_number":586,"context_line":"Z-Release Timeline"},{"line_number":587,"context_line":"^^^^^^^^^^^^^^^^^^"},{"line_number":588,"context_line":""},{"line_number":589,"context_line":"#. Keystone implements `Phase 2`_ and the ``manager`` role"},{"line_number":590,"context_line":""},{"line_number":591,"context_line":"   Keystone starts implementing support for ``manager`` across project, domain,"},{"line_number":592,"context_line":"   and system scopes. Keystone has supported system-admin, system-member, and"},{"line_number":593,"context_line":"   system-reader since Train, which completes the `Phase 3`_ goals"},{"line_number":594,"context_line":""},{"line_number":595,"context_line":"#. 
All services must implement `Phase 1`_"},{"line_number":596,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"9acd7550_5138b654","line":593,"range":{"start_line":589,"start_character":0,"end_line":593,"end_character":66},"in_reply_to":"1d01a946_6f999dab","updated":"2021-12-02 19:38:26.000000000","message":"Done","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4ea39deeeb5dcdfb6cb4c77cc4860295ebc4caf4","unresolved":true,"context_lines":[{"line_number":599,"context_line":""},{"line_number":600,"context_line":"At this point, every OpenStack service will have completed `Phase 1`_, which"},{"line_number":601,"context_line":"allows operators to opt into using system-admin, project-admin,"},{"line_number":602,"context_line":"project-manager, project-member, and project-reader across their entire"},{"line_number":603,"context_line":"deployment."},{"line_number":604,"context_line":""},{"line_number":605,"context_line":"To summarize, operators will need to update every service configuration file"}],"source_content_type":"text/x-rst","patch_set":2,"id":"f676652e_7e9eaaed","line":602,"range":{"start_line":602,"start_character":0,"end_line":602,"end_character":16},"updated":"2021-12-02 19:08:52.000000000","message":"ditto","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4ed8ee3f4df3827c6dc3f411dcb1d0a76d416661","unresolved":false,"context_lines":[{"line_number":599,"context_line":""},{"line_number":600,"context_line":"At this point, every OpenStack service will have completed `Phase 1`_, which"},{"line_number":601,"context_line":"allows operators to opt into using system-admin, project-admin,"},{"line_number":602,"context_line":"project-manager, 
project-member, and project-reader across their entire"},{"line_number":603,"context_line":"deployment."},{"line_number":604,"context_line":""},{"line_number":605,"context_line":"To summarize, operators will need to update every service configuration file"}],"source_content_type":"text/x-rst","patch_set":2,"id":"6d23bc53_16300d62","line":602,"range":{"start_line":602,"start_character":0,"end_line":602,"end_character":16},"in_reply_to":"f676652e_7e9eaaed","updated":"2021-12-02 19:38:26.000000000","message":"Done","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"b3b57b9a417e4fb95bc415c803d08d3d386ae847","unresolved":true,"context_lines":[{"line_number":630,"context_line":""},{"line_number":631,"context_line":"#. Any service that implemented `Phase 1`_ in Yoga and enabled"},{"line_number":632,"context_line":"   ``enforce_scope`` in Z can removed deprecated policies used to implement"},{"line_number":633,"context_line":"   `Phase 1`_ and can start implementing `Phase 2`_"},{"line_number":634,"context_line":""},{"line_number":635,"context_line":"Operators consuming the AA release will have the personas delivered in `Phase"},{"line_number":636,"context_line":"1`_ available and enabled by default. 
This includes system-admin for all"}],"source_content_type":"text/x-rst","patch_set":2,"id":"641f9b89_d9aa9797","line":633,"range":{"start_line":633,"start_character":42,"end_line":633,"end_character":49},"updated":"2021-12-02 19:16:19.000000000","message":"I think this should be \"Phase 3\" (i.e., system-reader)?","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3ac5a9e944137266279060b02dcba9d10166296e","unresolved":true,"context_lines":[{"line_number":630,"context_line":""},{"line_number":631,"context_line":"#. Any service that implemented `Phase 1`_ in Yoga and enabled"},{"line_number":632,"context_line":"   ``enforce_scope`` in Z can removed deprecated policies used to implement"},{"line_number":633,"context_line":"   `Phase 1`_ and can start implementing `Phase 2`_"},{"line_number":634,"context_line":""},{"line_number":635,"context_line":"Operators consuming the AA release will have the personas delivered in `Phase"},{"line_number":636,"context_line":"1`_ available and enabled by default. 
This includes system-admin for all"}],"source_content_type":"text/x-rst","patch_set":2,"id":"cdbd92f1_decfd32d","line":633,"range":{"start_line":633,"start_character":42,"end_line":633,"end_character":49},"in_reply_to":"2670510a_1d1eefd8","updated":"2021-12-02 20:09:58.000000000","message":"portbinding is currently system admin so unless that is changed to project admin, having a project admin token in the nova neutron section won\u0027t help.\n\neven then nova will not be a member of the project the port belongs to, so unless we allow project admin tokens to access all projects we need the service role to enable cross project operations.\n\nthat is the gap i think we will have that will prevent enforcing scope until we have the service role unless we allow project admin to basically be global admin with regards to cross project operations.","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"0310c0d60cd03d60877725edf8adb05cfa33d326","unresolved":true,"context_lines":[{"line_number":630,"context_line":""},{"line_number":631,"context_line":"#. Any service that implemented `Phase 1`_ in Yoga and enabled"},{"line_number":632,"context_line":"   ``enforce_scope`` in Z can removed deprecated policies used to implement"},{"line_number":633,"context_line":"   `Phase 1`_ and can start implementing `Phase 2`_"},{"line_number":634,"context_line":""},{"line_number":635,"context_line":"Operators consuming the AA release will have the personas delivered in `Phase"},{"line_number":636,"context_line":"1`_ available and enabled by default. 
This includes system-admin for all"}],"source_content_type":"text/x-rst","patch_set":2,"id":"b1d3188a_c2a1db62","line":633,"range":{"start_line":633,"start_character":42,"end_line":633,"end_character":49},"in_reply_to":"423d2852_9637d6d2","updated":"2021-12-02 23:55:56.000000000","message":"yeah so for port going/currently to be system admin needs to be change to below with a further improvement when we have service role.\n\n#TODO: until service role is implemented, we allow this API to project admin\n# also and later we will change that to system-admin or project:service\ncheck_str\u003d\u0027role:admin\u0027\nscope_type\u003d[\u0027system\u0027, \u0027project\u0027]\n\nThis is same kind of things we are keeping for all project resource access to project admin for now and later to domain admin or so in phase2.","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"5eb02d8d6418bf38df6c55f0cfd1179c929f7f3b","unresolved":true,"context_lines":[{"line_number":630,"context_line":""},{"line_number":631,"context_line":"#. Any service that implemented `Phase 1`_ in Yoga and enabled"},{"line_number":632,"context_line":"   ``enforce_scope`` in Z can removed deprecated policies used to implement"},{"line_number":633,"context_line":"   `Phase 1`_ and can start implementing `Phase 2`_"},{"line_number":634,"context_line":""},{"line_number":635,"context_line":"Operators consuming the AA release will have the personas delivered in `Phase"},{"line_number":636,"context_line":"1`_ available and enabled by default. 
This includes system-admin for all"}],"source_content_type":"text/x-rst","patch_set":2,"id":"f0503b30_f865db44","line":633,"range":{"start_line":633,"start_character":42,"end_line":633,"end_character":49},"in_reply_to":"641f9b89_d9aa9797","updated":"2021-12-02 19:19:17.000000000","message":"I think phase2 is right. we want service roles to add before system reader in AA and system reader which is phase3 in BB @L649","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"d29c42eb9fe57d1575bd9c4682a1644a16eb0b00","unresolved":true,"context_lines":[{"line_number":630,"context_line":""},{"line_number":631,"context_line":"#. Any service that implemented `Phase 1`_ in Yoga and enabled"},{"line_number":632,"context_line":"   ``enforce_scope`` in Z can removed deprecated policies used to implement"},{"line_number":633,"context_line":"   `Phase 1`_ and can start implementing `Phase 2`_"},{"line_number":634,"context_line":""},{"line_number":635,"context_line":"Operators consuming the AA release will have the personas delivered in `Phase"},{"line_number":636,"context_line":"1`_ available and enabled by default. This includes system-admin for all"}],"source_content_type":"text/x-rst","patch_set":2,"id":"2670510a_1d1eefd8","line":633,"range":{"start_line":633,"start_character":42,"end_line":633,"end_character":49},"in_reply_to":"a3b6d454_b309516b","updated":"2021-12-02 19:41:47.000000000","message":"Why do we need that? I would expect that anything that works now will continue to work with service users that have project admin permissions.\n\nMaybe you\u0027re saying there could be some things that we make system:admin as part of the Z stuff, which are accessed by service users? 
If so, then I think those APIs have to be scopes\u003dproject,user and require either system:admin or project:service right?","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"9b892fa3a8d2e9a9f89a33eaf7955816d978b44d","unresolved":true,"context_lines":[{"line_number":630,"context_line":""},{"line_number":631,"context_line":"#. Any service that implemented `Phase 1`_ in Yoga and enabled"},{"line_number":632,"context_line":"   ``enforce_scope`` in Z can removed deprecated policies used to implement"},{"line_number":633,"context_line":"   `Phase 1`_ and can start implementing `Phase 2`_"},{"line_number":634,"context_line":""},{"line_number":635,"context_line":"Operators consuming the AA release will have the personas delivered in `Phase"},{"line_number":636,"context_line":"1`_ available and enabled by default. This includes system-admin for all"}],"source_content_type":"text/x-rst","patch_set":2,"id":"423d2852_9637d6d2","line":633,"range":{"start_line":633,"start_character":42,"end_line":633,"end_character":49},"in_reply_to":"cdbd92f1_decfd32d","updated":"2021-12-02 20:13:25.000000000","message":"by the way im assuming we will not have domain admin and keystone wont have exposed the root domain yet at this point.\n\nif keystone has exposed the root domain of all domains and we use a domain admin token in nova config then we would not need the service roles but project admin would not in general work since the nova config user would not be in the project the port belongs to.","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4ed8ee3f4df3827c6dc3f411dcb1d0a76d416661","unresolved":false,"context_lines":[{"line_number":630,"context_line":""},{"line_number":631,"context_line":"#. 
Any service that implemented `Phase 1`_ in Yoga and enabled"},{"line_number":632,"context_line":"   ``enforce_scope`` in Z can removed deprecated policies used to implement"},{"line_number":633,"context_line":"   `Phase 1`_ and can start implementing `Phase 2`_"},{"line_number":634,"context_line":""},{"line_number":635,"context_line":"Operators consuming the AA release will have the personas delivered in `Phase"},{"line_number":636,"context_line":"1`_ available and enabled by default. This includes system-admin for all"}],"source_content_type":"text/x-rst","patch_set":2,"id":"91968a36_ea312b3f","line":633,"range":{"start_line":633,"start_character":42,"end_line":633,"end_character":49},"in_reply_to":"f0503b30_f865db44","updated":"2021-12-02 19:38:26.000000000","message":"Done","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"a5ece25680a65a0654b9b41e52875a11c48c2e49","unresolved":true,"context_lines":[{"line_number":630,"context_line":""},{"line_number":631,"context_line":"#. Any service that implemented `Phase 1`_ in Yoga and enabled"},{"line_number":632,"context_line":"   ``enforce_scope`` in Z can removed deprecated policies used to implement"},{"line_number":633,"context_line":"   `Phase 1`_ and can start implementing `Phase 2`_"},{"line_number":634,"context_line":""},{"line_number":635,"context_line":"Operators consuming the AA release will have the personas delivered in `Phase"},{"line_number":636,"context_line":"1`_ available and enabled by default. 
This includes system-admin for all"}],"source_content_type":"text/x-rst","patch_set":2,"id":"a3b6d454_b309516b","line":633,"range":{"start_line":633,"start_character":42,"end_line":633,"end_character":49},"in_reply_to":"f0503b30_f865db44","updated":"2021-12-02 19:39:12.000000000","message":"we need the service role before we can enable the new scope enforcement in any project outside of keystone.\n\nso that really needs to be completed before z","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4ea39deeeb5dcdfb6cb4c77cc4860295ebc4caf4","unresolved":true,"context_lines":[{"line_number":635,"context_line":"Operators consuming the AA release will have the personas delivered in `Phase"},{"line_number":636,"context_line":"1`_ available and enabled by default. This includes system-admin for all"},{"line_number":637,"context_line":"system-level administrative APIs, project-admin for project-level"},{"line_number":638,"context_line":"administrative APIs, project-manager for elevated privileges safe for end users"},{"line_number":639,"context_line":"on a project, project-member for common end-user interactions, and"},{"line_number":640,"context_line":"project-reader for a read-only variant of project-member."},{"line_number":641,"context_line":""},{"line_number":642,"context_line":"BB-Release Timeline"}],"source_content_type":"text/x-rst","patch_set":2,"id":"a715a4d8_4ba38368","line":639,"range":{"start_line":638,"start_character":21,"end_line":639,"end_character":13},"updated":"2021-12-02 19:08:52.000000000","message":"ditto","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4ed8ee3f4df3827c6dc3f411dcb1d0a76d416661","unresolved":false,"context_lines":[{"line_number":635,"context_line":"Operators consuming the AA release will have the personas delivered in `Phase"},{"line_number":636,"context_line":"1`_ available and enabled by default. This includes system-admin for all"},{"line_number":637,"context_line":"system-level administrative APIs, project-admin for project-level"},{"line_number":638,"context_line":"administrative APIs, project-manager for elevated privileges safe for end users"},{"line_number":639,"context_line":"on a project, project-member for common end-user interactions, and"},{"line_number":640,"context_line":"project-reader for a read-only variant of project-member."},{"line_number":641,"context_line":""},{"line_number":642,"context_line":"BB-Release Timeline"}],"source_content_type":"text/x-rst","patch_set":2,"id":"58f2be3b_7affd462","line":639,"range":{"start_line":638,"start_character":21,"end_line":639,"end_character":13},"in_reply_to":"a715a4d8_4ba38368","updated":"2021-12-02 19:38:26.000000000","message":"Done","commit_id":"1259c96cfdcd0e75931172e9fa9dbddff8a156ed"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"397fd99ecfe1f3e09cbf1f5bff5165bc52bc70c9","unresolved":true,"context_lines":[{"line_number":149,"context_line":""},{"line_number":150,"context_line":"We have a set of OpenStack services that have adopted system-scope with the"},{"line_number":151,"context_line":"idea that it should be used on project-specific resources. 
Other services have"},{"line_number":152,"context_line":"yet to adopt the system-scope feature."},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"Currently, none of the policy work we\u0027ve done since Queens is widely usable by"},{"line_number":155,"context_line":"default since it\u0027s not applied consistently across services. The idea of this"}],"source_content_type":"text/x-rst","patch_set":3,"id":"6e95c970_793e4418","line":152,"updated":"2021-12-03 08:15:10.000000000","message":"my original comment on this is not addressed","commit_id":"cd80928a7e5996308a5fa37793f36c674f851e17"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fdec3f4643ab7b840d818eccdba5d0615362cb86","unresolved":false,"context_lines":[{"line_number":149,"context_line":""},{"line_number":150,"context_line":"We have a set of OpenStack services that have adopted system-scope with the"},{"line_number":151,"context_line":"idea that it should be used on project-specific resources. Other services have"},{"line_number":152,"context_line":"yet to adopt the system-scope feature."},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"Currently, none of the policy work we\u0027ve done since Queens is widely usable by"},{"line_number":155,"context_line":"default since it\u0027s not applied consistently across services. 
The idea of this"}],"source_content_type":"text/x-rst","patch_set":3,"id":"98e34e68_134f1ecf","line":152,"in_reply_to":"6e95c970_793e4418","updated":"2021-12-06 16:18:55.000000000","message":"Done","commit_id":"cd80928a7e5996308a5fa37793f36c674f851e17"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"397fd99ecfe1f3e09cbf1f5bff5165bc52bc70c9","unresolved":true,"context_lines":[{"line_number":571,"context_line":"   establish the expectation that mixing and matching scopes won\u0027t be supported"},{"line_number":572,"context_line":"   in future releases."},{"line_number":573,"context_line":""},{"line_number":574,"context_line":"At this point, operators must run keystone with ``enforce_scope\u003dTrue`` since"},{"line_number":575,"context_line":"the deprecated policies will be gone. They can also choose to run any service"},{"line_number":576,"context_line":"that\u0027s completed `Phase 1`_. 
This will require the operator to configure the"},{"line_number":577,"context_line":"service to use ``enforce_scope\u003dTrue`` and ``enforce_new_defaults\u003dTrue`` if they"}],"source_content_type":"text/x-rst","patch_set":3,"id":"540f4b3f_8dfeb897","line":574,"updated":"2021-12-03 08:15:10.000000000","message":"my original comment on this is not addressed","commit_id":"cd80928a7e5996308a5fa37793f36c674f851e17"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fdec3f4643ab7b840d818eccdba5d0615362cb86","unresolved":false,"context_lines":[{"line_number":571,"context_line":"   establish the expectation that mixing and matching scopes won\u0027t be supported"},{"line_number":572,"context_line":"   in future releases."},{"line_number":573,"context_line":""},{"line_number":574,"context_line":"At this point, operators must run keystone with ``enforce_scope\u003dTrue`` since"},{"line_number":575,"context_line":"the deprecated policies will be gone. They can also choose to run any service"},{"line_number":576,"context_line":"that\u0027s completed `Phase 1`_. This will require the operator to configure the"},{"line_number":577,"context_line":"service to use ``enforce_scope\u003dTrue`` and ``enforce_new_defaults\u003dTrue`` if they"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3beb5f09_16756b8b","line":574,"in_reply_to":"540f4b3f_8dfeb897","updated":"2021-12-06 16:18:55.000000000","message":"Done","commit_id":"cd80928a7e5996308a5fa37793f36c674f851e17"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"fee3f9f971f9277eeba4b25d66a372a07b6651b6","unresolved":true,"context_lines":[{"line_number":17,"context_line":"operate on different layers of the infrastructure. 
For example, OpenStack has"},{"line_number":18,"context_line":"APIs that manage compute hosts, services, endpoints, domains, physical"},{"line_number":19,"context_line":"networks, and storage pools. All of these resources require knowledge about the"},{"line_number":20,"context_line":"underlying hardware or deployment architecture and usage within a given"},{"line_number":21,"context_line":"organization. These APIs are clearly targeted at different users from APIs that"},{"line_number":22,"context_line":"expose resources, like instance, block storage devices, or virtual networks."},{"line_number":23,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"6dfc6a34_94ba87a7","line":20,"range":{"start_line":20,"start_character":20,"end_line":20,"end_character":23},"updated":"2021-12-06 18:55:49.000000000","message":"nit: feels wrong to have \"or\" in here, better use a comma","commit_id":"4d7898cf81c07e79db92f22ad4274e7c8414d6d2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a51600f7c7faae81618299bcce28d6e0d617ab04","unresolved":false,"context_lines":[{"line_number":17,"context_line":"operate on different layers of the infrastructure. For example, OpenStack has"},{"line_number":18,"context_line":"APIs that manage compute hosts, services, endpoints, domains, physical"},{"line_number":19,"context_line":"networks, and storage pools. All of these resources require knowledge about the"},{"line_number":20,"context_line":"underlying hardware or deployment architecture and usage within a given"},{"line_number":21,"context_line":"organization. 
These APIs are clearly targeted at different users from APIs that"},{"line_number":22,"context_line":"expose resources, like instance, block storage devices, or virtual networks."},{"line_number":23,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"a730714b_92d7aef0","line":20,"range":{"start_line":20,"start_character":20,"end_line":20,"end_character":23},"in_reply_to":"6dfc6a34_94ba87a7","updated":"2021-12-07 14:19:34.000000000","message":"Done","commit_id":"4d7898cf81c07e79db92f22ad4274e7c8414d6d2"}]}
