)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":17,"context_line":"   any other project role like foo will not be allowed to do anything"},{"line_number":18,"context_line":"   in the project."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"2. Postpone the scope implementation for later Some standalone services"},{"line_number":21,"context_line":"   like Ironic can still have the scope implementation as long as it does"},{"line_number":22,"context_line":"   not break any cross-service communication. Nova, Neutron, Keystone and"},{"line_number":23,"context_line":"   any other projects who have already implemented the scope in their policy"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"0564ff2d_e6ba3cb1","line":20,"range":{"start_line":20,"start_character":46,"end_line":20,"end_character":47},"updated":"2022-06-27 14:18:00.000000000","message":"Missing a period here I think.","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1470e7d773c81a738e646125232c3b0cb5585409","unresolved":false,"context_lines":[{"line_number":17,"context_line":"   any other project role like foo will not be allowed to do anything"},{"line_number":18,"context_line":"   in the project."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"2. Postpone the scope implementation for later Some standalone services"},{"line_number":21,"context_line":"   like Ironic can still have the scope implementation as long as it does"},{"line_number":22,"context_line":"   not break any cross-service communication. Nova, Neutron, Keystone and"},{"line_number":23,"context_line":"   any other projects who have already implemented the scope in their policy"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"42e0da58_b2231b2e","line":20,"range":{"start_line":20,"start_character":46,"end_line":20,"end_character":47},"in_reply_to":"0564ff2d_e6ba3cb1","updated":"2022-06-27 23:18:57.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"4a5be53b_ca69023a","updated":"2022-06-27 14:18:00.000000000","message":"Man, that\u0027s a lot of change. Thanks for doing this gmann!","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":20733,"name":"Rajesh Tailor","email":"ratailor@redhat.com","username":"rajesht"},"change_message_id":"4f719bb979a34e4ff0e8083b877bf125dfe01d80","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"f76dadc9_440f9091","updated":"2022-06-28 13:01:03.000000000","message":"some minor nits.","commit_id":"59419139b5cdbcdd5d5a30b8e941c6b1bebb2ad4"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"3ee9f7ef2b4ab18dc87ffb5e9767911ea121c2a1","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":5,"id":"812aaf91_7cad28ba","updated":"2022-06-29 17:39:05.000000000","message":"Most of this is great. Getting project reader working is all I really care about. But I have two reservations...\n\nMy main reservation is around Ironic. I am very confused on what the plan is with ironic from the current description, but it sounds like it\u0027s going to break my users.  If we keep global admin the same, my users will want to use that to list ironic nodes. Frequently we tweak policy so a role like baremetal_observer, in a project token, is able to list all baremetal nodes. Sure that is a system operation, but the user doesn\u0027t care about that, i.e. that detail should be hidden from them when using the CLI. Maybe if the scope check is optional, my case \"just works\", I don\u0027t know.\n\nSecondly, the project-manager looks like a distraction. I don\u0027t think the current list is useful for any of my customers. Once operators get the reader role, we can better discuss common policy tweaks that users want. I have a few ideas there, but I don\u0027t want to distract from project-reader being critical. IMHO, creating provider networks certainly should not be in a \"project admin\" role. But frankly, I don\u0027t really care, as I am free to not use that role.\n\nA third thing is a nit. You don\u0027t have a solution for the cloud auditor role here. But that is fine, who knows what that really means (I have ideas, but it isn\u0027t having project-reader in all projects in a domain, it needs to list all users and projects too, etc).\n\nShould we rename this to consistent-project-reader? \"secure-rbac\" always seemed a bit unclear in scope.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"9fb6e0f907776d4b953ff9bab0813e3018a11350","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"347d1161_faf72cad","updated":"2022-06-29 17:51:51.000000000","message":"Thanks for reviewing, John! Really good to have your eyes on this...","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"19a20ba193996e15ecfeef34adbdd8c9ec502aa6","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":5,"id":"bff974af_a5219a85","in_reply_to":"812aaf91_7cad28ba","updated":"2022-06-29 18:35:57.000000000","message":"Thanks a lot for your review.\n\nFor the first point, for Ironic, replied inline and will ping ironic people to discuss the use case.\n\nproject_manager is to solve the issue of mixed global admin and project level admin. I agree that project reader is the very first thing we should complete, and that is the plan. project manager is a phase 3 thing, meaning after we complete the project reader things.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"279c4f8ec3266959a7efb62906766a3cb976ab13","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"7d1cf2f4_38f4ae06","updated":"2022-06-29 20:55:53.000000000","message":"I added a few clear examples to highlight that project-member, project-reader, and project-manager accessible policy will be accessible for the \u0027admin\u0027 (legacy global admin) role too.\n\nJohn\u0027s question/concern about ironic is not resolved yet, so -W until then.","commit_id":"ca9c38cdfa9dba091ad903300fe49c0d822964a2"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"943b6a3b15fdbfec2e61b02b2e909ff362fb840e","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":6,"id":"36ac9bdd_54f6ddc7","updated":"2022-06-30 11:09:48.000000000","message":"Thank you for the extra context everyone. I think we all agree on the overall direction, and it\u0027s a good one.\n\nI have a possible suggestion to tweak the wording on the Ironic plan, so others that read this will not have the same confusion/concerns I had. I don\u0027t mind not making that change, it\u0027s more a nit at this point.","commit_id":"ca9c38cdfa9dba091ad903300fe49c0d822964a2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"69b88530e6a221432af6e8599049e3087f047dc4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"abef905b_cde5bf2b","updated":"2022-07-01 13:50:54.000000000","message":"A few more comments for clarity, but I think the content here is good. Thanks Gmann!","commit_id":"441f691afef949c22f8f449016d5ab2e9c6d3121"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"eb531ec2084f39289eef16208ec588f6257095d9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"82914836_7387006c","updated":"2022-07-07 16:07:54.000000000","message":"Added some more info about one of my questions.","commit_id":"9e07edac3aba4170716f7ad412595a3aaaec0273"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"8b5c3af4b88da170c44d5eba63c616bcc61ce5e1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"2148b94e_57db6a2c","updated":"2022-07-07 14:03:45.000000000","message":"I have a problem with the project-manager description; suggestion inline.","commit_id":"9e07edac3aba4170716f7ad412595a3aaaec0273"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"28e4e65b8575125cc8bc48a1eb45ca95383077ca","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"d436a521_927076f7","updated":"2022-07-08 16:20:14.000000000","message":"Looking good!  Caught a few more places where saying \u0027administrator\u0027 instead of \u0027management\u0027 could be confusing, but otherwise I think this is good.","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"267253a71999748a76e70900a29ca7397a92d03c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":12,"id":"2e67d7d9_bd8f799f","updated":"2022-07-08 17:36:13.000000000","message":"Typo noted inline; otherwise this looks good to me.","commit_id":"ef46aa20febcf8c2ac2a0d09d5b2155991aef886"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"957976e15ad8e5f1b7ec2bca83ca682e1c5379c4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"98f391b9_f549463f","updated":"2022-07-12 13:38:48.000000000","message":"Some grammar suggestions, but not worth a respin unless you change other things.","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"35617c11_89906724","updated":"2022-07-14 16:33:27.000000000","message":"Support this.  Just have wording/typo comments.  Thanks!","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":34107,"name":"Masaki Oyama","email":"ma-ooyama@kddi.com","username":"oyamamasaki"},"change_message_id":"8a66073cf00227c19e16f93cddd0c7cc159a14e4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"2f16b1e6_b750d353","updated":"2022-07-13 02:38:27.000000000","message":"Thank you for considering KDDI\u0027s opinions. Looks good to me.","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"58073f08d9988df549f12bef92e0e6c54248175d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"9847b412_309e63e9","updated":"2022-07-08 17:40:16.000000000","message":"Thanks for doing this major update, Ghanshyam.  LGTM!","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"c53bb6aeffbed065076098209d58132783a8cce7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":14,"id":"2ebcef21_435bc959","updated":"2022-07-21 08:44:18.000000000","message":"I just addressed Jay\u0027s and Dan\u0027s comments from the last PS.","commit_id":"1909d4f7a0dc2920fc04ab5bfac112a671547cee"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d3f11729eaf2e254d2eaf9d4ed5b9bd16940b06c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":14,"id":"d4efd97c_304815ff","updated":"2022-07-21 15:11:20.000000000","message":"revisions LGTM.","commit_id":"1909d4f7a0dc2920fc04ab5bfac112a671547cee"}],"goals/selected/consistent-and-secure-rbac.rst":[{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"ce414c38a15efb9fcf9a9abac77d24851a31d8bd","unresolved":true,"context_lines":[{"line_number":147,"context_line":""},{"line_number":148,"context_line":"In yoga cycle, we redefined this goal with the changes mentioned above so that"},{"line_number":149,"context_line":"allowing system administrators to access system level resources APIs only and"},{"line_number":150,"context_line":"allow project users to access project-level resoruces APIs. These changes have"},{"line_number":151,"context_line":"been done for nova and neutron."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"This was not the end of the RBAC design discussion. After knowing the operators"}],"source_content_type":"text/x-rst","patch_set":1,"id":"eb3e12a2_e600e35a","line":150,"range":{"start_line":150,"start_character":44,"end_line":150,"end_character":53},"updated":"2022-06-27 13:27:21.000000000","message":"nit: typo","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":147,"context_line":""},{"line_number":148,"context_line":"In yoga cycle, we redefined this goal with the changes mentioned above so that"},{"line_number":149,"context_line":"allowing system administrators to access system level resources APIs only and"},{"line_number":150,"context_line":"allow project users to access project-level resoruces APIs. These changes have"},{"line_number":151,"context_line":"been done for nova and neutron."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"This was not the end of the RBAC design discussion. After knowing the operators"}],"source_content_type":"text/x-rst","patch_set":1,"id":"0e7dd955_2e2295c0","line":150,"range":{"start_line":150,"start_character":44,"end_line":150,"end_character":53},"in_reply_to":"eb3e12a2_e600e35a","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":165,"context_line":""},{"line_number":166,"context_line":"   Heat \u0027create stack\u0027 API uses the user credentials (admin) to create project"},{"line_number":167,"context_line":"   and system-level resources in backend services. For example, it creates"},{"line_number":168,"context_line":"   project users in keystone (system level resource), flavor in nova (system"},{"line_number":169,"context_line":"   level resource), server in nova (project level resource), and network in neutron"},{"line_number":170,"context_line":"   (project level resource). If we enable the scope in services, then the user"},{"line_number":171,"context_line":"   calling heat \u0027create stack\u0027 APIs which are scoped to either project(existing"}],"source_content_type":"text/x-rst","patch_set":1,"id":"db95465b_d4a67808","line":168,"range":{"start_line":168,"start_character":54,"end_line":168,"end_character":60},"updated":"2022-06-27 14:18:00.000000000","message":"\"flavors\" to keep the tense consistent","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":165,"context_line":""},{"line_number":166,"context_line":"   Heat \u0027create stack\u0027 API uses the user credentials (admin) to create project"},{"line_number":167,"context_line":"   and system-level resources in backend services. For example, it creates"},{"line_number":168,"context_line":"   project users in keystone (system level resource), flavor in nova (system"},{"line_number":169,"context_line":"   level resource), server in nova (project level resource), and network in neutron"},{"line_number":170,"context_line":"   (project level resource). If we enable the scope in services, then the user"},{"line_number":171,"context_line":"   calling heat \u0027create stack\u0027 APIs which are scoped to either project(existing"}],"source_content_type":"text/x-rst","patch_set":1,"id":"a080a7a3_522ae735","line":168,"range":{"start_line":168,"start_character":54,"end_line":168,"end_character":60},"in_reply_to":"db95465b_d4a67808","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":166,"context_line":"   Heat \u0027create stack\u0027 API uses the user credentials (admin) to create project"},{"line_number":167,"context_line":"   and system-level resources in backend services. For example, it creates"},{"line_number":168,"context_line":"   project users in keystone (system level resource), flavor in nova (system"},{"line_number":169,"context_line":"   level resource), server in nova (project level resource), and network in neutron"},{"line_number":170,"context_line":"   (project level resource). If we enable the scope in services, then the user"},{"line_number":171,"context_line":"   calling heat \u0027create stack\u0027 APIs which are scoped to either project(existing"},{"line_number":172,"context_line":"   way) or system(if we change that) will not be able to call the system and"}],"source_content_type":"text/x-rst","patch_set":1,"id":"03a2676d_25b299a9","line":169,"range":{"start_line":169,"start_character":65,"end_line":169,"end_character":72},"updated":"2022-06-27 14:18:00.000000000","message":"\"networks\"","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":166,"context_line":"   Heat \u0027create stack\u0027 API uses the user credentials (admin) to create project"},{"line_number":167,"context_line":"   and system-level resources in backend services. For example, it creates"},{"line_number":168,"context_line":"   project users in keystone (system level resource), flavor in nova (system"},{"line_number":169,"context_line":"   level resource), server in nova (project level resource), and network in neutron"},{"line_number":170,"context_line":"   (project level resource). If we enable the scope in services, then the user"},{"line_number":171,"context_line":"   calling heat \u0027create stack\u0027 APIs which are scoped to either project(existing"},{"line_number":172,"context_line":"   way) or system(if we change that) will not be able to call the system and"}],"source_content_type":"text/x-rst","patch_set":1,"id":"6bae68cc_45a904f2","line":169,"range":{"start_line":169,"start_character":20,"end_line":169,"end_character":26},"updated":"2022-06-27 14:18:00.000000000","message":"\"servers\"","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":166,"context_line":"   Heat \u0027create stack\u0027 API uses the user credentials (admin) to create project"},{"line_number":167,"context_line":"   and system-level resources in backend services. For example, it creates"},{"line_number":168,"context_line":"   project users in keystone (system level resource), flavor in nova (system"},{"line_number":169,"context_line":"   level resource), server in nova (project level resource), and network in neutron"},{"line_number":170,"context_line":"   (project level resource). If we enable the scope in services, then the user"},{"line_number":171,"context_line":"   calling heat \u0027create stack\u0027 APIs which are scoped to either project(existing"},{"line_number":172,"context_line":"   way) or system(if we change that) will not be able to call the system and"}],"source_content_type":"text/x-rst","patch_set":1,"id":"050319d5_cfae5537","line":169,"range":{"start_line":169,"start_character":65,"end_line":169,"end_character":72},"in_reply_to":"03a2676d_25b299a9","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":166,"context_line":"   Heat \u0027create stack\u0027 API uses the user credentials (admin) to create project"},{"line_number":167,"context_line":"   and system-level resources in backend services. For example, it creates"},{"line_number":168,"context_line":"   project users in keystone (system level resource), flavor in nova (system"},{"line_number":169,"context_line":"   level resource), server in nova (project level resource), and network in neutron"},{"line_number":170,"context_line":"   (project level resource). If we enable the scope in services, then the user"},{"line_number":171,"context_line":"   calling heat \u0027create stack\u0027 APIs which are scoped to either project(existing"},{"line_number":172,"context_line":"   way) or system(if we change that) will not be able to call the system and"}],"source_content_type":"text/x-rst","patch_set":1,"id":"2254a2aa_d1341c98","line":169,"range":{"start_line":169,"start_character":20,"end_line":169,"end_character":26},"in_reply_to":"6bae68cc_45a904f2","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":168,"context_line":"   project users in keystone (system level resource), flavor in nova (system"},{"line_number":169,"context_line":"   level resource), server in nova (project level resource), and network in neutron"},{"line_number":170,"context_line":"   (project level resource). If we enable the scope in services, then the user"},{"line_number":171,"context_line":"   calling heat \u0027create stack\u0027 APIs which are scoped to either project(existing"},{"line_number":172,"context_line":"   way) or system(if we change that) will not be able to call the system and"},{"line_number":173,"context_line":"   project scoped APIs on the service side. We discussed the possible solutions"},{"line_number":174,"context_line":"   in `Zed PTG \u003chttps://etherpad.opendev.org/p/z-ptg-keystone#L44\u003e`_ ,"}],"source_content_type":"text/x-rst","patch_set":1,"id":"26055db7_5c2b39c8","line":171,"range":{"start_line":171,"start_character":63,"end_line":171,"end_character":70},"updated":"2022-06-27 14:18:00.000000000","message":"need a space after this","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":168,"context_line":"   project users in keystone (system level resource), flavor in nova (system"},{"line_number":169,"context_line":"   level resource), server in nova (project level resource), and network in neutron"},{"line_number":170,"context_line":"   (project level resource). If we enable the scope in services, then the user"},{"line_number":171,"context_line":"   calling heat \u0027create stack\u0027 APIs which are scoped to either project(existing"},{"line_number":172,"context_line":"   way) or system(if we change that) will not be able to call the system and"},{"line_number":173,"context_line":"   project scoped APIs on the service side. We discussed the possible solutions"},{"line_number":174,"context_line":"   in `Zed PTG \u003chttps://etherpad.opendev.org/p/z-ptg-keystone#L44\u003e`_ ,"}],"source_content_type":"text/x-rst","patch_set":1,"id":"34e127f3_903cecf6","line":171,"range":{"start_line":171,"start_character":63,"end_line":171,"end_character":70},"in_reply_to":"26055db7_5c2b39c8","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":169,"context_line":"   level resource), server in nova (project level resource), and network in neutron"},{"line_number":170,"context_line":"   (project level resource). If we enable the scope in services, then the user"},{"line_number":171,"context_line":"   calling heat \u0027create stack\u0027 APIs which are scoped to either project(existing"},{"line_number":172,"context_line":"   way) or system(if we change that) will not be able to call the system and"},{"line_number":173,"context_line":"   project scoped APIs on the service side. We discussed the possible solutions"},{"line_number":174,"context_line":"   in `Zed PTG \u003chttps://etherpad.opendev.org/p/z-ptg-keystone#L44\u003e`_ ,"},{"line_number":175,"context_line":"   `openstack-discuss ML"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1c698d02_db976d72","line":172,"range":{"start_line":172,"start_character":11,"end_line":172,"end_character":17},"updated":"2022-06-27 14:18:00.000000000","message":"here too","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":169,"context_line":"   level resource), server in nova (project level resource), and network in neutron"},{"line_number":170,"context_line":"   (project level resource). If we enable the scope in services, then the user"},{"line_number":171,"context_line":"   calling heat \u0027create stack\u0027 APIs which are scoped to either project(existing"},{"line_number":172,"context_line":"   way) or system(if we change that) will not be able to call the system and"},{"line_number":173,"context_line":"   project scoped APIs on the service side. We discussed the possible solutions"},{"line_number":174,"context_line":"   in `Zed PTG \u003chttps://etherpad.opendev.org/p/z-ptg-keystone#L44\u003e`_ ,"},{"line_number":175,"context_line":"   `openstack-discuss ML"}],"source_content_type":"text/x-rst","patch_set":1,"id":"f3ffcb43_b4534d82","line":172,"range":{"start_line":172,"start_character":11,"end_line":172,"end_character":17},"in_reply_to":"1c698d02_db976d72","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":177,"context_line":"   and `in policy popup meetings \u003chttps://etherpad.opendev.org/p/rbac-zed-ptg#L99\u003e`_"},{"line_number":178,"context_line":"   but none of those are best suited and end up breaking the existing stack."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"   Scope enable also break Tacker (NFV Orchestration service) deployment as it"},{"line_number":181,"context_line":"   uses heat \u0027create stack\u0027 to build OpenStack infrastructure."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"#. `Operator feedbacks \u003chttps://etherpad.opendev.org/p/rbac-operator-feedback\u003e`_ on"}],"source_content_type":"text/x-rst","patch_set":1,"id":"83c07d6c_514f4281","line":180,"range":{"start_line":180,"start_character":3,"end_line":180,"end_character":26},"updated":"2022-06-27 14:18:00.000000000","message":"\"Enabling scope checking also breaks\"","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":177,"context_line":"   and `in policy popup meetings \u003chttps://etherpad.opendev.org/p/rbac-zed-ptg#L99\u003e`_"},{"line_number":178,"context_line":"   but none of those are best suited and end up breaking the existing stack."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"   Scope enable also break Tacker (NFV Orchestration service) deployment as it"},{"line_number":181,"context_line":"   uses heat \u0027create stack\u0027 to build OpenStack infrastructure."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"#. `Operator feedbacks \u003chttps://etherpad.opendev.org/p/rbac-operator-feedback\u003e`_ on"}],"source_content_type":"text/x-rst","patch_set":1,"id":"92cbc725_087f2f56","line":180,"range":{"start_line":180,"start_character":3,"end_line":180,"end_character":26},"in_reply_to":"83c07d6c_514f4281","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":191,"context_line":"   `scope` things are difficult to understand for most of the operators. It will"},{"line_number":192,"context_line":"   break their use case of \u0027accessing everything with a single token\u0027. \u0027Admin\u0027"},{"line_number":193,"context_line":"   is already a confusing concept for many of them and `admin` with `scope`"},{"line_number":194,"context_line":"   combination make it more confusing. The operator recommends postponing the `scope`"},{"line_number":195,"context_line":"   implementation to be able to land the project persona first."},{"line_number":196,"context_line":""},{"line_number":197,"context_line":"   `KDDI, japanese telco company \u003chttps://etherpad.opendev.org/p/rbac-operator-feedback#L88\u003e`_"}],"source_content_type":"text/x-rst","patch_set":1,"id":"fb43c237_41d9f178","line":194,"range":{"start_line":194,"start_character":43,"end_line":194,"end_character":62},"updated":"2022-06-27 14:18:00.000000000","message":"\"operators recommended\".\n\nHowever, I think this would be more accurate:\n\n\"The operators agreed with postponing\"","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":191,"context_line":"   `scope` things are difficult to understand for most of the operators. It will"},{"line_number":192,"context_line":"   break their use case of \u0027accessing everything with a single token\u0027. \u0027Admin\u0027"},{"line_number":193,"context_line":"   is already a confusing concept for many of them and `admin` with `scope`"},{"line_number":194,"context_line":"   combination make it more confusing. The operator recommends postponing the `scope`"},{"line_number":195,"context_line":"   implementation to be able to land the project persona first."},{"line_number":196,"context_line":""},{"line_number":197,"context_line":"   `KDDI, japanese telco company \u003chttps://etherpad.opendev.org/p/rbac-operator-feedback#L88\u003e`_"}],"source_content_type":"text/x-rst","patch_set":1,"id":"59271879_296a0dfc","line":194,"range":{"start_line":194,"start_character":43,"end_line":194,"end_character":62},"in_reply_to":"fb43c237_41d9f178","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":208,"context_line":"That is the way forward to at least implement the project personas which is asked by"},{"line_number":209,"context_line":"many operators. Basically, define the below scope for this goal:"},{"line_number":210,"context_line":""},{"line_number":211,"context_line":"* Implement project persona first."},{"line_number":212,"context_line":"  This is to introduce the `member` and `reader` roles to operate things within their project."},{"line_number":213,"context_line":"  By default, any other project role like `foo` will not be allowed to do anything in"},{"line_number":214,"context_line":"  the project."}],"source_content_type":"text/x-rst","patch_set":1,"id":"52852966_649bbc84","line":211,"range":{"start_line":211,"start_character":2,"end_line":211,"end_character":33},"updated":"2022-06-27 14:18:00.000000000","message":"This is largely already done for a number of projects, so maybe we could change this to \"Deliver\"? Or maybe \"Finish delivering project personas\"?","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":208,"context_line":"That is the way forward to at least implement the project personas which is asked by"},{"line_number":209,"context_line":"many operators. Basically, define the below scope for this goal:"},{"line_number":210,"context_line":""},{"line_number":211,"context_line":"* Implement project persona first."},{"line_number":212,"context_line":"  This is to introduce the `member` and `reader` roles to operate things within their project."},{"line_number":213,"context_line":"  By default, any other project role like `foo` will not be allowed to do anything in"},{"line_number":214,"context_line":"  the project."}],"source_content_type":"text/x-rst","patch_set":1,"id":"df79b8cc_1490bf94","line":211,"range":{"start_line":211,"start_character":2,"end_line":211,"end_character":33},"in_reply_to":"52852966_649bbc84","updated":"2022-06-27 19:37:51.000000000","message":"+1, that is better.","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"ce414c38a15efb9fcf9a9abac77d24851a31d8bd","unresolved":true,"context_lines":[{"line_number":217,"context_line":"  Some standalone services like Ironic can still have the `scope` implementation as"},{"line_number":218,"context_line":"  long as it does not break any cross-service communication. 
Nova, Neutron, Keystone"},{"line_number":219,"context_line":"  and any other projects who have already implemented the `scope` in their policy"},{"line_number":220,"context_line":"  default need to drop that."},{"line_number":221,"context_line":""},{"line_number":222,"context_line":"So, where do we go from here?"},{"line_number":223,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"c9d74188_4098af0d","line":220,"updated":"2022-06-27 13:27:21.000000000","message":"so do we need to remove \"scope_types\" from all the default policies?\nIsn\u0027t it enough to not enable \"enforce_scope\" config option?","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":true,"context_lines":[{"line_number":217,"context_line":"  Some standalone services like Ironic can still have the `scope` implementation as"},{"line_number":218,"context_line":"  long as it does not break any cross-service communication. Nova, Neutron, Keystone"},{"line_number":219,"context_line":"  and any other projects who have already implemented the `scope` in their policy"},{"line_number":220,"context_line":"  default need to drop that."},{"line_number":221,"context_line":""},{"line_number":222,"context_line":"So, where do we go from here?"},{"line_number":223,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"ca821673_5a3f1d8e","line":220,"in_reply_to":"252d43c4_92127450","updated":"2022-06-27 19:37:51.000000000","message":"we can disable enforce_scope per project also by default but keeping \u0027scope_type\u0027 in policy will be more confusing. 
We have this feature implementation in code but this cannot be used (due to various reasons/challenges we are postponing it).\n\nAnd another point is this will be a bad/unstable interface/configuration to the operator, for example, if by mistake enforce_scope is enabled then things will be broken for their users. It is better to avoid such configuration.","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1fe4daaa45904d06cd20c31bc4160612155ef258","unresolved":false,"context_lines":[{"line_number":217,"context_line":"  Some standalone services like Ironic can still have the `scope` implementation as"},{"line_number":218,"context_line":"  long as it does not break any cross-service communication. Nova, Neutron, Keystone"},{"line_number":219,"context_line":"  and any other projects who have already implemented the `scope` in their policy"},{"line_number":220,"context_line":"  default need to drop that."},{"line_number":221,"context_line":""},{"line_number":222,"context_line":"So, where do we go from here?"},{"line_number":223,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"2cfed87d_6c6b62ae","line":220,"in_reply_to":"83e533a3_1e64995b","updated":"2022-07-01 15:34:12.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dc24c33a74e284357651e52d9e0d477287b7b98d","unresolved":true,"context_lines":[{"line_number":217,"context_line":"  Some standalone services like Ironic can still have the `scope` implementation as"},{"line_number":218,"context_line":"  long as it does not break any cross-service communication. 
Nova, Neutron, Keystone"},{"line_number":219,"context_line":"  and any other projects who have already implemented the `scope` in their policy"},{"line_number":220,"context_line":"  default need to drop that."},{"line_number":221,"context_line":""},{"line_number":222,"context_line":"So, where do we go from here?"},{"line_number":223,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"83e533a3_1e64995b","line":220,"in_reply_to":"8adf1b03_d7cbeeb0","updated":"2022-06-28 18:40:17.000000000","message":"please hold, we discussed it in IRC today and thought of keeping the scope_type but make every policy to project scoped so that anyone using system scoped token (which does not have project_id) can be failed on scope check with 403- https://meetings.opendev.org/irclogs/%23openstack-tc/%23openstack-tc.2022-06-28.log.html#t2022-06-28T14:19:28","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":217,"context_line":"  Some standalone services like Ironic can still have the `scope` implementation as"},{"line_number":218,"context_line":"  long as it does not break any cross-service communication. 
Nova, Neutron, Keystone"},{"line_number":219,"context_line":"  and any other projects who have already implemented the `scope` in their policy"},{"line_number":220,"context_line":"  default need to drop that."},{"line_number":221,"context_line":""},{"line_number":222,"context_line":"So, where do we go from here?"},{"line_number":223,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"252d43c4_92127450","line":220,"in_reply_to":"c9d74188_4098af0d","updated":"2022-06-27 14:18:00.000000000","message":"Yes technically, but I think enforce_scope comes from oslo.policy, so we can\u0027t disable it per-project right?","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"9c5fc6389f9020e0da965d83ffebc3057e634fc5","unresolved":true,"context_lines":[{"line_number":217,"context_line":"  Some standalone services like Ironic can still have the `scope` implementation as"},{"line_number":218,"context_line":"  long as it does not break any cross-service communication. Nova, Neutron, Keystone"},{"line_number":219,"context_line":"  and any other projects who have already implemented the `scope` in their policy"},{"line_number":220,"context_line":"  default need to drop that."},{"line_number":221,"context_line":""},{"line_number":222,"context_line":"So, where do we go from here?"},{"line_number":223,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"8adf1b03_d7cbeeb0","line":220,"in_reply_to":"ca821673_5a3f1d8e","updated":"2022-06-28 09:14:00.000000000","message":"ok, I can remove it from the code. 
I just wanted to be sure that we will need to do that :)","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"ce414c38a15efb9fcf9a9abac77d24851a31d8bd","unresolved":true,"context_lines":[{"line_number":237,"context_line":"on a timeline for future improvements, and at least deliver something useful to"},{"line_number":238,"context_line":"operators sooner rather than later. At least we have a clear understanding on"},{"line_number":239,"context_line":"project persona from developer as well from operator side and if we again delay"},{"line_number":240,"context_line":"implementating it, there is high possiblity that developers invovle in this work"},{"line_number":241,"context_line":"will loose the motivation and we will never ship the usable project persona in"},{"line_number":242,"context_line":"OpenStack RBAC. Let\u0027s accept all the challanges we have with `scope` concept and"},{"line_number":243,"context_line":"ready to revert the `scope` implemented even that is already implemented in your"}],"source_content_type":"text/x-rst","patch_set":1,"id":"90adf540_0bd48a1b","line":240,"range":{"start_line":240,"start_character":60,"end_line":240,"end_character":67},"updated":"2022-06-27 13:27:21.000000000","message":"nit: typo","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":237,"context_line":"on a timeline for future improvements, and at least deliver something useful to"},{"line_number":238,"context_line":"operators sooner rather than later. 
At least we have a clear understanding on"},{"line_number":239,"context_line":"project persona from developer as well from operator side and if we again delay"},{"line_number":240,"context_line":"implementating it, there is high possiblity that developers invovle in this work"},{"line_number":241,"context_line":"will loose the motivation and we will never ship the usable project persona in"},{"line_number":242,"context_line":"OpenStack RBAC. Let\u0027s accept all the challanges we have with `scope` concept and"},{"line_number":243,"context_line":"ready to revert the `scope` implemented even that is already implemented in your"}],"source_content_type":"text/x-rst","patch_set":1,"id":"f459312b_29e25a24","line":240,"range":{"start_line":240,"start_character":60,"end_line":240,"end_character":67},"in_reply_to":"90adf540_0bd48a1b","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":257,"context_line":"`project-member`:"},{"line_number":258,"context_line":"~~~~~~~~~~~~~~~~~"},{"line_number":259,"context_line":""},{"line_number":260,"context_line":"`project-member` is denoted by someone with the ``member`` role on a project and"},{"line_number":261,"context_line":"operate within the own project. 
It is intended to be used by end users who"},{"line_number":262,"context_line":"consume resources within a project."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"`project-member` persona in the policy check string:"}],"source_content_type":"text/x-rst","patch_set":1,"id":"be35d4ee_6237ae8e","line":261,"range":{"start_line":260,"start_character":77,"end_line":261,"end_character":30},"updated":"2022-06-27 14:18:00.000000000","message":"I think you can remove \"and operate within the own project.\" I don\u0027t think it adds anything or sounds right (nor do I think removing it creates any gap in the explanation).","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":257,"context_line":"`project-member`:"},{"line_number":258,"context_line":"~~~~~~~~~~~~~~~~~"},{"line_number":259,"context_line":""},{"line_number":260,"context_line":"`project-member` is denoted by someone with the ``member`` role on a project and"},{"line_number":261,"context_line":"operate within the own project. 
It is intended to be used by end users who"},{"line_number":262,"context_line":"consume resources within a project."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"`project-member` persona in the policy check string:"}],"source_content_type":"text/x-rst","patch_set":1,"id":"8ece5c36_00dde601","line":261,"range":{"start_line":260,"start_character":77,"end_line":261,"end_character":30},"in_reply_to":"be35d4ee_6237ae8e","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":261,"context_line":"operate within the own project. It is intended to be used by end users who"},{"line_number":262,"context_line":"consume resources within a project."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"`project-member` persona in the policy check string:"},{"line_number":265,"context_line":""},{"line_number":266,"context_line":".. code-block:: python"},{"line_number":267,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"6c4b6fd2_9ddc4c17","line":264,"updated":"2022-06-27 14:18:00.000000000","message":"Might be best to put this after reader and also say \"inherits all the permissions of a reader\" ?","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":261,"context_line":"operate within the own project. 
It is intended to be used by end users who"},{"line_number":262,"context_line":"consume resources within a project."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"`project-member` persona in the policy check string:"},{"line_number":265,"context_line":""},{"line_number":266,"context_line":".. code-block:: python"},{"line_number":267,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"a4eae0db_7beaec83","line":264,"in_reply_to":"6c4b6fd2_9ddc4c17","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":271,"context_line":"        description\u003d\"Default rule for Project level non admin APIs.\""},{"line_number":272,"context_line":"    )"},{"line_number":273,"context_line":""},{"line_number":274,"context_line":"    Using it in policy rule:"},{"line_number":275,"context_line":""},{"line_number":276,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":277,"context_line":"        name\u003d\u0027os_compute_api:servers:create\u0027,"}],"source_content_type":"text/x-rst","patch_set":1,"id":"074df81b_9fd5f611","line":274,"updated":"2022-06-27 14:18:00.000000000","message":"Should this be outside the code-block?","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":271,"context_line":"        description\u003d\"Default rule for Project level non admin APIs.\""},{"line_number":272,"context_line":"    )"},{"line_number":273,"context_line":""},{"line_number":274,"context_line":"    Using it in 
policy rule:"},{"line_number":275,"context_line":""},{"line_number":276,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":277,"context_line":"        name\u003d\u0027os_compute_api:servers:create\u0027,"}],"source_content_type":"text/x-rst","patch_set":1,"id":"b7a3a281_f2bc19e1","line":274,"in_reply_to":"074df81b_9fd5f611","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":285,"context_line":"        ],"},{"line_number":286,"context_line":"    )"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":"    OR"},{"line_number":289,"context_line":""},{"line_number":290,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":291,"context_line":"        name\u003d\u0027os_compute_api:servers:create\u0027,"}],"source_content_type":"text/x-rst","patch_set":1,"id":"645bd6d0_a00a8cd0","line":288,"updated":"2022-06-27 14:18:00.000000000","message":"ditto","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":285,"context_line":"        ],"},{"line_number":286,"context_line":"    )"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":"    OR"},{"line_number":289,"context_line":""},{"line_number":290,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":291,"context_line":"        name\u003d\u0027os_compute_api:servers:create\u0027,"}],"source_content_type":"text/x-rst","patch_set":1,"id":"60b1d83f_b0cfed2b","line":288,"in_reply_to":"645bd6d0_a00a8cd0","updated":"2022-06-27 
19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":355,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":356,"context_line":""},{"line_number":357,"context_line":"During the operator feedback, it is clear that we need to keep the legacy admin"},{"line_number":358,"context_line":"keep working as it is currently working. We will not do any change in legacy"},{"line_number":359,"context_line":"admin working and access information. In `Phase 2`_, we will introduce the"},{"line_number":360,"context_line":"`project manager` persona who will be able to do the more privileged operation"},{"line_number":361,"context_line":"within the project than `project member`. More details in `Phase 2`_ section."}],"source_content_type":"text/x-rst","patch_set":1,"id":"6c5d2b00_9f927ff8","line":358,"updated":"2022-06-27 14:18:00.000000000","message":"\"make\"","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":355,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":356,"context_line":""},{"line_number":357,"context_line":"During the operator feedback, it is clear that we need to keep the legacy admin"},{"line_number":358,"context_line":"keep working as it is currently working. We will not do any change in legacy"},{"line_number":359,"context_line":"admin working and access information. 
In `Phase 2`_, we will introduce the"},{"line_number":360,"context_line":"`project manager` persona who will be able to do the more privileged operation"},{"line_number":361,"context_line":"within the project than `project member`. More details in `Phase 2`_ section."}],"source_content_type":"text/x-rst","patch_set":1,"id":"b5e668fb_f7b54cbd","line":358,"range":{"start_line":358,"start_character":0,"end_line":358,"end_character":4},"updated":"2022-06-27 14:18:00.000000000","message":"s/keep//","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":355,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":356,"context_line":""},{"line_number":357,"context_line":"During the operator feedback, it is clear that we need to keep the legacy admin"},{"line_number":358,"context_line":"keep working as it is currently working. We will not do any change in legacy"},{"line_number":359,"context_line":"admin working and access information. In `Phase 2`_, we will introduce the"},{"line_number":360,"context_line":"`project manager` persona who will be able to do the more privileged operation"},{"line_number":361,"context_line":"within the project than `project member`. 
More details in `Phase 2`_ section."}],"source_content_type":"text/x-rst","patch_set":1,"id":"a1b66cc8_e083d59b","line":358,"range":{"start_line":358,"start_character":31,"end_line":358,"end_character":39},"updated":"2022-06-27 14:18:00.000000000","message":"s/working//","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":355,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":356,"context_line":""},{"line_number":357,"context_line":"During the operator feedback, it is clear that we need to keep the legacy admin"},{"line_number":358,"context_line":"keep working as it is currently working. We will not do any change in legacy"},{"line_number":359,"context_line":"admin working and access information. In `Phase 2`_, we will introduce the"},{"line_number":360,"context_line":"`project manager` persona who will be able to do the more privileged operation"},{"line_number":361,"context_line":"within the project than `project member`. 
More details in `Phase 2`_ section."}],"source_content_type":"text/x-rst","patch_set":1,"id":"cf4607aa_fbb57981","line":358,"in_reply_to":"6c5d2b00_9f927ff8","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":355,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":356,"context_line":""},{"line_number":357,"context_line":"During the operator feedback, it is clear that we need to keep the legacy admin"},{"line_number":358,"context_line":"keep working as it is currently working. We will not do any change in legacy"},{"line_number":359,"context_line":"admin working and access information. In `Phase 2`_, we will introduce the"},{"line_number":360,"context_line":"`project manager` persona who will be able to do the more privileged operation"},{"line_number":361,"context_line":"within the project than `project member`. 
More details in `Phase 2`_ section."}],"source_content_type":"text/x-rst","patch_set":1,"id":"25b6aef1_c2d3884d","line":358,"range":{"start_line":358,"start_character":31,"end_line":358,"end_character":39},"in_reply_to":"a1b66cc8_e083d59b","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":355,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":356,"context_line":""},{"line_number":357,"context_line":"During the operator feedback, it is clear that we need to keep the legacy admin"},{"line_number":358,"context_line":"keep working as it is currently working. We will not do any change in legacy"},{"line_number":359,"context_line":"admin working and access information. In `Phase 2`_, we will introduce the"},{"line_number":360,"context_line":"`project manager` persona who will be able to do the more privileged operation"},{"line_number":361,"context_line":"within the project than `project member`. 
More details in `Phase 2`_ section."}],"source_content_type":"text/x-rst","patch_set":1,"id":"3601c77a_b0a92622","line":358,"range":{"start_line":358,"start_character":0,"end_line":358,"end_character":4},"in_reply_to":"b5e668fb_f7b54cbd","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":356,"context_line":""},{"line_number":357,"context_line":"During the operator feedback, it is clear that we need to keep the legacy admin"},{"line_number":358,"context_line":"keep working as it is currently working. We will not do any change in legacy"},{"line_number":359,"context_line":"admin working and access information. In `Phase 2`_, we will introduce the"},{"line_number":360,"context_line":"`project manager` persona who will be able to do the more privileged operation"},{"line_number":361,"context_line":"within the project than `project member`. More details in `Phase 2`_ section."},{"line_number":362,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"235098aa_5f3b7048","line":359,"range":{"start_line":359,"start_character":6,"end_line":359,"end_character":13},"updated":"2022-06-27 14:18:00.000000000","message":"\"behavior\"","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":356,"context_line":""},{"line_number":357,"context_line":"During the operator feedback, it is clear that we need to keep the legacy admin"},{"line_number":358,"context_line":"keep working as it is currently working. 
We will not do any change in legacy"},{"line_number":359,"context_line":"admin working and access information. In `Phase 2`_, we will introduce the"},{"line_number":360,"context_line":"`project manager` persona who will be able to do the more privileged operation"},{"line_number":361,"context_line":"within the project than `project member`. More details in `Phase 2`_ section."},{"line_number":362,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"999d10af_9bd763b9","line":359,"range":{"start_line":359,"start_character":6,"end_line":359,"end_character":13},"in_reply_to":"235098aa_5f3b7048","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"ce414c38a15efb9fcf9a9abac77d24851a31d8bd","unresolved":true,"context_lines":[{"line_number":358,"context_line":"keep working as it is currently working. We will not do any change in legacy"},{"line_number":359,"context_line":"admin working and access information. In `Phase 2`_, we will introduce the"},{"line_number":360,"context_line":"`project manager` persona who will be able to do the more privileged operation"},{"line_number":361,"context_line":"within the project than `project member`. More details in `Phase 2`_ section."},{"line_number":362,"context_line":""},{"line_number":363,"context_line":".. 
code-block:: python"},{"line_number":364,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"610cc860_314bbedc","line":361,"updated":"2022-06-27 13:27:21.000000000","message":"should we keep \"project_admin\" role then or rename it to \"admin\" and keep it like that?","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f15defde7b230722b4e11872c90dce1c727e8604","unresolved":false,"context_lines":[{"line_number":358,"context_line":"keep working as it is currently working. We will not do any change in legacy"},{"line_number":359,"context_line":"admin working and access information. In `Phase 2`_, we will introduce the"},{"line_number":360,"context_line":"`project manager` persona who will be able to do the more privileged operation"},{"line_number":361,"context_line":"within the project than `project member`. More details in `Phase 2`_ section."},{"line_number":362,"context_line":""},{"line_number":363,"context_line":".. code-block:: python"},{"line_number":364,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"558f92e0_07b56048","line":361,"in_reply_to":"241f46d8_b97cf270","updated":"2022-07-06 16:29:00.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"5d8a48d0c7c3dd86696b575b8297d42729447488","unresolved":true,"context_lines":[{"line_number":358,"context_line":"keep working as it is currently working. We will not do any change in legacy"},{"line_number":359,"context_line":"admin working and access information. 
In `Phase 2`_, we will introduce the"},{"line_number":360,"context_line":"`project manager` persona who will be able to do the more privileged operation"},{"line_number":361,"context_line":"within the project than `project member`. More details in `Phase 2`_ section."},{"line_number":362,"context_line":""},{"line_number":363,"context_line":".. code-block:: python"},{"line_number":364,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"241f46d8_b97cf270","line":361,"in_reply_to":"4a8f68fc_3ac81fa9","updated":"2022-07-04 15:07:53.000000000","message":"ok, sounds good for me","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":true,"context_lines":[{"line_number":358,"context_line":"keep working as it is currently working. We will not do any change in legacy"},{"line_number":359,"context_line":"admin working and access information. In `Phase 2`_, we will introduce the"},{"line_number":360,"context_line":"`project manager` persona who will be able to do the more privileged operation"},{"line_number":361,"context_line":"within the project than `project member`. More details in `Phase 2`_ section."},{"line_number":362,"context_line":""},{"line_number":363,"context_line":".. 
code-block:: python"},{"line_number":364,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"4a8f68fc_3ac81fa9","line":361,"in_reply_to":"610cc860_314bbedc","updated":"2022-06-27 19:37:51.000000000","message":"we will rename \"project_admin\" and make it just admin (what we had in legacy policy before \u0027scope_type\u0027).\n\nAt the end it will looks like:\n\n- \u0027admin\u0027 this is nothing else legacy admin we have in our legacy policy\n- replace \u0027admin\u0027 in projects resources operation with \u0027project manager\u0027(which is explained in \u0027phase 2\u0027) but keep \u0027admin\u0027 role permission for system level operation as well as for project level resources.","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":390,"context_line":"Listing project resources across the deployment"},{"line_number":391,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":392,"context_line":""},{"line_number":393,"context_line":"As we are keeping the legcy `admin` same as it is currently, legacy admin (means"},{"line_number":394,"context_line":"anyone with the ``admin`` role on a project) continue to list all resources across"},{"line_number":395,"context_line":"the deployment (for applicable APIs only.) 
The following is an example of what a"},{"line_number":396,"context_line":"policy would look like using this approach:"}],"source_content_type":"text/x-rst","patch_set":1,"id":"2b0270a6_8549250f","line":393,"range":{"start_line":393,"start_character":75,"end_line":393,"end_character":80},"updated":"2022-06-27 14:18:00.000000000","message":"\"meaning\"","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":390,"context_line":"Listing project resources across the deployment"},{"line_number":391,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":392,"context_line":""},{"line_number":393,"context_line":"As we are keeping the legcy `admin` same as it is currently, legacy admin (means"},{"line_number":394,"context_line":"anyone with the ``admin`` role on a project) continue to list all resources across"},{"line_number":395,"context_line":"the deployment (for applicable APIs only.) 
The following is an example of what a"},{"line_number":396,"context_line":"policy would look like using this approach:"}],"source_content_type":"text/x-rst","patch_set":1,"id":"b06e5b10_72c1cff0","line":393,"range":{"start_line":393,"start_character":75,"end_line":393,"end_character":80},"in_reply_to":"2b0270a6_8549250f","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":391,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":392,"context_line":""},{"line_number":393,"context_line":"As we are keeping the legcy `admin` same as it is currently, legacy admin (means"},{"line_number":394,"context_line":"anyone with the ``admin`` role on a project) continue to list all resources across"},{"line_number":395,"context_line":"the deployment (for applicable APIs only.) 
The following is an example of what a"},{"line_number":396,"context_line":"policy would look like using this approach:"},{"line_number":397,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"ce55871a_5847186b","line":394,"range":{"start_line":394,"start_character":45,"end_line":394,"end_character":53},"updated":"2022-06-27 14:18:00.000000000","message":"\"will continue to be able to list...\"","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":391,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":392,"context_line":""},{"line_number":393,"context_line":"As we are keeping the legcy `admin` same as it is currently, legacy admin (means"},{"line_number":394,"context_line":"anyone with the ``admin`` role on a project) continue to list all resources across"},{"line_number":395,"context_line":"the deployment (for applicable APIs only.) 
The following is an example of what a"},{"line_number":396,"context_line":"policy would look like using this approach:"},{"line_number":397,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"66861de2_6f5ff1ca","line":394,"range":{"start_line":394,"start_character":45,"end_line":394,"end_character":53},"in_reply_to":"ce55871a_5847186b","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":439,"context_line":"   - *Create, delete, or update an instance*"},{"line_number":440,"context_line":"   - *Create, delete, or update a volume*"},{"line_number":441,"context_line":"   - *Create, delete, or update a network*"},{"line_number":442,"context_line":"   - *Can get or list the instance from its own project*"},{"line_number":443,"context_line":"   - *Cannot create, delete, or delete the instance, volume, or network of"},{"line_number":444,"context_line":"     other project*"},{"line_number":445,"context_line":"   - *Cannot get or list instances, volumes, or networks of other project*"}],"source_content_type":"text/x-rst","patch_set":1,"id":"00538b9f_f286a71a","line":442,"range":{"start_line":442,"start_character":26,"end_line":442,"end_character":34},"updated":"2022-06-27 14:18:00.000000000","message":"instances","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":439,"context_line":"   - *Create, delete, or update an instance*"},{"line_number":440,"context_line":"   - *Create, delete, or update a 
volume*"},{"line_number":441,"context_line":"   - *Create, delete, or update a network*"},{"line_number":442,"context_line":"   - *Can get or list the instance from its own project*"},{"line_number":443,"context_line":"   - *Cannot create, delete, or delete the instance, volume, or network of"},{"line_number":444,"context_line":"     other project*"},{"line_number":445,"context_line":"   - *Cannot get or list instances, volumes, or networks of other project*"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1c65e332_b0ff6537","line":442,"range":{"start_line":442,"start_character":26,"end_line":442,"end_character":34},"in_reply_to":"00538b9f_f286a71a","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":455,"context_line":"   - *List and get networks*"},{"line_number":456,"context_line":"   - *Cannot get or list instances, volumes, or networks of other project*"},{"line_number":457,"context_line":""},{"line_number":458,"context_line":"These new persona fix the existing issue where any user having any role within"},{"line_number":459,"context_line":"project (for example \u0027foo\u0027 role) can create, delete the resources in that project."},{"line_number":460,"context_line":"It also provide the ability for operator to assign the read-only role for cloud"},{"line_number":461,"context_line":"audit."}],"source_content_type":"text/x-rst","patch_set":1,"id":"38fde21a_fb29ccb7","line":458,"range":{"start_line":458,"start_character":10,"end_line":458,"end_character":17},"updated":"2022-06-27 14:18:00.000000000","message":"personas","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":455,"context_line":"   - *List and get networks*"},{"line_number":456,"context_line":"   - *Cannot get or list instances, volumes, or networks of other project*"},{"line_number":457,"context_line":""},{"line_number":458,"context_line":"These new persona fix the existing issue where any user having any role within"},{"line_number":459,"context_line":"project (for example \u0027foo\u0027 role) can create, delete the resources in that project."},{"line_number":460,"context_line":"It also provide the ability for operator to assign the read-only role for cloud"},{"line_number":461,"context_line":"audit."}],"source_content_type":"text/x-rst","patch_set":1,"id":"eec97c18_b2b4e1f7","line":458,"range":{"start_line":458,"start_character":10,"end_line":458,"end_character":17},"in_reply_to":"38fde21a_fb29ccb7","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":457,"context_line":""},{"line_number":458,"context_line":"These new persona fix the existing issue where any user having any role within"},{"line_number":459,"context_line":"project (for example \u0027foo\u0027 role) can create, delete the resources in that project."},{"line_number":460,"context_line":"It also provide the ability for operator to assign the read-only role for cloud"},{"line_number":461,"context_line":"audit."},{"line_number":462,"context_line":""},{"line_number":463,"context_line":"Phase 
2"}],"source_content_type":"text/x-rst","patch_set":1,"id":"67b363dd_cd4e17a0","line":460,"range":{"start_line":460,"start_character":28,"end_line":460,"end_character":31},"updated":"2022-06-27 14:18:00.000000000","message":"\"for the\"","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":457,"context_line":""},{"line_number":458,"context_line":"These new persona fix the existing issue where any user having any role within"},{"line_number":459,"context_line":"project (for example \u0027foo\u0027 role) can create, delete the resources in that project."},{"line_number":460,"context_line":"It also provide the ability for operator to assign the read-only role for cloud"},{"line_number":461,"context_line":"audit."},{"line_number":462,"context_line":""},{"line_number":463,"context_line":"Phase 2"}],"source_content_type":"text/x-rst","patch_set":1,"id":"b4ba58db_70785e5b","line":460,"range":{"start_line":460,"start_character":8,"end_line":460,"end_character":15},"updated":"2022-06-27 14:18:00.000000000","message":"provides","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":457,"context_line":""},{"line_number":458,"context_line":"These new persona fix the existing issue where any user having any role within"},{"line_number":459,"context_line":"project (for example \u0027foo\u0027 role) can create, delete the resources in that project."},{"line_number":460,"context_line":"It also provide the ability for operator to assign the read-only role for 
cloud"},{"line_number":461,"context_line":"audit."},{"line_number":462,"context_line":""},{"line_number":463,"context_line":"Phase 2"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9c57ea37_87365f5a","line":460,"range":{"start_line":460,"start_character":28,"end_line":460,"end_character":31},"in_reply_to":"67b363dd_cd4e17a0","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":457,"context_line":""},{"line_number":458,"context_line":"These new persona fix the existing issue where any user having any role within"},{"line_number":459,"context_line":"project (for example \u0027foo\u0027 role) can create, delete the resources in that project."},{"line_number":460,"context_line":"It also provide the ability for operator to assign the read-only role for cloud"},{"line_number":461,"context_line":"audit."},{"line_number":462,"context_line":""},{"line_number":463,"context_line":"Phase 2"}],"source_content_type":"text/x-rst","patch_set":1,"id":"731bb345_9c7dc211","line":460,"range":{"start_line":460,"start_character":8,"end_line":460,"end_character":15},"in_reply_to":"b4ba58db_70785e5b","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":484,"context_line":"`project-manager` used for project-level administrative APIs and is denoted by"},{"line_number":485,"context_line":"someone with the ``manager`` role on a project and operate within the own 
project."},{"line_number":486,"context_line":"It is intended to perform more privileged operation than `project-member` on its"},{"line_number":487,"context_line":"project resource. It is not intended to be used by the end users. From existing"},{"line_number":488,"context_line":"policy point of view, we can say this a \u0027admin\u0027 at project level but we will not"},{"line_number":489,"context_line":"use the term \u0027admin\u0027 as it can be confused with the \u0027legacy admin (``admin``)\u0027."},{"line_number":490,"context_line":"It can do all the operation what ``admin`` role user can do on project level"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5dba8265_da2813f8","line":487,"range":{"start_line":487,"start_character":18,"end_line":487,"end_character":64},"updated":"2022-06-27 14:18:00.000000000","message":"You\u0027re saying this because it potentially gives people too much access to system information right? I think that it\u0027s probably the case where *some* operators would grant this ability to the administrator of a customer, depending on the relationship. 
If they can\u0027t create flavors, disable services, re-wire physical networks, etc then I suspect some will consider exposing the internal details not too bad.\n\nSo, that is to say, we might want to soften this language just a tad, if others agree.","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":true,"context_lines":[{"line_number":484,"context_line":"`project-manager` used for project-level administrative APIs and is denoted by"},{"line_number":485,"context_line":"someone with the ``manager`` role on a project and operate within the own project."},{"line_number":486,"context_line":"It is intended to perform more privileged operation than `project-member` on its"},{"line_number":487,"context_line":"project resource. It is not intended to be used by the end users. 
From existing"},{"line_number":488,"context_line":"policy point of view, we can say this a \u0027admin\u0027 at project level but we will not"},{"line_number":489,"context_line":"use the term \u0027admin\u0027 as it can be confused with the \u0027legacy admin (``admin``)\u0027."},{"line_number":490,"context_line":"It can do all the operation what ``admin`` role user can do on project level"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ea25d864_a6d355bf","line":487,"range":{"start_line":487,"start_character":18,"end_line":487,"end_character":64},"in_reply_to":"5dba8265_da2813f8","updated":"2022-06-27 19:37:51.000000000","message":"sure, I think with its name and calling it as \"used for project-level administrative APIs\" should be enough to convey that this has some extra privileged role the member so they know if they are assigning it to user or so.\n\nI will remove this line.","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1fe4daaa45904d06cd20c31bc4160612155ef258","unresolved":false,"context_lines":[{"line_number":484,"context_line":"`project-manager` used for project-level administrative APIs and is denoted by"},{"line_number":485,"context_line":"someone with the ``manager`` role on a project and operate within the own project."},{"line_number":486,"context_line":"It is intended to perform more privileged operation than `project-member` on its"},{"line_number":487,"context_line":"project resource. It is not intended to be used by the end users. 
From existing"},{"line_number":488,"context_line":"policy point of view, we can say this a \u0027admin\u0027 at project level but we will not"},{"line_number":489,"context_line":"use the term \u0027admin\u0027 as it can be confused with the \u0027legacy admin (``admin``)\u0027."},{"line_number":490,"context_line":"It can do all the operation what ``admin`` role user can do on project level"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f8e8c1c_2daab721","line":487,"range":{"start_line":487,"start_character":18,"end_line":487,"end_character":64},"in_reply_to":"ea25d864_a6d355bf","updated":"2022-07-01 15:34:12.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":487,"context_line":"project resource. It is not intended to be used by the end users. From existing"},{"line_number":488,"context_line":"policy point of view, we can say this a \u0027admin\u0027 at project level but we will not"},{"line_number":489,"context_line":"use the term \u0027admin\u0027 as it can be confused with the \u0027legacy admin (``admin``)\u0027."},{"line_number":490,"context_line":"It can do all the operation what ``admin`` role user can do on project level"},{"line_number":491,"context_line":"resources but within its own project. 
For example, it can delete only its own"},{"line_number":492,"context_line":"project instance, can list all the instances of its own project only."},{"line_number":493,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"325dde85_7ecffe94","line":490,"range":{"start_line":490,"start_character":18,"end_line":490,"end_character":33},"updated":"2022-06-27 14:18:00.000000000","message":"\"operations that the\"","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":false,"context_lines":[{"line_number":487,"context_line":"project resource. It is not intended to be used by the end users. From existing"},{"line_number":488,"context_line":"policy point of view, we can say this a \u0027admin\u0027 at project level but we will not"},{"line_number":489,"context_line":"use the term \u0027admin\u0027 as it can be confused with the \u0027legacy admin (``admin``)\u0027."},{"line_number":490,"context_line":"It can do all the operation what ``admin`` role user can do on project level"},{"line_number":491,"context_line":"resources but within its own project. 
For example, it can delete only its own"},{"line_number":492,"context_line":"project instance, can list all the instances of its own project only."},{"line_number":493,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"34809214_d54adbf0","line":490,"range":{"start_line":490,"start_character":18,"end_line":490,"end_character":33},"in_reply_to":"325dde85_7ecffe94","updated":"2022-06-27 19:37:51.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":552,"context_line":"   - Can perform more privileged than project-members on a project"},{"line_number":553,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":554,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":555,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":556,"context_line":"   - *Create physical provider networks*"},{"line_number":557,"context_line":"   - *Locking and unlocking an instance*"},{"line_number":558,"context_line":"   - *Setting the default volume type for a project*"}],"source_content_type":"text/x-rst","patch_set":1,"id":"e0575e33_a8f16cb2","line":555,"updated":"2022-06-27 14:18:00.000000000","message":"This is probably best left to a real admin, but it\u0027s a judgment call.","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1fe4daaa45904d06cd20c31bc4160612155ef258","unresolved":false,"context_lines":[{"line_number":552,"context_line":"   - Can perform more privileged than project-members on a project"},{"line_number":553,"context_line":"   - *Forcibly reset the state of an 
instance*"},{"line_number":554,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":555,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":556,"context_line":"   - *Create physical provider networks*"},{"line_number":557,"context_line":"   - *Locking and unlocking an instance*"},{"line_number":558,"context_line":"   - *Setting the default volume type for a project*"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9380266b_a4606761","line":555,"in_reply_to":"c61727b1_c7ef711d","updated":"2022-07-01 15:34:12.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":true,"context_lines":[{"line_number":552,"context_line":"   - Can perform more privileged than project-members on a project"},{"line_number":553,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":554,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":555,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":556,"context_line":"   - *Create physical provider networks*"},{"line_number":557,"context_line":"   - *Locking and unlocking an instance*"},{"line_number":558,"context_line":"   - *Setting the default volume type for a project*"}],"source_content_type":"text/x-rst","patch_set":1,"id":"c61727b1_c7ef711d","line":555,"in_reply_to":"e0575e33_a8f16cb2","updated":"2022-06-27 19:37:51.000000000","message":"yea, I think that make sense. 
I will remove it from here.","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"432a514803ed0faef170fc066167ce8dfc1cd508","unresolved":true,"context_lines":[{"line_number":553,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":554,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":555,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":556,"context_line":"   - *Create physical provider networks*"},{"line_number":557,"context_line":"   - *Locking and unlocking an instance*"},{"line_number":558,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":559,"context_line":"   - *Setting the default secret store for a project*"}],"source_content_type":"text/x-rst","patch_set":1,"id":"adcf74d7_d5ce4d84","line":556,"updated":"2022-06-27 14:18:00.000000000","message":"Is \"create physical provider networks\" really something we want a project-only admin to be able to do? 
Doesn\u0027t that let them actually affect other projects pretty substantially?","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"3e31edfe4cc13b323576dc78c9fd2a9809c45871","unresolved":true,"context_lines":[{"line_number":553,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":554,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":555,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":556,"context_line":"   - *Create physical provider networks*"},{"line_number":557,"context_line":"   - *Locking and unlocking an instance*"},{"line_number":558,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":559,"context_line":"   - *Setting the default secret store for a project*"}],"source_content_type":"text/x-rst","patch_set":1,"id":"94ae80a6_f3a730f6","line":556,"in_reply_to":"698f6f31_5e5a458b","updated":"2022-06-30 13:40:12.000000000","message":"I don\u0027t want to drop it entirely, because I do think there are a number of people that want a smaller-scoped admin. That smaller-scoped admin might be a junior op, a dedicated support person for a big customer, or just a more limited scope for some automation. It won\u0027t apply to all cases, and certainly not for public clouds trying to delegate some responsibility to (ulimately untrusted) customers.\n\nI think it\u0027s far enough down the list of \"phase N\" that it won\u0027t distract from reader, and I think that we\u0027ve already worn out our welcome with moving the goal posts on this whole thing. I\u0027d rather tell people where we think we\u0027re going, but be honest about the likelihood of ever getting there. Maybe we need to hedge here with some more ... 
honesty?\n\nIf you think it\u0027d be better to move it out to an \"RBAC future\" doc, then I guess I\u0027m okay with that, I just would prefer not to drop it entirely.","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"3ee9f7ef2b4ab18dc87ffb5e9767911ea121c2a1","unresolved":true,"context_lines":[{"line_number":553,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":554,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":555,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":556,"context_line":"   - *Create physical provider networks*"},{"line_number":557,"context_line":"   - *Locking and unlocking an instance*"},{"line_number":558,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":559,"context_line":"   - *Setting the default secret store for a project*"}],"source_content_type":"text/x-rst","patch_set":1,"id":"698f6f31_5e5a458b","line":556,"in_reply_to":"6d7308d0_1c60c3ef","updated":"2022-06-29 17:39:05.000000000","message":"I would prefer we drop project_manager, it\u0027s a distraction from project_reader.\n\nFrom my operator perspective, I do not want project_manager being able to attack private VLANs on my infrastructure, in particular the internal api network, not typically a network in neutron, but it is trunked to all hypervisors, etc, etc.\n\nI don\u0027t have any customers that want this specific combination of permissions, even if we drop the provider networks thing. 
We need to tackle this in a dedicated forum session, once we have reader and member widely used, and operators compare notes on the structures they have created on top of the reader role.","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"9c5fc6389f9020e0da965d83ffebc3057e634fc5","unresolved":true,"context_lines":[{"line_number":553,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":554,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":555,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":556,"context_line":"   - *Create physical provider networks*"},{"line_number":557,"context_line":"   - *Locking and unlocking an instance*"},{"line_number":558,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":559,"context_line":"   - *Setting the default secret store for a project*"}],"source_content_type":"text/x-rst","patch_set":1,"id":"6d7308d0_1c60c3ef","line":556,"in_reply_to":"7104e6b2_72671ea0","updated":"2022-06-28 09:14:00.000000000","message":"this is basically something what was in kind of \"grey area\" for me as in legacy policies only admin was able to do that, then when we first try to implement secure RBAC, we gave this permission only to the system_admin who was able to create it on behalf of some project and we thought that it\u0027s good approach because this is something what requires knowledge about physical cluster configuration.\nBut later SYSTEM_ADMIN role has changed in the way that it shouldn\u0027t be able to create anything what belongs to the project. 
Because of that we granted that to the PROJECT_ADMIN.\n\nBut honestly, in current approach with \"ADMIN\" and \"PROJECT_MANAGER\" I think that this should be possible only for ADMIN user.","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f15defde7b230722b4e11872c90dce1c727e8604","unresolved":true,"context_lines":[{"line_number":553,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":554,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":555,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":556,"context_line":"   - *Create physical provider networks*"},{"line_number":557,"context_line":"   - *Locking and unlocking an instance*"},{"line_number":558,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":559,"context_line":"   - *Setting the default secret store for a project*"}],"source_content_type":"text/x-rst","patch_set":1,"id":"c02326fa_9d999e84","line":556,"in_reply_to":"94ae80a6_f3a730f6","updated":"2022-07-06 16:29:00.000000000","message":"ok, let me move \u0027- *Create physical provider networks*\u0027 under \u0027Admin\u0027","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":true,"context_lines":[{"line_number":553,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":554,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":555,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":556,"context_line":"   - *Create physical provider 
networks*"},{"line_number":557,"context_line":"   - *Locking and unlocking an instance*"},{"line_number":558,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":559,"context_line":"   - *Setting the default secret store for a project*"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7104e6b2_72671ea0","line":556,"in_reply_to":"adcf74d7_d5ce4d84","updated":"2022-06-27 19:37:51.000000000","message":"not sure about that, Slawek can answer but in current policy it is project admin only. \n\nhttps://github.com/openstack/neutron/blob/f60f24d5d8c9386a7a70af887d44ad14d15acef4/neutron/conf/policies/network.py#L138","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"70ad2742b9fdf8f049c992d85e1d9844a84825a7","unresolved":false,"context_lines":[{"line_number":553,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":554,"context_line":"   - *Forcibly deleting an application stack*"},{"line_number":555,"context_line":"   - *Making an image public to the entire deployment*"},{"line_number":556,"context_line":"   - *Create physical provider networks*"},{"line_number":557,"context_line":"   - *Locking and unlocking an instance*"},{"line_number":558,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":559,"context_line":"   - *Setting the default secret store for a project*"}],"source_content_type":"text/x-rst","patch_set":1,"id":"296c15e8_86699687","line":556,"in_reply_to":"c02326fa_9d999e84","updated":"2022-07-06 16:29:25.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":11975,"name":"Slawek 
Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"ce414c38a15efb9fcf9a9abac77d24851a31d8bd","unresolved":true,"context_lines":[{"line_number":556,"context_line":"   - *Create physical provider networks*"},{"line_number":557,"context_line":"   - *Locking and unlocking an instance*"},{"line_number":558,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":559,"context_line":"   - *Setting the default secret store for a project*"},{"line_number":560,"context_line":""},{"line_number":561,"context_line":"Tracking"},{"line_number":562,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"78bcf4f7_d78db030","line":559,"updated":"2022-06-27 13:27:21.000000000","message":"so this is basically renamed current \"project_admin\" role, is that correct?","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"9c5fc6389f9020e0da965d83ffebc3057e634fc5","unresolved":true,"context_lines":[{"line_number":556,"context_line":"   - *Create physical provider networks*"},{"line_number":557,"context_line":"   - *Locking and unlocking an instance*"},{"line_number":558,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":559,"context_line":"   - *Setting the default secret store for a project*"},{"line_number":560,"context_line":""},{"line_number":561,"context_line":"Tracking"},{"line_number":562,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"fc18aa5a_c4f5e600","line":559,"in_reply_to":"65002bf9_bb89094a","updated":"2022-06-28 09:14:00.000000000","message":"ok, got it.","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dbfcd81e1b99c588990386dcdcc5fbc4ba0ffcf1","unresolved":true,"context_lines":[{"line_number":556,"context_line":"   - *Create physical provider networks*"},{"line_number":557,"context_line":"   - *Locking and unlocking an instance*"},{"line_number":558,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":559,"context_line":"   - *Setting the default secret store for a project*"},{"line_number":560,"context_line":""},{"line_number":561,"context_line":"Tracking"},{"line_number":562,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"65002bf9_bb89094a","line":559,"in_reply_to":"78bcf4f7_d78db030","updated":"2022-06-27 19:37:51.000000000","message":"yes. we thought of keeping it same name \u0027project_admin\u0027 but that will create confusion between \u0027admin\u0027 and one more admin named \u0027project_admin\u0027. 
that is why renaming to \u0027project_manager\u0027.","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"70ad2742b9fdf8f049c992d85e1d9844a84825a7","unresolved":false,"context_lines":[{"line_number":556,"context_line":"   - *Create physical provider networks*"},{"line_number":557,"context_line":"   - *Locking and unlocking an instance*"},{"line_number":558,"context_line":"   - *Setting the default volume type for a project*"},{"line_number":559,"context_line":"   - *Setting the default secret store for a project*"},{"line_number":560,"context_line":""},{"line_number":561,"context_line":"Tracking"},{"line_number":562,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"fb290d5b_7ee2f6a0","line":559,"in_reply_to":"fc18aa5a_c4f5e600","updated":"2022-07-06 16:29:25.000000000","message":"Done","commit_id":"7f4fe0d519c684794a092afc263b4cf38ae40f91"},{"author":{"_account_id":20733,"name":"Rajesh Tailor","email":"ratailor@redhat.com","username":"rajesht"},"change_message_id":"4f719bb979a34e4ff0e8083b877bf125dfe01d80","unresolved":true,"context_lines":[{"line_number":237,"context_line":"on a timeline for future improvements, and at least deliver something useful to"},{"line_number":238,"context_line":"operators sooner rather than later. At least we have a clear understanding on"},{"line_number":239,"context_line":"project persona from developer as well from operator side and if we again delay"},{"line_number":240,"context_line":"implementating it, there is high possiblity that developers involve in this work"},{"line_number":241,"context_line":"will loose the motivation and we will never ship the usable project persona in"},{"line_number":242,"context_line":"OpenStack RBAC. 
Let\u0027s accept all the challanges we have with `scope` concept and"},{"line_number":243,"context_line":"ready to revert the `scope` implemented even that is already implemented in your"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa67df4_1d4c9397","line":240,"range":{"start_line":240,"start_character":33,"end_line":240,"end_character":43},"updated":"2022-06-28 13:01:03.000000000","message":"nit: typo","commit_id":"59419139b5cdbcdd5d5a30b8e941c6b1bebb2ad4"},{"author":{"_account_id":20733,"name":"Rajesh Tailor","email":"ratailor@redhat.com","username":"rajesht"},"change_message_id":"4f719bb979a34e4ff0e8083b877bf125dfe01d80","unresolved":true,"context_lines":[{"line_number":237,"context_line":"on a timeline for future improvements, and at least deliver something useful to"},{"line_number":238,"context_line":"operators sooner rather than later. At least we have a clear understanding on"},{"line_number":239,"context_line":"project persona from developer as well from operator side and if we again delay"},{"line_number":240,"context_line":"implementating it, there is high possiblity that developers involve in this work"},{"line_number":241,"context_line":"will loose the motivation and we will never ship the usable project persona in"},{"line_number":242,"context_line":"OpenStack RBAC. 
Let\u0027s accept all the challanges we have with `scope` concept and"},{"line_number":243,"context_line":"ready to revert the `scope` implemented even that is already implemented in your"}],"source_content_type":"text/x-rst","patch_set":2,"id":"a7a058a4_77ce79bc","line":240,"range":{"start_line":240,"start_character":0,"end_line":240,"end_character":14},"updated":"2022-06-28 13:01:03.000000000","message":"nit: typo","commit_id":"59419139b5cdbcdd5d5a30b8e941c6b1bebb2ad4"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dc24c33a74e284357651e52d9e0d477287b7b98d","unresolved":false,"context_lines":[{"line_number":237,"context_line":"on a timeline for future improvements, and at least deliver something useful to"},{"line_number":238,"context_line":"operators sooner rather than later. At least we have a clear understanding on"},{"line_number":239,"context_line":"project persona from developer as well from operator side and if we again delay"},{"line_number":240,"context_line":"implementating it, there is high possiblity that developers involve in this work"},{"line_number":241,"context_line":"will loose the motivation and we will never ship the usable project persona in"},{"line_number":242,"context_line":"OpenStack RBAC. 
Let\u0027s accept all the challanges we have with `scope` concept and"},{"line_number":243,"context_line":"ready to revert the `scope` implemented even that is already implemented in your"}],"source_content_type":"text/x-rst","patch_set":2,"id":"bf7b0c69_50c7c476","line":240,"range":{"start_line":240,"start_character":33,"end_line":240,"end_character":43},"in_reply_to":"3fa67df4_1d4c9397","updated":"2022-06-28 18:40:17.000000000","message":"Done","commit_id":"59419139b5cdbcdd5d5a30b8e941c6b1bebb2ad4"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dc24c33a74e284357651e52d9e0d477287b7b98d","unresolved":false,"context_lines":[{"line_number":237,"context_line":"on a timeline for future improvements, and at least deliver something useful to"},{"line_number":238,"context_line":"operators sooner rather than later. At least we have a clear understanding on"},{"line_number":239,"context_line":"project persona from developer as well from operator side and if we again delay"},{"line_number":240,"context_line":"implementating it, there is high possiblity that developers involve in this work"},{"line_number":241,"context_line":"will loose the motivation and we will never ship the usable project persona in"},{"line_number":242,"context_line":"OpenStack RBAC. 
Let\u0027s accept all the challanges we have with `scope` concept and"},{"line_number":243,"context_line":"ready to revert the `scope` implemented even that is already implemented in your"}],"source_content_type":"text/x-rst","patch_set":2,"id":"f48de12c_7eda6b41","line":240,"range":{"start_line":240,"start_character":0,"end_line":240,"end_character":14},"in_reply_to":"a7a058a4_77ce79bc","updated":"2022-06-28 18:40:17.000000000","message":"Done","commit_id":"59419139b5cdbcdd5d5a30b8e941c6b1bebb2ad4"},{"author":{"_account_id":20733,"name":"Rajesh Tailor","email":"ratailor@redhat.com","username":"rajesht"},"change_message_id":"4f719bb979a34e4ff0e8083b877bf125dfe01d80","unresolved":true,"context_lines":[{"line_number":239,"context_line":"project persona from developer as well from operator side and if we again delay"},{"line_number":240,"context_line":"implementating it, there is high possiblity that developers involve in this work"},{"line_number":241,"context_line":"will loose the motivation and we will never ship the usable project persona in"},{"line_number":242,"context_line":"OpenStack RBAC. 
Let\u0027s accept all the challanges we have with `scope` concept and"},{"line_number":243,"context_line":"ready to revert the `scope` implemented even that is already implemented in your"},{"line_number":244,"context_line":"project."},{"line_number":245,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"9bd92080_426e5732","line":242,"range":{"start_line":242,"start_character":37,"end_line":242,"end_character":47},"updated":"2022-06-28 13:01:03.000000000","message":"nit: typo","commit_id":"59419139b5cdbcdd5d5a30b8e941c6b1bebb2ad4"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dc24c33a74e284357651e52d9e0d477287b7b98d","unresolved":false,"context_lines":[{"line_number":239,"context_line":"project persona from developer as well from operator side and if we again delay"},{"line_number":240,"context_line":"implementating it, there is high possiblity that developers involve in this work"},{"line_number":241,"context_line":"will loose the motivation and we will never ship the usable project persona in"},{"line_number":242,"context_line":"OpenStack RBAC. 
Let\u0027s accept all the challanges we have with `scope` concept and"},{"line_number":243,"context_line":"ready to revert the `scope` implemented even that is already implemented in your"},{"line_number":244,"context_line":"project."},{"line_number":245,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"741e09a1_09e0093a","line":242,"range":{"start_line":242,"start_character":37,"end_line":242,"end_character":47},"in_reply_to":"9bd92080_426e5732","updated":"2022-06-28 18:40:17.000000000","message":"Done","commit_id":"59419139b5cdbcdd5d5a30b8e941c6b1bebb2ad4"},{"author":{"_account_id":20733,"name":"Rajesh Tailor","email":"ratailor@redhat.com","username":"rajesht"},"change_message_id":"4f719bb979a34e4ff0e8083b877bf125dfe01d80","unresolved":true,"context_lines":[{"line_number":398,"context_line":"Listing project resources across the deployment"},{"line_number":399,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":400,"context_line":""},{"line_number":401,"context_line":"As we are keeping the legcy `admin` same as it is currently, legacy admin (meaning"},{"line_number":402,"context_line":"anyone with the ``admin`` role on a project) will continue to be able to list all"},{"line_number":403,"context_line":"the resources across the deployment (for applicable APIs only.) 
The following is an"},{"line_number":404,"context_line":"example of what a policy would look like using this approach:"}],"source_content_type":"text/x-rst","patch_set":2,"id":"abbfd441_8942a174","line":401,"range":{"start_line":401,"start_character":22,"end_line":401,"end_character":27},"updated":"2022-06-28 13:01:03.000000000","message":"nit: typo","commit_id":"59419139b5cdbcdd5d5a30b8e941c6b1bebb2ad4"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1fe4daaa45904d06cd20c31bc4160612155ef258","unresolved":false,"context_lines":[{"line_number":398,"context_line":"Listing project resources across the deployment"},{"line_number":399,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":400,"context_line":""},{"line_number":401,"context_line":"As we are keeping the legcy `admin` same as it is currently, legacy admin (meaning"},{"line_number":402,"context_line":"anyone with the ``admin`` role on a project) will continue to be able to list all"},{"line_number":403,"context_line":"the resources across the deployment (for applicable APIs only.) 
The following is an"},{"line_number":404,"context_line":"example of what a policy would look like using this approach:"}],"source_content_type":"text/x-rst","patch_set":2,"id":"befcac71_5d979a1b","line":401,"range":{"start_line":401,"start_character":22,"end_line":401,"end_character":27},"in_reply_to":"abbfd441_8942a174","updated":"2022-07-01 15:34:12.000000000","message":"Done","commit_id":"59419139b5cdbcdd5d5a30b8e941c6b1bebb2ad4"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"3ee9f7ef2b4ab18dc87ffb5e9767911ea121c2a1","unresolved":true,"context_lines":[{"line_number":235,"context_line":"   policy.DocumentedRuleDefault("},{"line_number":236,"context_line":"       name\u003d\u0027os_compute_api:os-hypervisors:list\u0027,"},{"line_number":237,"context_line":"       check_str\u003d\u0027role:admin\u0027,"},{"line_number":238,"context_line":"       scope_types\u003d[\u0027system\u0027]"},{"line_number":239,"context_line":"   )"},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"Managed volumes:"}],"source_content_type":"text/x-rst","patch_set":5,"id":"26ea6ddc_fb230b70","side":"PARENT","line":238,"updated":"2022-06-29 17:39:05.000000000","message":"does that imply scope_types\u003d[\u0027project\u0027] ?","commit_id":"a7bb68f83b3e6499f2056e95dc7f025531753cbb"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"19a20ba193996e15ecfeef34adbdd8c9ec502aa6","unresolved":true,"context_lines":[{"line_number":235,"context_line":"   policy.DocumentedRuleDefault("},{"line_number":236,"context_line":"       name\u003d\u0027os_compute_api:os-hypervisors:list\u0027,"},{"line_number":237,"context_line":"       check_str\u003d\u0027role:admin\u0027,"},{"line_number":238,"context_line":"       scope_types\u003d[\u0027system\u0027]"},{"line_number":239,"context_line":"   
)"},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"Managed volumes:"}],"source_content_type":"text/x-rst","patch_set":5,"id":"695ac86e_ca3c0fe9","side":"PARENT","line":238,"in_reply_to":"26ea6ddc_fb230b70","updated":"2022-06-29 18:35:57.000000000","message":"yes. thanks for catching","commit_id":"a7bb68f83b3e6499f2056e95dc7f025531753cbb"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"8afb18d514db8c572ac3ce9e7c735937cb4cc0e3","unresolved":false,"context_lines":[{"line_number":235,"context_line":"   policy.DocumentedRuleDefault("},{"line_number":236,"context_line":"       name\u003d\u0027os_compute_api:os-hypervisors:list\u0027,"},{"line_number":237,"context_line":"       check_str\u003d\u0027role:admin\u0027,"},{"line_number":238,"context_line":"       scope_types\u003d[\u0027system\u0027]"},{"line_number":239,"context_line":"   )"},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"Managed volumes:"}],"source_content_type":"text/x-rst","patch_set":5,"id":"fa193feb_6e2ecbeb","side":"PARENT","line":238,"in_reply_to":"695ac86e_ca3c0fe9","updated":"2022-06-30 22:25:02.000000000","message":"Done","commit_id":"a7bb68f83b3e6499f2056e95dc7f025531753cbb"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"3ee9f7ef2b4ab18dc87ffb5e9767911ea121c2a1","unresolved":true,"context_lines":[{"line_number":208,"context_line":"That is the way forward to at least implement the project personas which is asked by"},{"line_number":209,"context_line":"many operators. 
Basically, define the below scope for this goal:"},{"line_number":210,"context_line":""},{"line_number":211,"context_line":"* Finish delivering project personas"},{"line_number":212,"context_line":"  This is to introduce the `member` and `reader` roles to operate things within their project."},{"line_number":213,"context_line":"  By default, any other project role like `foo` will not be allowed to do anything in"},{"line_number":214,"context_line":"  the project."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"* Postpone the `scope` implementation for later"},{"line_number":217,"context_line":"  Some standalone services like Ironic can still have the `scope` implementation as"}],"source_content_type":"text/x-rst","patch_set":5,"id":"82598562_df303af6","line":214,"range":{"start_line":211,"start_character":0,"end_line":214,"end_character":14},"updated":"2022-06-29 17:39:05.000000000","message":"FWIW, feedback has always been the project reader role being key. Focus on just this one change seems like a very good idea.\n\nIt has the downside that this pretty much fixes all the problems my customers have been having, so they might not be much appetite for anything more than this. Either way just a good place to be starting from.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"19a20ba193996e15ecfeef34adbdd8c9ec502aa6","unresolved":true,"context_lines":[{"line_number":208,"context_line":"That is the way forward to at least implement the project personas which is asked by"},{"line_number":209,"context_line":"many operators. 
Basically, define the below scope for this goal:"},{"line_number":210,"context_line":""},{"line_number":211,"context_line":"* Finish delivering project personas"},{"line_number":212,"context_line":"  This is to introduce the `member` and `reader` roles to operate things within their project."},{"line_number":213,"context_line":"  By default, any other project role like `foo` will not be allowed to do anything in"},{"line_number":214,"context_line":"  the project."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"* Postpone the `scope` implementation for later"},{"line_number":217,"context_line":"  Some standalone services like Ironic can still have the `scope` implementation as"}],"source_content_type":"text/x-rst","patch_set":5,"id":"9db48967_f47daa09","line":214,"range":{"start_line":211,"start_character":0,"end_line":214,"end_character":14},"in_reply_to":"3af57f81_ddcdaf25","updated":"2022-06-29 18:35:57.000000000","message":"agree on this. We got stuck to complete this thinking to solve many other RBAC problems which was not good idea.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"9fb6e0f907776d4b953ff9bab0813e3018a11350","unresolved":true,"context_lines":[{"line_number":208,"context_line":"That is the way forward to at least implement the project personas which is asked by"},{"line_number":209,"context_line":"many operators. 
Basically, define the below scope for this goal:"},{"line_number":210,"context_line":""},{"line_number":211,"context_line":"* Finish delivering project personas"},{"line_number":212,"context_line":"  This is to introduce the `member` and `reader` roles to operate things within their project."},{"line_number":213,"context_line":"  By default, any other project role like `foo` will not be allowed to do anything in"},{"line_number":214,"context_line":"  the project."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"* Postpone the `scope` implementation for later"},{"line_number":217,"context_line":"  Some standalone services like Ironic can still have the `scope` implementation as"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3af57f81_ddcdaf25","line":214,"range":{"start_line":211,"start_character":0,"end_line":214,"end_character":14},"in_reply_to":"82598562_df303af6","updated":"2022-06-29 17:51:51.000000000","message":"Yeah, I think that\u0027s a likely outcome: that project reader is 90% of the work and we lose momentum for the remainder. However, I\u0027d much rather have only 90% than 0%.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"943b6a3b15fdbfec2e61b02b2e909ff362fb840e","unresolved":false,"context_lines":[{"line_number":208,"context_line":"That is the way forward to at least implement the project personas which is asked by"},{"line_number":209,"context_line":"many operators. 
Basically, define the below scope for this goal:"},{"line_number":210,"context_line":""},{"line_number":211,"context_line":"* Finish delivering project personas"},{"line_number":212,"context_line":"  This is to introduce the `member` and `reader` roles to operate things within their project."},{"line_number":213,"context_line":"  By default, any other project role like `foo` will not be allowed to do anything in"},{"line_number":214,"context_line":"  the project."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"* Postpone the `scope` implementation for later"},{"line_number":217,"context_line":"  Some standalone services like Ironic can still have the `scope` implementation as"}],"source_content_type":"text/x-rst","patch_set":5,"id":"de9bf88f_e32f869f","line":214,"range":{"start_line":211,"start_character":0,"end_line":214,"end_character":14},"in_reply_to":"9db48967_f47daa09","updated":"2022-06-30 11:09:48.000000000","message":"+1, sounds like we are aligned there.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"3ee9f7ef2b4ab18dc87ffb5e9767911ea121c2a1","unresolved":true,"context_lines":[{"line_number":221,"context_line":"  (`scope_type` to `project` only). 
Keeping everything as `project` scoped will make"},{"line_number":222,"context_line":"  sure if system scoped token (which does not have project_id) is used to perform"},{"line_number":223,"context_line":"  operation in service like nova, neutron will fail early with 403 instead of failing it"},{"line_number":224,"context_line":"  in the lower layer than policy enforcement."},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"So, where do we go from here?"},{"line_number":227,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"a7bb73f9_b8fbd18b","line":224,"updated":"2022-06-29 17:39:05.000000000","message":"I think it\u0027s unclear to me what \"postpone the scope implementation\" means now.\n\nMost of my customers have ironic and nova, which admins of nova able to list ironic nodes. I guess it\u0027s unclear what I tell them what to prepare for here.\n\nI assume I can turn off scope checking in ironic, and it\u0027s just like it always used to be?","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"943b6a3b15fdbfec2e61b02b2e909ff362fb840e","unresolved":false,"context_lines":[{"line_number":221,"context_line":"  (`scope_type` to `project` only). 
Keeping everything as `project` scoped will make"},{"line_number":222,"context_line":"  sure if system scoped token (which does not have project_id) is used to perform"},{"line_number":223,"context_line":"  operation in service like nova, neutron will fail early with 403 instead of failing it"},{"line_number":224,"context_line":"  in the lower layer than policy enforcement."},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"So, where do we go from here?"},{"line_number":227,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"937fed81_fc824a08","line":224,"in_reply_to":"4e2cf9f6_1d703157","updated":"2022-06-30 11:09:48.000000000","message":"Thank you all for the context.\n\nI totally agree with not losing the good stuff Ironic has working for their users. \n\nProbably we don\u0027t have any text that needs changing here.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2da66c5fee9a95acb7510ce0aa5540f7c80a39b8","unresolved":true,"context_lines":[{"line_number":221,"context_line":"  (`scope_type` to `project` only). 
Keeping everything as `project` scoped will make"},{"line_number":222,"context_line":"  sure if system scoped token (which does not have project_id) is used to perform"},{"line_number":223,"context_line":"  operation in service like nova, neutron will fail early with 403 instead of failing it"},{"line_number":224,"context_line":"  in the lower layer than policy enforcement."},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"So, where do we go from here?"},{"line_number":227,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"4e2cf9f6_1d703157","line":224,"in_reply_to":"7b37425e_ecb06250","updated":"2022-06-29 23:53:46.000000000","message":"\u003e Reply to Gmann:\n\u003e \n\u003e \u003e This is issue. here Ironic I mean only when it is used as \u0027standalone\u0027 (should have mentioned it explicitly). If ironic is used in deployement with any other OpenStack service (like your case) then this would not work and we will end up with same issue we faced when we implemented in nova and rest other service did not (means scope will be usable only when all OpenStack services implement it) so that operator does not need to switch the token from system to project for admin kind of things.\n\u003e \u003e \n\u003e \n\u003e Unfortunately I\u0027m not sure what is trying to be stated here. 
The issue, I think, is that we\u0027re mixing existence and ability for an operator to do soemthing with assumption of software doing all of the same interactions, and I think that is something that we might need to be careful of in terms of over-conflating usage.\n\u003e \n\u003e Unfortunately, that is also easy to do, since even the word standalone can mean \"ironic on it\u0027s own, no other openstack services\" or \"ironic with some other openstack services\" or \"ironic, being used directly by a human or software for the specific needs, but the overall general usage being that of openstack as a whole.\" We see a blend of it all, as a project.\n\n\nOK, The use case here i mean Ironic without any other OpenStack services and with that scope is all fine as the operator can start using scoped token for their entire deployment.\n\nNow all other use cases Ironic with openstack services (John use case) make operator like difficult to 1. get knowlwdge of system scope token(whihc they mentioned in ops meetup berlin that they do not understad it) 2. if they understand then keep swithcing the system token when talk to ironic and project token admin when talk to nova or so.\n\nFrom nova perspective also (which has implemented the scope things as first service right after Keystone), it all works ok except heat/NFV users so we decided not to break even single use case. That is why I think Ironic needs to consider both cases.\n\n\u003e \n\u003e \u003e \u003eI assume I can turn off scope checking in ironic, and its just like it always used to be?\n\u003e \n\u003e From my point of view, yes. *however* I think I\u0027m going to add project scoped admin in as an explicit filtered view of use at some point when I have time.\n\nI do not think we can disable as per the current implementtion. Replying below with the reason why.\n\n\u003e \n\u003e \n\u003e \u003e \n\u003e \u003e With the current implementation of new rules and when old deprecation rule goes away, it will not work. 
To make old admin keep working for them they need to do two things:\n\u003e \u003e \n\u003e \u003e 1. Decouple the scope from rule check_str:\n\u003e \u003e \n\u003e \u003e Ironic still has the scope coupling in check_str[1] and disable enforce_scope is kind of no-op there. They can fix that the way nova fixed in yoga cycle (https://review.opendev.org/q/topic:bp%252Fpolicy-defaults-refresh-2)\n\u003e \u003e  \n\u003e \u003e [1] https://github.com/openstack/ironic/blob/8aaf2e08c074e786767a24adbbe3afec5ff622c3/ironic/common/policy.py#L46\n\u003e \u003e \n\u003e \n\u003e I don\u0027t think we will go down this path since scope gives us a solid delineation of view and access *and* we\u0027ve already gotten very positive feedback for users who leverage the delineation we built.\n\nHere, if you remove the deprecated rules and disable scope then you cannot use project token to create baremetal node. It will fail with 403 (because of \u0027system:all\u0027 in check_str of rule). That was the reason we change the direction in Yoga and done the change in nova and neutron because scope disable means was nothing. If you are keeping deprecated rule and saying project token will work that work because of passing policy enforcement via deprecated rule but via scope disable. And if we want to keep deprecated rule forever for that reason then the scope enable/disable hardly matter because both new and old token continue work so it is not secure RBAC instead we provided two way to do the things.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e8464ee4a45959cd3223a27a4908da2845c6d02c","unresolved":true,"context_lines":[{"line_number":221,"context_line":"  (`scope_type` to `project` only). 
Keeping everything as `project` scoped will make"},{"line_number":222,"context_line":"  sure if system scoped token (which does not have project_id) is used to perform"},{"line_number":223,"context_line":"  operation in service like nova, neutron will fail early with 403 instead of failing it"},{"line_number":224,"context_line":"  in the lower layer than policy enforcement."},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"So, where do we go from here?"},{"line_number":227,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"7b37425e_ecb06250","line":224,"in_reply_to":"82b70841_f0789c5f","updated":"2022-06-29 22:50:29.000000000","message":"Reply to John:\n\nSo... I think Dan\u0027s last sentence kind of puts it succinctly. I think the overall takeaway for ironic from this rbac pivot is that Ironic basically did what was needful upfront and it was easy for us to do this since the overall asset relationship is entirely inverted and we had a relatively clean slate to work through. Turns out the rest of OpenStack was a bit more complex. Now, since the community is discussing pivoting, I think your customers can certainly turn off scope enforcement. I also think we likely need to add project scoped admin operations in terms of allowing someone to create a physical node in ironic.\n\nReply to Dan:\n\nWould it be possible for you to connect this operator to some ironic contributors, or well, myself? It does seem like maybe they are doing something that we didn\u0027t expect in terms of pattern of use, and I think it may be \"if they are going to have scope enforcement turned on, then they do have some operations they need to explicitly get system scoped tokens.\", which might be the driver behind them feeling the need to change the policies.\n\nAlternatively they could be trying to use the old baremetal_admin role name, but that is deprecated too. 
Anyway, understanding what they are doing will be helpful feedback for us.\n\n\nReply to Gmann:\n\n\u003e This is issue. here Ironic I mean only when it is used as \u0027standalone\u0027 (should have mentioned it explicitly). If ironic is used in deployment with any other OpenStack service (like your case) then this would not work and we will end up with same issue we faced when we implemented in nova and rest other service did not (means scope will be usable only when all OpenStack services implement it) so that operator does not need to switch the token from system to project for admin kind of things.\n\u003e \n\nUnfortunately I\u0027m not sure what is trying to be stated here. The issue, I think, is that we\u0027re mixing existence and ability for an operator to do something with assumption of software doing all of the same interactions, and I think that is something that we might need to be careful of in terms of over-conflating usage.\n\nUnfortunately, that is also easy to do, since even the word standalone can mean \"ironic on its own, no other openstack services\" or \"ironic with some other openstack services\" or \"ironic, being used directly by a human or software for the specific needs, but the overall general usage being that of openstack as a whole.\" We see a blend of it all, as a project.\n\n\n\n\u003e \u003eI assume I can turn off scope checking in ironic, and its just like it always used to be?\n\nFrom my point of view, yes. *however* I think I\u0027m going to add project scoped admin in as an explicit filtered view of use at some point when I have time.\n\n\n\u003e \n\u003e With the current implementation of new rules and when old deprecation rule goes away, it will not work. To make old admin keep working for them they need to do two things:\n\u003e \n\u003e 1. Decouple the scope from rule check_str:\n\u003e \n\u003e Ironic still has the scope coupling in check_str[1] and disable enforce_scope is kind of no-op there. 
They can fix that the way nova fixed in yoga cycle (https://review.opendev.org/q/topic:bp%252Fpolicy-defaults-refresh-2)\n\u003e  \n\u003e [1] https://github.com/openstack/ironic/blob/8aaf2e08c074e786767a24adbbe3afec5ff622c3/ironic/common/policy.py#L46\n\u003e \n\nI don\u0027t think we will go down this path since scope gives us a solid delineation of view and access *and* we\u0027ve already gotten very positive feedback for users who leverage the delineation we built.\n\n\u003e 2. Remove the Project-admin concept:\n\u003e \n\u003e For project level admin operation, admin has been converted to Project_admin (role: admin and project_id)[2]. We need to either revert that to role:admin or add role:admin access also along with project_admin \n\u003e \n\nMore so, we would need to explicitly add one thing. The ability to create/delete physical resources, but explicitly scoped to the project. We intentionally limited that outright because the hardware is ultimately owned/controlled as part of the system in the scoped model. In part because an administrator using a system scoped token surely has access to troubleshoot, whereas a project scoped admin may... or may not have any access to do troubleshooting as they may have authority through delegation.\n\nI\u0027ve already floated the idea. No objections have been received, just human time/energy as the limiting factor in writing the new entries and related tests.\n\n\u003e  [2]https://github.com/openstack/ironic/blob/8aaf2e08c074e786767a24adbbe3afec5ff622c3/ironic/common/policy.py#L65\n\u003e  \n\u003e 3rd thing to note here is we need to keep enforce_scope always as configurable which we thought of making it hardcoded (means scope check cannot be disabled).\n\u003e \n\u003e You brought good point about mixed deployment along with ironic as standalone deployment. 
We should bring Ironic team here for discussion and if we can remove the scope things from there too?\n\nI think it is unlikely for us as Ironic to do anything to hinder operators\u0027 usage or flexibility... which makes me wonder sort of the same overall question, do \"we need to keep enforce scope always as configurable\"?\n\nHonestly, as the entire rbac debate continues to go around and around, I\u0027m starting to suspect the actual removal of our deprecated policies is unlikely to ever happen.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"9fb6e0f907776d4b953ff9bab0813e3018a11350","unresolved":true,"context_lines":[{"line_number":221,"context_line":"  (`scope_type` to `project` only). Keeping everything as `project` scoped will make"},{"line_number":222,"context_line":"  sure if system scoped token (which does not have project_id) is used to perform"},{"line_number":223,"context_line":"  operation in service like nova, neutron will fail early with 403 instead of failing it"},{"line_number":224,"context_line":"  in the lower layer than policy enforcement."},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"So, where do we go from here?"},{"line_number":227,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"d1edbcaf_dbc2cc49","line":224,"in_reply_to":"a7bb73f9_b8fbd18b","updated":"2022-06-29 17:51:51.000000000","message":"I think that\u0027s the subtext here, and what we discussed in person. I\u0027m not very familiar with what Ironic has done here, and I know Ironic is somewhat of a unique case in general. 
Talking to one other large operator, they said \"ironic\u0027s system scope stuff is great, except we have to override everything in practice to get it to work\", which might be similar to yours?\n\nI would think that it\u0027s likely that if you\u0027ve got a big deployment with ironic and nova, and the same set of admins, that disabling system scope in ironic is necessary. Alternately, maybe the ironic admins need to do something slightly different, like get a system-scoped token before hitting ironic?\n\nEither way, I think you\u0027re getting the idea that we\u0027re trying to salvage some of the work that has been done to get the 90% case that almost everyone cares most about.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"19a20ba193996e15ecfeef34adbdd8c9ec502aa6","unresolved":true,"context_lines":[{"line_number":221,"context_line":"  (`scope_type` to `project` only). Keeping everything as `project` scoped will make"},{"line_number":222,"context_line":"  sure if system scoped token (which does not have project_id) is used to perform"},{"line_number":223,"context_line":"  operation in service like nova, neutron will fail early with 403 instead of failing it"},{"line_number":224,"context_line":"  in the lower layer than policy enforcement."},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"So, where do we go from here?"},{"line_number":227,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"82b70841_f0789c5f","line":224,"in_reply_to":"d1edbcaf_dbc2cc49","updated":"2022-06-29 18:35:57.000000000","message":"This is issue. here Ironic I mean only when it is used as \u0027standalone\u0027 (should have mentioned it explicitly). 
If ironic is used in deployment with any other OpenStack service (like your case) then this would not work and we will end up with same issue we faced when we implemented in nova and rest other service did not (means scope will be usable only when all OpenStack services implement it) so that operator does not need to switch the token from system to project for admin kind of things.\n\n\u003eI assume I can turn off scope checking in ironic, and its just like it always used to be?\n\nWith the current implementation of new rules and when old deprecation rule goes away, it will not work. To make old admin keep working for them they need to do two things:\n\n1. Decouple the scope from rule check_str:\n\nIronic still has the scope coupling in check_str[1] and disable enforce_scope is kind of no-op there. They can fix that the way nova fixed in yoga cycle (https://review.opendev.org/q/topic:bp%252Fpolicy-defaults-refresh-2)\n \n[1] https://github.com/openstack/ironic/blob/8aaf2e08c074e786767a24adbbe3afec5ff622c3/ironic/common/policy.py#L46\n\n2. Remove the Project-admin concept:\n\nFor project level admin operation, admin has been converted to Project_admin (role: admin and project_id)[2]. We need to either revert that to role:admin or add role:admin access also along with project_admin \n\n [2]https://github.com/openstack/ironic/blob/8aaf2e08c074e786767a24adbbe3afec5ff622c3/ironic/common/policy.py#L65\n \n3rd thing to note here is we need to keep enforce_scope always as configurable which we thought of making it hardcoded (means scope check cannot be disabled).\n\nYou brought good point about mixed deployment along with ironic as standalone deployment. 
We should bring Ironic team here for discussion and if we can remove the scope things from there too?","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"3ee9f7ef2b4ab18dc87ffb5e9767911ea121c2a1","unresolved":true,"context_lines":[{"line_number":257,"context_line":"the `scope_type` in their policy. This section will provide a clear direction for"},{"line_number":258,"context_line":"such project as well as if any new projects want to implement the `scope`."},{"line_number":259,"context_line":""},{"line_number":260,"context_line":"* If your service is standalone like Ironic then you can still have the `scope`"},{"line_number":261,"context_line":"  implementation as long as it does not break any cross-service communication."},{"line_number":262,"context_line":""},{"line_number":263,"context_line":"* Project (non standalone services) who have already implemented the `scope` for"}],"source_content_type":"text/x-rst","patch_set":5,"id":"5fe7a056_3306f9f2","line":260,"updated":"2022-06-29 17:39:05.000000000","message":"I don\u0027t understand the implications of this statement (yet). I know ironic works well standalone, but that isn\u0027t how my customers use it.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"9fb6e0f907776d4b953ff9bab0813e3018a11350","unresolved":true,"context_lines":[{"line_number":257,"context_line":"the `scope_type` in their policy. 
This section will provide a clear direction for"},{"line_number":258,"context_line":"such project as well as if any new projects want to implement the `scope`."},{"line_number":259,"context_line":""},{"line_number":260,"context_line":"* If your service is standalone like Ironic then you can still have the `scope`"},{"line_number":261,"context_line":"  implementation as long as it does not break any cross-service communication."},{"line_number":262,"context_line":""},{"line_number":263,"context_line":"* Project (non standalone services) who have already implemented the `scope` for"}],"source_content_type":"text/x-rst","patch_set":5,"id":"910a8680_722ee673","line":260,"in_reply_to":"5fe7a056_3306f9f2","updated":"2022-06-29 17:51:51.000000000","message":"We probably need some better words here from someone that understands the nuts and bolts. However, I think the statement here is: \"If your ironic is suitably standalone, then you can probably keep system scope on\", but the \"as long as it does not break any cross-service communication\" is the important bit. I don\u0027t think that making ironic admins do something slightly different when administering ironic vs. nova is necessarily a problem (we were already heading down that path to begin with), but it also might mean that in practice people keep it turned off.\n\nI dunno, we need ironic-knowing people to chime in here.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e8464ee4a45959cd3223a27a4908da2845c6d02c","unresolved":true,"context_lines":[{"line_number":257,"context_line":"the `scope_type` in their policy. 
This section will provide a clear direction for"},{"line_number":258,"context_line":"such project as well as if any new projects want to implement the `scope`."},{"line_number":259,"context_line":""},{"line_number":260,"context_line":"* If your service is standalone like Ironic then you can still have the `scope`"},{"line_number":261,"context_line":"  implementation as long as it does not break any cross-service communication."},{"line_number":262,"context_line":""},{"line_number":263,"context_line":"* Project (non standalone services) who have already implemented the `scope` for"}],"source_content_type":"text/x-rst","patch_set":5,"id":"b730c185_358749e4","line":260,"in_reply_to":"691f516d_371e288b","updated":"2022-06-29 22:50:29.000000000","message":"At the end of the day, it all comes down to what user someone configures in their nova-compute.conf file to talk to ironic. If that user is system scoped, or not access. Amazingly enough, system scoped access just works in that context, and we have a CI job to prove it.\n\nI believe the fundamental issue here is we\u0027re conflating things like standalone service usage with access models.\n\nIt might be better to just state \"There are cases where some services (like ironic) enable the use of a system scoped access model, and that is okay.\" Kind of going back to what Dan said elsewhere, OpenStack is trying to reach the 90%. Ironic worked to the overall end goal because it was the same amount of overall work and with some extra unit tests, and there is still compelling reason to keep the usage moving forward, but maybe not for every service, since in Ironic\u0027s case we\u0027re talking about physical assets and a global view is a necessary first class use. We can\u0027t allow one project admin to see all of the other project\u0027s resources that they don\u0027t have explicit access to. 
There is also a finite amount of human resources combined with work already completed, *and* use in the field at this point, so doing anything aside from leaving it as-is and enabling the newly identified access models/patterns, is ultimately kind of harmful.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"19a20ba193996e15ecfeef34adbdd8c9ec502aa6","unresolved":true,"context_lines":[{"line_number":257,"context_line":"the `scope_type` in their policy. This section will provide a clear direction for"},{"line_number":258,"context_line":"such project as well as if any new projects want to implement the `scope`."},{"line_number":259,"context_line":""},{"line_number":260,"context_line":"* If your service is standalone like Ironic then you can still have the `scope`"},{"line_number":261,"context_line":"  implementation as long as it does not break any cross-service communication."},{"line_number":262,"context_line":""},{"line_number":263,"context_line":"* Project (non standalone services) who have already implemented the `scope` for"}],"source_content_type":"text/x-rst","patch_set":5,"id":"691f516d_371e288b","line":260,"in_reply_to":"910a8680_722ee673","updated":"2022-06-29 18:35:57.000000000","message":"yeah, if we consider Ironic with nova and other service deployments, then we should keep scope things the same as any other service, which means dropping the system scope.\n\nYes, I will ping Ironic people to provide their opinion on the use case here.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"aa35074c6ec945e4452fec2509f73a680687cd86","unresolved":false,"context_lines":[{"line_number":257,"context_line":"the `scope_type` in their 
policy. This section will provide a clear direction for"},{"line_number":258,"context_line":"such project as well as if any new projects want to implement the `scope`."},{"line_number":259,"context_line":""},{"line_number":260,"context_line":"* If your service is standalone like Ironic then you can still have the `scope`"},{"line_number":261,"context_line":"  implementation as long as it does not break any cross-service communication."},{"line_number":262,"context_line":""},{"line_number":263,"context_line":"* Project (non standalone services) who have already implemented the `scope` for"}],"source_content_type":"text/x-rst","patch_set":5,"id":"0e182ae1_493acd64","line":260,"in_reply_to":"977f5f88_85890b94","updated":"2022-06-30 21:58:56.000000000","message":"Done","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"943b6a3b15fdbfec2e61b02b2e909ff362fb840e","unresolved":true,"context_lines":[{"line_number":257,"context_line":"the `scope_type` in their policy. This section will provide a clear direction for"},{"line_number":258,"context_line":"such project as well as if any new projects want to implement the `scope`."},{"line_number":259,"context_line":""},{"line_number":260,"context_line":"* If your service is standalone like Ironic then you can still have the `scope`"},{"line_number":261,"context_line":"  implementation as long as it does not break any cross-service communication."},{"line_number":262,"context_line":""},{"line_number":263,"context_line":"* Project (non standalone services) who have already implemented the `scope` for"}],"source_content_type":"text/x-rst","patch_set":5,"id":"977f5f88_85890b94","line":260,"in_reply_to":"b730c185_358749e4","updated":"2022-06-30 11:09:48.000000000","message":"I totally agree that Ironic having scope can be very useful. 
You have that working, so we should keep that working, for sure.\n\nThank you for testing the nova.conf setup there, that sounds good. I wasn\u0027t overly worried by that, but super happy that it works for sure.\n\nMy case is more the Nova users that create servers wanting to find their pet baremetal node to target via --availability_zone::\u003cironic-uuid\u003e\n\nWe do this today via a simple policy tweak, so some project members also get baremetal-observer, so they can list baremetal nodes using their project token. I mean yes, it\u0027s an abomination, but it\u0027s also a nice trade off. (These people are typically running large Slurm clusters, or similar network latency sensitive workloads).\n\nIt sounds like I can still make that work via some policy tweaks, which is cool. I just don\u0027t like the idea of needing to patch the code to make that work. It\u0027s something a bit odd, so I don\u0027t expect it out the box (although clearly I am not against making that easier, but that is out of scope here).\n\ntl;dr\nI am happy we agree on the direction, and it\u0027s a good direction.\nMaybe we should say something like this?\n\n    Ironic has made good use of system scope, and has some users adopting it.\n    We must not break these users while making project_reader work for\n    Nova, Cinder, Neutron, Keystone, Heat, et al.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"3ee9f7ef2b4ab18dc87ffb5e9767911ea121c2a1","unresolved":true,"context_lines":[{"line_number":333,"context_line":"            }"},{"line_number":334,"context_line":"        ],"},{"line_number":335,"context_line":"    
)"},{"line_number":336,"context_line":""},{"line_number":337,"context_line":""},{"line_number":338,"context_line":"`project-member`:"},{"line_number":339,"context_line":"~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":5,"id":"0666af9b_70d05a36","line":336,"updated":"2022-06-29 17:39:05.000000000","message":"To be explicit: this excites me because it means I can add users into a project as a reader, then create some new role \"foobar\" which allows them to do select operations on top, like \"reboot\" or maybe \"live-migration\"... without worrying that means they can delete volumes.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"9fb6e0f907776d4b953ff9bab0813e3018a11350","unresolved":true,"context_lines":[{"line_number":333,"context_line":"            }"},{"line_number":334,"context_line":"        ],"},{"line_number":335,"context_line":"    )"},{"line_number":336,"context_line":""},{"line_number":337,"context_line":""},{"line_number":338,"context_line":"`project-member`:"},{"line_number":339,"context_line":"~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":5,"id":"4f2865cd_8ca3bf20","line":336,"in_reply_to":"0666af9b_70d05a36","updated":"2022-06-29 17:51:51.000000000","message":"Right, this is _critical_ and really silly that we\u0027re here in 2022 and this is still not possible. 
My primary goal here is to make sure we can get to this spot and not let system scope or the admin problem (which it turns out is not as important to people) cloud over that.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"19a20ba193996e15ecfeef34adbdd8c9ec502aa6","unresolved":true,"context_lines":[{"line_number":333,"context_line":"            }"},{"line_number":334,"context_line":"        ],"},{"line_number":335,"context_line":"    )"},{"line_number":336,"context_line":""},{"line_number":337,"context_line":""},{"line_number":338,"context_line":"`project-member`:"},{"line_number":339,"context_line":"~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":5,"id":"d927a16a_2365366a","line":336,"in_reply_to":"4f2865cd_8ca3bf20","updated":"2022-06-29 18:35:57.000000000","message":"+1. \"give me a testing role in project and I just want to run test and then I am able to delete anyone server in that project :)\"","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"943b6a3b15fdbfec2e61b02b2e909ff362fb840e","unresolved":false,"context_lines":[{"line_number":333,"context_line":"            }"},{"line_number":334,"context_line":"        ],"},{"line_number":335,"context_line":"    )"},{"line_number":336,"context_line":""},{"line_number":337,"context_line":""},{"line_number":338,"context_line":"`project-member`:"},{"line_number":339,"context_line":"~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":5,"id":"f13aeaf5_a414de65","line":336,"in_reply_to":"d927a16a_2365366a","updated":"2022-06-30 11:09:48.000000000","message":"I got quite embarrassed discussing this with a customer the other 
day.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"3ee9f7ef2b4ab18dc87ffb5e9767911ea121c2a1","unresolved":true,"context_lines":[{"line_number":498,"context_line":"These new personas fix the existing issue where any user having any role within"},{"line_number":499,"context_line":"project (for example \u0027foo\u0027 role) can create, delete the resources in that project."},{"line_number":500,"context_line":"It also provides the ability for the operator to assign the read-only role for cloud"},{"line_number":501,"context_line":"audit."},{"line_number":502,"context_line":""},{"line_number":503,"context_line":"Phase 2"},{"line_number":504,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"c64b8ff9_24c05cc8","line":501,"updated":"2022-06-29 17:39:05.000000000","message":"I don\u0027t think this fixes cloud audit really, but I don\u0027t think that matters right now. Maybe remove that bit?\n\nHow would cloud audit work ... you need to have reader in all projects, so inherited for the whole domain... but how do you list all the projects? You need something more privileged than \"reader\" in keystone? It\u0027s a bit like domain_manager (similar to project_manager)? 
I guess keystone has something like this in the scoped token world?","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"69b88530e6a221432af6e8599049e3087f047dc4","unresolved":false,"context_lines":[{"line_number":498,"context_line":"These new personas fix the existing issue where any user having any role within"},{"line_number":499,"context_line":"project (for example \u0027foo\u0027 role) can create, delete the resources in that project."},{"line_number":500,"context_line":"It also provides the ability for the operator to assign the read-only role for cloud"},{"line_number":501,"context_line":"audit."},{"line_number":502,"context_line":""},{"line_number":503,"context_line":"Phase 2"},{"line_number":504,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"8908755c_6fee4226","line":501,"in_reply_to":"2fc1c399_f5f9029e","updated":"2022-07-01 13:50:54.000000000","message":"IIRC, we have a specific requirement for an \"auditor\" role that does *not* mean a global auditor (for security reasons). 
So I think it\u0027s worth keeping in here.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"19a20ba193996e15ecfeef34adbdd8c9ec502aa6","unresolved":true,"context_lines":[{"line_number":498,"context_line":"These new personas fix the existing issue where any user having any role within"},{"line_number":499,"context_line":"project (for example \u0027foo\u0027 role) can create, delete the resources in that project."},{"line_number":500,"context_line":"It also provides the ability for the operator to assign the read-only role for cloud"},{"line_number":501,"context_line":"audit."},{"line_number":502,"context_line":""},{"line_number":503,"context_line":"Phase 2"},{"line_number":504,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"fc6d60c0_3261cb7c","line":501,"in_reply_to":"83e7efe3_7647a0f6","updated":"2022-06-29 18:35:57.000000000","message":"Agree, it solves the audit within project but not global audit. 
Maybe sometime later we can add a global_reader role or so.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"aa35074c6ec945e4452fec2509f73a680687cd86","unresolved":false,"context_lines":[{"line_number":498,"context_line":"These new personas fix the existing issue where any user having any role within"},{"line_number":499,"context_line":"project (for example \u0027foo\u0027 role) can create, delete the resources in that project."},{"line_number":500,"context_line":"It also provides the ability for the operator to assign the read-only role for cloud"},{"line_number":501,"context_line":"audit."},{"line_number":502,"context_line":""},{"line_number":503,"context_line":"Phase 2"},{"line_number":504,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"2fc1c399_f5f9029e","line":501,"in_reply_to":"b2e54398_3040110c","updated":"2022-06-30 21:58:56.000000000","message":"yeah. 
I will modify this line to explicitly about project audits vs global audits","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"9fb6e0f907776d4b953ff9bab0813e3018a11350","unresolved":true,"context_lines":[{"line_number":498,"context_line":"These new personas fix the existing issue where any user having any role within"},{"line_number":499,"context_line":"project (for example \u0027foo\u0027 role) can create, delete the resources in that project."},{"line_number":500,"context_line":"It also provides the ability for the operator to assign the read-only role for cloud"},{"line_number":501,"context_line":"audit."},{"line_number":502,"context_line":""},{"line_number":503,"context_line":"Phase 2"},{"line_number":504,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"83e7efe3_7647a0f6","line":501,"in_reply_to":"c64b8ff9_24c05cc8","updated":"2022-06-29 17:51:51.000000000","message":"It helps the audit case, just not necessarily the \"global I can read anything\" audit case, yeah.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"12787330317aff25203fda5ef48bb44f6922b8b4","unresolved":false,"context_lines":[{"line_number":498,"context_line":"These new personas fix the existing issue where any user having any role within"},{"line_number":499,"context_line":"project (for example \u0027foo\u0027 role) can create, delete the resources in that project."},{"line_number":500,"context_line":"It also provides the ability for the operator to assign the read-only role for cloud"},{"line_number":501,"context_line":"audit."},{"line_number":502,"context_line":""},{"line_number":503,"context_line":"Phase 
2"},{"line_number":504,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"b2e54398_3040110c","line":501,"in_reply_to":"df458b35_ab9ce686","updated":"2022-06-30 11:13:21.000000000","message":"Ack","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"943b6a3b15fdbfec2e61b02b2e909ff362fb840e","unresolved":true,"context_lines":[{"line_number":498,"context_line":"These new personas fix the existing issue where any user having any role within"},{"line_number":499,"context_line":"project (for example \u0027foo\u0027 role) can create, delete the resources in that project."},{"line_number":500,"context_line":"It also provides the ability for the operator to assign the read-only role for cloud"},{"line_number":501,"context_line":"audit."},{"line_number":502,"context_line":""},{"line_number":503,"context_line":"Phase 2"},{"line_number":504,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"df458b35_ab9ce686","line":501,"in_reply_to":"fc6d60c0_3261cb7c","updated":"2022-06-30 11:09:48.000000000","message":"OK, sounds like we are agreed here. I just worry someone reads this and gets upset when their global audit has to use global admin still. Maybe just remove that sentence for now?","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"3ee9f7ef2b4ab18dc87ffb5e9767911ea121c2a1","unresolved":true,"context_lines":[{"line_number":510,"context_line":"``service`` role. This is an important part in reducing authorization for each"},{"line_number":511,"context_line":"service. 
For example, neutron needs to inform nova about network changes, but"},{"line_number":512,"context_line":"it shouldn\u0027t need the ability to create new users and groups in keystone, which"},{"line_number":513,"context_line":"it currently has."},{"line_number":514,"context_line":""},{"line_number":515,"context_line":"Phase 3"},{"line_number":516,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"923ea24b_2bd04316","line":513,"updated":"2022-06-29 17:39:05.000000000","message":"And to aid transition, I assume it would be role:sevice with the deprecated rule of role:admin ?","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"19a20ba193996e15ecfeef34adbdd8c9ec502aa6","unresolved":true,"context_lines":[{"line_number":510,"context_line":"``service`` role. This is an important part in reducing authorization for each"},{"line_number":511,"context_line":"service. For example, neutron needs to inform nova about network changes, but"},{"line_number":512,"context_line":"it shouldn\u0027t need the ability to create new users and groups in keystone, which"},{"line_number":513,"context_line":"it currently has."},{"line_number":514,"context_line":""},{"line_number":515,"context_line":"Phase 3"},{"line_number":516,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"bd854bd8_300afdc8","line":513,"in_reply_to":"923ea24b_2bd04316","updated":"2022-06-29 18:35:57.000000000","message":"good question, I am thinking to do only role:service for the API which is purely for internal usage. and if APIs for both usage internal and external then  yes \u0027role:service or role:admin\u0027\n\nIt is hard to say this is purely internal as it might have been used somewhere like nova swap volume  API. 
But having access to such API to \u0027role:service\u0027 only can give a good notification to users?","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"12787330317aff25203fda5ef48bb44f6922b8b4","unresolved":false,"context_lines":[{"line_number":510,"context_line":"``service`` role. This is an important part in reducing authorization for each"},{"line_number":511,"context_line":"service. For example, neutron needs to inform nova about network changes, but"},{"line_number":512,"context_line":"it shouldn\u0027t need the ability to create new users and groups in keystone, which"},{"line_number":513,"context_line":"it currently has."},{"line_number":514,"context_line":""},{"line_number":515,"context_line":"Phase 3"},{"line_number":516,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"cda4bc4f_d997a987","line":513,"in_reply_to":"bd854bd8_300afdc8","updated":"2022-06-30 11:13:21.000000000","message":"I am specifically thinking about kolla-ansible and upgrade here. At the moment most of those users are admin users, and do not have the service role. So we need a release where we add the service role before adopting the defaults, I think. I guess the deprecated rule will probably cover us here.\n\nIts probably a detail for code review I guess.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"aa35074c6ec945e4452fec2509f73a680687cd86","unresolved":false,"context_lines":[{"line_number":510,"context_line":"``service`` role. This is an important part in reducing authorization for each"},{"line_number":511,"context_line":"service. 
For example, neutron needs to inform nova about network changes, but"},{"line_number":512,"context_line":"it shouldn\u0027t need the ability to create new users and groups in keystone, which"},{"line_number":513,"context_line":"it currently has."},{"line_number":514,"context_line":""},{"line_number":515,"context_line":"Phase 3"},{"line_number":516,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"031715e1_b549bb97","line":513,"in_reply_to":"cda4bc4f_d997a987","updated":"2022-06-30 21:58:56.000000000","message":"Yeah, removal of old deprecated rule is planned at the end but I am sure that will be more delay as we always deprecated things for longer.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"3ee9f7ef2b4ab18dc87ffb5e9767911ea121c2a1","unresolved":true,"context_lines":[{"line_number":518,"context_line":"Implement support for `project-manager` personas"},{"line_number":519,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":520,"context_line":""},{"line_number":521,"context_line":"`project-manager`:"},{"line_number":522,"context_line":"~~~~~~~~~~~~~~~~~~"},{"line_number":523,"context_line":""},{"line_number":524,"context_line":"`project-manager` used for project-level administrative APIs and is denoted by"}],"source_content_type":"text/x-rst","patch_set":5,"id":"b47fb5c2_17a48aca","line":521,"updated":"2022-06-29 17:39:05.000000000","message":"tl;dr I think this is a distraction from project-reader","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"19a20ba193996e15ecfeef34adbdd8c9ec502aa6","unresolved":true,"context_lines":[{"line_number":518,"context_line":"Implement 
support for `project-manager` personas"},{"line_number":519,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":520,"context_line":""},{"line_number":521,"context_line":"`project-manager`:"},{"line_number":522,"context_line":"~~~~~~~~~~~~~~~~~~"},{"line_number":523,"context_line":""},{"line_number":524,"context_line":"`project-manager` used for project-level administrative APIs and is denoted by"}],"source_content_type":"text/x-rst","patch_set":5,"id":"c1da5630_7fbf013a","line":521,"in_reply_to":"17dadc86_fc159b64","updated":"2022-06-29 18:35:57.000000000","message":"The only purpose of this is to have a separate project level admin access role. So that operator can assign project manager role instead of assigning global admin role to people want to do admin things in a project.\n\nBut yes we will focus on this after \u0027project reader\u0027 is done.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"9fb6e0f907776d4b953ff9bab0813e3018a11350","unresolved":true,"context_lines":[{"line_number":518,"context_line":"Implement support for `project-manager` personas"},{"line_number":519,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":520,"context_line":""},{"line_number":521,"context_line":"`project-manager`:"},{"line_number":522,"context_line":"~~~~~~~~~~~~~~~~~~"},{"line_number":523,"context_line":""},{"line_number":524,"context_line":"`project-manager` used for project-level administrative APIs and is denoted by"}],"source_content_type":"text/x-rst","patch_set":5,"id":"17dadc86_fc159b64","line":521,"in_reply_to":"b47fb5c2_17a48aca","updated":"2022-06-29 17:51:51.000000000","message":"I think that\u0027s why it\u0027s phase 3, i.e. 
\"after all the other stuff like project reader\".","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"943b6a3b15fdbfec2e61b02b2e909ff362fb840e","unresolved":false,"context_lines":[{"line_number":518,"context_line":"Implement support for `project-manager` personas"},{"line_number":519,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":520,"context_line":""},{"line_number":521,"context_line":"`project-manager`:"},{"line_number":522,"context_line":"~~~~~~~~~~~~~~~~~~"},{"line_number":523,"context_line":""},{"line_number":524,"context_line":"`project-manager` used for project-level administrative APIs and is denoted by"}],"source_content_type":"text/x-rst","patch_set":5,"id":"8f8e6fff_5f142f31","line":521,"in_reply_to":"c1da5630_7fbf013a","updated":"2022-06-30 11:09:48.000000000","message":"OK, fair enough. I think I missed the \"phase 3\"-ness of it.","commit_id":"20ea87284b9d06940cc122f76fead5112c548c8c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"69b88530e6a221432af6e8599049e3087f047dc4","unresolved":true,"context_lines":[{"line_number":215,"context_line":""},{"line_number":216,"context_line":"* Change the `scope` implementation to be `project` only"},{"line_number":217,"context_line":""},{"line_number":218,"context_line":"  Services implemented the `scope` implementation for example, Nova, Neutron, Octavia"},{"line_number":219,"context_line":"  etc or any project yet to implement it need to make everything scoped to `project`"},{"line_number":220,"context_line":"  (`scope_type` to `project` only). 
Keeping everything as `project` scoped will make sure"},{"line_number":221,"context_line":"  if system scoped token (which does not have project_id) is used to perform operation"}],"source_content_type":"text/x-rst","patch_set":7,"id":"6dbbcf43_cca840aa","line":218,"range":{"start_line":218,"start_character":23,"end_line":218,"end_character":49},"updated":"2022-07-01 13:50:54.000000000","message":"This is repetitive and doesn\u0027t sound quite right. Perhaps just change this to \"Services that have implemented scope\"","commit_id":"441f691afef949c22f8f449016d5ab2e9c6d3121"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1fe4daaa45904d06cd20c31bc4160612155ef258","unresolved":false,"context_lines":[{"line_number":215,"context_line":""},{"line_number":216,"context_line":"* Change the `scope` implementation to be `project` only"},{"line_number":217,"context_line":""},{"line_number":218,"context_line":"  Services implemented the `scope` implementation for example, Nova, Neutron, Octavia"},{"line_number":219,"context_line":"  etc or any project yet to implement it need to make everything scoped to `project`"},{"line_number":220,"context_line":"  (`scope_type` to `project` only). 
Keeping everything as `project` scoped will make sure"},{"line_number":221,"context_line":"  if system scoped token (which does not have project_id) is used to perform operation"}],"source_content_type":"text/x-rst","patch_set":7,"id":"70e67662_3e7855a7","line":218,"range":{"start_line":218,"start_character":23,"end_line":218,"end_character":49},"in_reply_to":"6dbbcf43_cca840aa","updated":"2022-07-01 15:34:12.000000000","message":"Done","commit_id":"441f691afef949c22f8f449016d5ab2e9c6d3121"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"69b88530e6a221432af6e8599049e3087f047dc4","unresolved":true,"context_lines":[{"line_number":217,"context_line":""},{"line_number":218,"context_line":"  Services implemented the `scope` implementation for example, Nova, Neutron, Octavia"},{"line_number":219,"context_line":"  etc or any project yet to implement it need to make everything scoped to `project`"},{"line_number":220,"context_line":"  (`scope_type` to `project` only). Keeping everything as `project` scoped will make sure"},{"line_number":221,"context_line":"  if system scoped token (which does not have project_id) is used to perform operation"},{"line_number":222,"context_line":"  in service like nova, neutron will fail early with 403 instead of failing it in the"},{"line_number":223,"context_line":"  lower layer than policy enforcement. One exception here is Ironic, who has implemented"}],"source_content_type":"text/x-rst","patch_set":7,"id":"35fd0b6a_103ee7c8","line":220,"updated":"2022-07-01 13:50:54.000000000","message":"This whole first sentence is hard to understand. Suggestion:\n\n Services with project resources that have already implemented\n scope (or have yet to) should make all policy rules set\n scope_types\u003d[\u0027project\u0027]. 
This will help ensure that any API\n operations performed with a system-scoped token will fail early,\n with a 403, instead of later in the process when a project_id\n is required. One exception here is Ironic, which has implemented\n scope and has some users adopting it. We must not break these\n users so it is okay to keep the scope implementation as-is.","commit_id":"441f691afef949c22f8f449016d5ab2e9c6d3121"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1fe4daaa45904d06cd20c31bc4160612155ef258","unresolved":false,"context_lines":[{"line_number":217,"context_line":""},{"line_number":218,"context_line":"  Services implemented the `scope` implementation for example, Nova, Neutron, Octavia"},{"line_number":219,"context_line":"  etc or any project yet to implement it need to make everything scoped to `project`"},{"line_number":220,"context_line":"  (`scope_type` to `project` only). Keeping everything as `project` scoped will make sure"},{"line_number":221,"context_line":"  if system scoped token (which does not have project_id) is used to perform operation"},{"line_number":222,"context_line":"  in service like nova, neutron will fail early with 403 instead of failing it in the"},{"line_number":223,"context_line":"  lower layer than policy enforcement. One exception here is Ironic, who has implemented"}],"source_content_type":"text/x-rst","patch_set":7,"id":"8c447d85_cd0fd102","line":220,"in_reply_to":"35fd0b6a_103ee7c8","updated":"2022-07-01 15:34:12.000000000","message":"Done","commit_id":"441f691afef949c22f8f449016d5ab2e9c6d3121"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"69b88530e6a221432af6e8599049e3087f047dc4","unresolved":true,"context_lines":[{"line_number":258,"context_line":"the `scope_type` in their policy. 
This section will provide a clear direction for"},{"line_number":259,"context_line":"such project as well as if any new projects want to implement the `scope`."},{"line_number":260,"context_line":""},{"line_number":261,"context_line":"* Ironic has implemented the `scope` and has some users adopting it. We must not"},{"line_number":262,"context_line":"  break these users so it is ok to keep scope implementation as it is."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"* Other projects who have already implemented the `scope` for example, Nova, Neutron,"}],"source_content_type":"text/x-rst","patch_set":7,"id":"2544a9a3_537e5891","line":261,"updated":"2022-07-01 13:50:54.000000000","message":"This duplicates what you say above, exactly. Maybe it\u0027s worth being extra explicit, but just thought I\u0027d point it out.","commit_id":"441f691afef949c22f8f449016d5ab2e9c6d3121"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1fe4daaa45904d06cd20c31bc4160612155ef258","unresolved":false,"context_lines":[{"line_number":258,"context_line":"the `scope_type` in their policy. This section will provide a clear direction for"},{"line_number":259,"context_line":"such project as well as if any new projects want to implement the `scope`."},{"line_number":260,"context_line":""},{"line_number":261,"context_line":"* Ironic has implemented the `scope` and has some users adopting it. 
We must not"},{"line_number":262,"context_line":"  break these users so it is ok to keep scope implementation as it is."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"* Other projects who have already implemented the `scope` for example, Nova, Neutron,"}],"source_content_type":"text/x-rst","patch_set":7,"id":"d1d3628d_5ffc3bb3","line":261,"in_reply_to":"2544a9a3_537e5891","updated":"2022-07-01 15:34:12.000000000","message":"Done","commit_id":"441f691afef949c22f8f449016d5ab2e9c6d3121"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"69b88530e6a221432af6e8599049e3087f047dc4","unresolved":true,"context_lines":[{"line_number":261,"context_line":"* Ironic has implemented the `scope` and has some users adopting it. We must not"},{"line_number":262,"context_line":"  break these users so it is ok to keep scope implementation as it is."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"* Other projects who have already implemented the `scope` for example, Nova, Neutron,"},{"line_number":265,"context_line":"  Octavia etc or any project who has not yet implemented it, need to make everything"},{"line_number":266,"context_line":"  scoped to `project` (`scope_type` to `project` only). 
Keeping everything as"},{"line_number":267,"context_line":"  `project` scoped will make sure to fail the system scoped token (which does not have"}],"source_content_type":"text/x-rst","patch_set":7,"id":"bfafcd98_9bc380a7","line":264,"range":{"start_line":264,"start_character":46,"end_line":264,"end_character":49},"updated":"2022-07-01 13:50:54.000000000","message":"s/the//","commit_id":"441f691afef949c22f8f449016d5ab2e9c6d3121"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1fe4daaa45904d06cd20c31bc4160612155ef258","unresolved":false,"context_lines":[{"line_number":261,"context_line":"* Ironic has implemented the `scope` and has some users adopting it. We must not"},{"line_number":262,"context_line":"  break these users so it is ok to keep scope implementation as it is."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"* Other projects who have already implemented the `scope` for example, Nova, Neutron,"},{"line_number":265,"context_line":"  Octavia etc or any project who has not yet implemented it, need to make everything"},{"line_number":266,"context_line":"  scoped to `project` (`scope_type` to `project` only). 
Keeping everything as"},{"line_number":267,"context_line":"  `project` scoped will make sure to fail the system scoped token (which does not have"}],"source_content_type":"text/x-rst","patch_set":7,"id":"0599bf05_33e9630d","line":264,"range":{"start_line":264,"start_character":46,"end_line":264,"end_character":49},"in_reply_to":"bfafcd98_9bc380a7","updated":"2022-07-01 15:34:12.000000000","message":"Done","commit_id":"441f691afef949c22f8f449016d5ab2e9c6d3121"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"69b88530e6a221432af6e8599049e3087f047dc4","unresolved":true,"context_lines":[{"line_number":262,"context_line":"  break these users so it is ok to keep scope implementation as it is."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"* Other projects who have already implemented the `scope` for example, Nova, Neutron,"},{"line_number":265,"context_line":"  Octavia etc or any project who has not yet implemented it, need to make everything"},{"line_number":266,"context_line":"  scoped to `project` (`scope_type` to `project` only). 
Keeping everything as"},{"line_number":267,"context_line":"  `project` scoped will make sure to fail the system scoped token (which does not have"},{"line_number":268,"context_line":"  project_id) early with 403 instead of failing it with 500 in the lower layer."}],"source_content_type":"text/x-rst","patch_set":7,"id":"4410da4a_bd652288","line":265,"range":{"start_line":265,"start_character":61,"end_line":265,"end_character":68},"updated":"2022-07-01 13:50:54.000000000","message":"should","commit_id":"441f691afef949c22f8f449016d5ab2e9c6d3121"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1fe4daaa45904d06cd20c31bc4160612155ef258","unresolved":false,"context_lines":[{"line_number":262,"context_line":"  break these users so it is ok to keep scope implementation as it is."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"* Other projects who have already implemented the `scope` for example, Nova, Neutron,"},{"line_number":265,"context_line":"  Octavia etc or any project who has not yet implemented it, need to make everything"},{"line_number":266,"context_line":"  scoped to `project` (`scope_type` to `project` only). 
Keeping everything as"},{"line_number":267,"context_line":"  `project` scoped will make sure to fail the system scoped token (which does not have"},{"line_number":268,"context_line":"  project_id) early with 403 instead of failing it with 500 in the lower layer."}],"source_content_type":"text/x-rst","patch_set":7,"id":"aff6e200_416c0ab1","line":265,"range":{"start_line":265,"start_character":61,"end_line":265,"end_character":68},"in_reply_to":"4410da4a_bd652288","updated":"2022-07-01 15:34:12.000000000","message":"Done","commit_id":"441f691afef949c22f8f449016d5ab2e9c6d3121"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"69b88530e6a221432af6e8599049e3087f047dc4","unresolved":true,"context_lines":[{"line_number":264,"context_line":"* Other projects who have already implemented the `scope` for example, Nova, Neutron,"},{"line_number":265,"context_line":"  Octavia etc or any project who has not yet implemented it, need to make everything"},{"line_number":266,"context_line":"  scoped to `project` (`scope_type` to `project` only). 
Keeping everything as"},{"line_number":267,"context_line":"  `project` scoped will make sure to fail the system scoped token (which does not have"},{"line_number":268,"context_line":"  project_id) early with 403 instead of failing it with 500 in the lower layer."},{"line_number":269,"context_line":""},{"line_number":270,"context_line":"* Keystone will continue supporting the `scope` implementation for deployment"}],"source_content_type":"text/x-rst","patch_set":7,"id":"5b5f5c98_5903c3db","line":267,"range":{"start_line":267,"start_character":41,"end_line":267,"end_character":45},"updated":"2022-07-01 13:50:54.000000000","message":"\"...operations performed with a system...\"","commit_id":"441f691afef949c22f8f449016d5ab2e9c6d3121"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1fe4daaa45904d06cd20c31bc4160612155ef258","unresolved":false,"context_lines":[{"line_number":264,"context_line":"* Other projects who have already implemented the `scope` for example, Nova, Neutron,"},{"line_number":265,"context_line":"  Octavia etc or any project who has not yet implemented it, need to make everything"},{"line_number":266,"context_line":"  scoped to `project` (`scope_type` to `project` only). 
Keeping everything as"},{"line_number":267,"context_line":"  `project` scoped will make sure to fail the system scoped token (which does not have"},{"line_number":268,"context_line":"  project_id) early with 403 instead of failing it with 500 in the lower layer."},{"line_number":269,"context_line":""},{"line_number":270,"context_line":"* Keystone will continue supporting the `scope` implementation for deployment"}],"source_content_type":"text/x-rst","patch_set":7,"id":"10355d1d_3d3bc4dc","line":267,"range":{"start_line":267,"start_character":41,"end_line":267,"end_character":45},"in_reply_to":"5b5f5c98_5903c3db","updated":"2022-07-01 15:34:12.000000000","message":"Done","commit_id":"441f691afef949c22f8f449016d5ab2e9c6d3121"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"5d8a48d0c7c3dd86696b575b8297d42729447488","unresolved":true,"context_lines":[{"line_number":252,"context_line":"Change in `scope` implementation"},{"line_number":253,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":254,"context_line":""},{"line_number":255,"context_line":"There are some project like nova, neutron, ironic, octavia have already implemented"},{"line_number":256,"context_line":"the `scope_type` in their policy. 
This section will provide a clear direction for"},{"line_number":257,"context_line":"such project as well as if any new projects want to implement the `scope`."},{"line_number":258,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"f72b9da2_82bee83e","line":255,"updated":"2022-07-04 15:07:53.000000000","message":"nitty nit: projects","commit_id":"e479b882559d096f1aae332eeebd537b18b4912c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f15defde7b230722b4e11872c90dce1c727e8604","unresolved":false,"context_lines":[{"line_number":252,"context_line":"Change in `scope` implementation"},{"line_number":253,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":254,"context_line":""},{"line_number":255,"context_line":"There are some project like nova, neutron, ironic, octavia have already implemented"},{"line_number":256,"context_line":"the `scope_type` in their policy. This section will provide a clear direction for"},{"line_number":257,"context_line":"such project as well as if any new projects want to implement the `scope`."},{"line_number":258,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"b44d1e39_7c814d0c","line":255,"in_reply_to":"f72b9da2_82bee83e","updated":"2022-07-06 16:29:00.000000000","message":"Done","commit_id":"e479b882559d096f1aae332eeebd537b18b4912c"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"5d8a48d0c7c3dd86696b575b8297d42729447488","unresolved":true,"context_lines":[{"line_number":267,"context_line":""},{"line_number":268,"context_line":"* Keystone will continue supporting the `scope` implementation for deployment"},{"line_number":269,"context_line":"  moved/can move to `system scope` enable for example, ironic + keystone. 
But we need to"},{"line_number":270,"context_line":"  make sure it also work for the deployment does not use `system scope` token means"},{"line_number":271,"context_line":"  continue working with the project scoped token. For that we need to do two changes in"},{"line_number":272,"context_line":"  keystone:"},{"line_number":273,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"28239652_482a49f9","line":270,"updated":"2022-07-04 15:07:53.000000000","message":"nit: works","commit_id":"e479b882559d096f1aae332eeebd537b18b4912c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f15defde7b230722b4e11872c90dce1c727e8604","unresolved":false,"context_lines":[{"line_number":267,"context_line":""},{"line_number":268,"context_line":"* Keystone will continue supporting the `scope` implementation for deployment"},{"line_number":269,"context_line":"  moved/can move to `system scope` enable for example, ironic + keystone. But we need to"},{"line_number":270,"context_line":"  make sure it also work for the deployment does not use `system scope` token means"},{"line_number":271,"context_line":"  continue working with the project scoped token. 
For that we need to do two changes in"},{"line_number":272,"context_line":"  keystone:"},{"line_number":273,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"aa94a8e4_579286cd","line":270,"in_reply_to":"28239652_482a49f9","updated":"2022-07-06 16:29:00.000000000","message":"Done","commit_id":"e479b882559d096f1aae332eeebd537b18b4912c"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"5d8a48d0c7c3dd86696b575b8297d42729447488","unresolved":true,"context_lines":[{"line_number":559,"context_line":"`project-manager` used for project-level administrative APIs and is denoted by"},{"line_number":560,"context_line":"someone with the ``manager`` role on a project and operate within the own project."},{"line_number":561,"context_line":"It is intended to perform more privileged operation than `project-member` on its"},{"line_number":562,"context_line":"project resource. From existing policy point of view, we can say this a \u0027admin\u0027 at"},{"line_number":563,"context_line":"project level but we will not use the term \u0027admin\u0027 as it can be confused with the"},{"line_number":564,"context_line":"\u0027legacy admin (``admin``)\u0027. It can do all the operations that the ``admin`` role user"},{"line_number":565,"context_line":"can do on project level resources but within its own project. 
For example, it can"}],"source_content_type":"text/x-rst","patch_set":8,"id":"1bd924eb_27d89d17","line":562,"range":{"start_line":562,"start_character":70,"end_line":562,"end_character":71},"updated":"2022-07-04 15:07:53.000000000","message":"nit: I think it\u0027s not needed here","commit_id":"e479b882559d096f1aae332eeebd537b18b4912c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f15defde7b230722b4e11872c90dce1c727e8604","unresolved":false,"context_lines":[{"line_number":559,"context_line":"`project-manager` used for project-level administrative APIs and is denoted by"},{"line_number":560,"context_line":"someone with the ``manager`` role on a project and operate within the own project."},{"line_number":561,"context_line":"It is intended to perform more privileged operation than `project-member` on its"},{"line_number":562,"context_line":"project resource. From existing policy point of view, we can say this a \u0027admin\u0027 at"},{"line_number":563,"context_line":"project level but we will not use the term \u0027admin\u0027 as it can be confused with the"},{"line_number":564,"context_line":"\u0027legacy admin (``admin``)\u0027. It can do all the operations that the ``admin`` role user"},{"line_number":565,"context_line":"can do on project level resources but within its own project. 
For example, it can"}],"source_content_type":"text/x-rst","patch_set":8,"id":"bfbecf05_efd7dd20","line":562,"range":{"start_line":562,"start_character":70,"end_line":562,"end_character":71},"in_reply_to":"1bd924eb_27d89d17","updated":"2022-07-06 16:29:00.000000000","message":"Done","commit_id":"e479b882559d096f1aae332eeebd537b18b4912c"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"62bafe5e8a0cd861c9061a0a722ca3a9a1c03d75","unresolved":true,"context_lines":[{"line_number":505,"context_line":"   - *Create new volume types*"},{"line_number":506,"context_line":"   - *Move pre-existing volumes in and out of projects*"},{"line_number":507,"context_line":"   - *Create or delete HSM transport keys*"},{"line_number":508,"context_line":"   - *Create physical provider networks*"},{"line_number":509,"context_line":""},{"line_number":510,"context_line":"- Project Member"},{"line_number":511,"context_line":"   - Denoted by someone with the ``member`` role on a project"}],"source_content_type":"text/x-rst","patch_set":9,"id":"5d6dccf3_cc222ac2","line":508,"updated":"2022-07-07 06:00:39.000000000","message":"sorry for nit picking but this is already in L503 :)\nI simply removed duplicate line to not hold this change more.","commit_id":"f67b41cdee5b0e01f0c6ef1fbb4e33f0f084beeb"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"7646c75e291eb37372a97c1d13b1b4d2e4d1567a","unresolved":true,"context_lines":[{"line_number":505,"context_line":"   - *Create new volume types*"},{"line_number":506,"context_line":"   - *Move pre-existing volumes in and out of projects*"},{"line_number":507,"context_line":"   - *Create or delete HSM transport keys*"},{"line_number":508,"context_line":"   - *Create physical provider networks*"},{"line_number":509,"context_line":""},{"line_number":510,"context_line":"- 
Project Member"},{"line_number":511,"context_line":"   - Denoted by someone with the ``member`` role on a project"}],"source_content_type":"text/x-rst","patch_set":9,"id":"7b08a1d2_2a03593d","line":508,"in_reply_to":"5d6dccf3_cc222ac2","updated":"2022-07-07 06:11:11.000000000","message":"ah, thanks slawek for update","commit_id":"f67b41cdee5b0e01f0c6ef1fbb4e33f0f084beeb"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"8b5c3af4b88da170c44d5eba63c616bcc61ce5e1","unresolved":true,"context_lines":[{"line_number":216,"context_line":"* Change the `scope` implementation to be `project` only"},{"line_number":217,"context_line":""},{"line_number":218,"context_line":"  Services with project resources that have already implemented scope (or have yet to)"},{"line_number":219,"context_line":"  should make all policy rules set scope_types\u003d[\u0027project\u0027]. This will help ensure"},{"line_number":220,"context_line":"  that any API operations performed with a system-scoped token will fail early, with a"},{"line_number":221,"context_line":"  403, instead of later in the process when a project_id is required. One exception"},{"line_number":222,"context_line":"  here is Ironic, which has implemented scope and has some users adopting it. 
We must"}],"source_content_type":"text/x-rst","patch_set":10,"id":"7f8c6d19_f6c33b3d","line":219,"range":{"start_line":219,"start_character":2,"end_line":219,"end_character":8},"updated":"2022-07-07 14:03:45.000000000","message":"is this a SHOULD or a MUST (in the rfc2119 sense)?","commit_id":"9e07edac3aba4170716f7ad412595a3aaaec0273"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d3f11729eaf2e254d2eaf9d4ed5b9bd16940b06c","unresolved":false,"context_lines":[{"line_number":216,"context_line":"* Change the `scope` implementation to be `project` only"},{"line_number":217,"context_line":""},{"line_number":218,"context_line":"  Services with project resources that have already implemented scope (or have yet to)"},{"line_number":219,"context_line":"  should make all policy rules set scope_types\u003d[\u0027project\u0027]. This will help ensure"},{"line_number":220,"context_line":"  that any API operations performed with a system-scoped token will fail early, with a"},{"line_number":221,"context_line":"  403, instead of later in the process when a project_id is required. One exception"},{"line_number":222,"context_line":"  here is Ironic, which has implemented scope and has some users adopting it. 
We must"}],"source_content_type":"text/x-rst","patch_set":10,"id":"4d6c6422_dd791ecd","line":219,"range":{"start_line":219,"start_character":2,"end_line":219,"end_character":8},"in_reply_to":"02d9564d_9ab23cc9","updated":"2022-07-21 15:11:20.000000000","message":"Ack","commit_id":"9e07edac3aba4170716f7ad412595a3aaaec0273"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"eb531ec2084f39289eef16208ec588f6257095d9","unresolved":true,"context_lines":[{"line_number":216,"context_line":"* Change the `scope` implementation to be `project` only"},{"line_number":217,"context_line":""},{"line_number":218,"context_line":"  Services with project resources that have already implemented scope (or have yet to)"},{"line_number":219,"context_line":"  should make all policy rules set scope_types\u003d[\u0027project\u0027]. This will help ensure"},{"line_number":220,"context_line":"  that any API operations performed with a system-scoped token will fail early, with a"},{"line_number":221,"context_line":"  403, instead of later in the process when a project_id is required. One exception"},{"line_number":222,"context_line":"  here is Ironic, which has implemented scope and has some users adopting it. 
We must"}],"source_content_type":"text/x-rst","patch_set":10,"id":"9b89d104_5a09e43c","line":219,"range":{"start_line":219,"start_character":2,"end_line":219,"end_character":8},"in_reply_to":"7f8c6d19_f6c33b3d","updated":"2022-07-07 16:07:54.000000000","message":"The reason I\u0027m asking is that if we do the scope_types\u003d[\u0027project\u0027] in the rule definition, that\u0027s not overrideable by operators, so wouldn\u0027t that prohibit them from checking for system scope as part of the checkstring for calls where the project_id doesn\u0027t matter?","commit_id":"9e07edac3aba4170716f7ad412595a3aaaec0273"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"957976e15ad8e5f1b7ec2bca83ca682e1c5379c4","unresolved":true,"context_lines":[{"line_number":216,"context_line":"* Change the `scope` implementation to be `project` only"},{"line_number":217,"context_line":""},{"line_number":218,"context_line":"  Services with project resources that have already implemented scope (or have yet to)"},{"line_number":219,"context_line":"  should make all policy rules set scope_types\u003d[\u0027project\u0027]. This will help ensure"},{"line_number":220,"context_line":"  that any API operations performed with a system-scoped token will fail early, with a"},{"line_number":221,"context_line":"  403, instead of later in the process when a project_id is required. One exception"},{"line_number":222,"context_line":"  here is Ironic, which has implemented scope and has some users adopting it. We must"}],"source_content_type":"text/x-rst","patch_set":10,"id":"02d9564d_9ab23cc9","line":219,"range":{"start_line":219,"start_character":2,"end_line":219,"end_character":8},"in_reply_to":"87f25083_99ec0300","updated":"2022-07-12 13:38:48.000000000","message":"Right, the operator being able to override the scope is not a good thing. 
Anything that expects a project token can (and likely will) crash with a system scoped token because context.project_id will be None. If the API works (and is tested, as gmann says) then it\u0027s fine to enable both types, if there\u0027s some reason to do so. However, doing it in some places (where it can work) and not others is likely to just confuse operators in the sense of \"I don\u0027t really understand why this works sometimes and not others\" if they don\u0027t realize they\u0027re still using a system token from a recent keystone operation, or similar example.","commit_id":"9e07edac3aba4170716f7ad412595a3aaaec0273"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ce51aa92a9960176a006612aaeb7e9861c46a07a","unresolved":true,"context_lines":[{"line_number":216,"context_line":"* Change the `scope` implementation to be `project` only"},{"line_number":217,"context_line":""},{"line_number":218,"context_line":"  Services with project resources that have already implemented scope (or have yet to)"},{"line_number":219,"context_line":"  should make all policy rules set scope_types\u003d[\u0027project\u0027]. This will help ensure"},{"line_number":220,"context_line":"  that any API operations performed with a system-scoped token will fail early, with a"},{"line_number":221,"context_line":"  403, instead of later in the process when a project_id is required. One exception"},{"line_number":222,"context_line":"  here is Ironic, which has implemented scope and has some users adopting it. We must"}],"source_content_type":"text/x-rst","patch_set":10,"id":"87f25083_99ec0300","line":219,"range":{"start_line":219,"start_character":2,"end_line":219,"end_character":8},"in_reply_to":"9b89d104_5a09e43c","updated":"2022-07-08 14:31:24.000000000","message":"I will say SHOULD. 
The main goal here is to provide the better error message when it fail with system scope and project_id required in that operation. \n\nIf any operation does not need project id and we make sure (tested) that with system scope then it is ok to skip the scope_type for that operation completely.\n\nBut I feel it is better to tell operator whether my services will work for system scope or not. And as we do not test them with system scope it is better to not to document/talk or implement about it.","commit_id":"9e07edac3aba4170716f7ad412595a3aaaec0273"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"8b5c3af4b88da170c44d5eba63c616bcc61ce5e1","unresolved":true,"context_lines":[{"line_number":559,"context_line":"`project-manager` used for project-level administrative APIs and is denoted by"},{"line_number":560,"context_line":"someone with the ``manager`` role on a project and operate within the own project."},{"line_number":561,"context_line":"It is intended to perform more privileged operation than `project-member` on its"},{"line_number":562,"context_line":"project resource. From existing policy point of view, we can say this is \u0027admin\u0027 at"},{"line_number":563,"context_line":"project level but we will not use the term \u0027admin\u0027 as it can be confused with the"},{"line_number":564,"context_line":"\u0027legacy admin (``admin``)\u0027. It can do all the operations that the ``admin`` role user"},{"line_number":565,"context_line":"can do on project level resources but within its own project. 
For example, it can"},{"line_number":566,"context_line":"delete only its own project instance, can list all the instances of its own project"},{"line_number":567,"context_line":"only."}],"source_content_type":"text/x-rst","patch_set":10,"id":"6bb46a33_698eff81","line":564,"range":{"start_line":562,"start_character":18,"end_line":564,"end_character":28},"updated":"2022-07-07 14:03:45.000000000","message":"So I think we should not say this at all!  I\u0027d prefer to introduce this as:\n\n  `project-manager` used for project-level management APIs and is denoted\n   by someone with the ``manager`` role on a project.\n\nThen we don\u0027t have to make this distinction about them not being able to act on other projects ... being a manager on a project, you would not expect them to manage other peoples\u0027 projects.\n\nWhat is a \"project-level management API\"?  Well, we still need to define that for each service.  But I don\u0027t see that as a problem, because we still need to define what exactly is a project-level administrative API, so let\u0027s eliminate any possible confusion by not using admin/administrative terminology at all here.","commit_id":"9e07edac3aba4170716f7ad412595a3aaaec0273"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"98453ba35ee2b45708d67c080199ddcd10472439","unresolved":false,"context_lines":[{"line_number":559,"context_line":"`project-manager` used for project-level administrative APIs and is denoted by"},{"line_number":560,"context_line":"someone with the ``manager`` role on a project and operate within the own project."},{"line_number":561,"context_line":"It is intended to perform more privileged operation than `project-member` on its"},{"line_number":562,"context_line":"project resource. 
From existing policy point of view, we can say this is \u0027admin\u0027 at"},{"line_number":563,"context_line":"project level but we will not use the term \u0027admin\u0027 as it can be confused with the"},{"line_number":564,"context_line":"\u0027legacy admin (``admin``)\u0027. It can do all the operations that the ``admin`` role user"},{"line_number":565,"context_line":"can do on project level resources but within its own project. For example, it can"},{"line_number":566,"context_line":"delete only its own project instance, can list all the instances of its own project"},{"line_number":567,"context_line":"only."}],"source_content_type":"text/x-rst","patch_set":10,"id":"65e6eb24_70b83aab","line":564,"range":{"start_line":562,"start_character":18,"end_line":564,"end_character":28},"in_reply_to":"61952363_df5708d5","updated":"2022-07-08 16:59:46.000000000","message":"Done","commit_id":"9e07edac3aba4170716f7ad412595a3aaaec0273"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ce51aa92a9960176a006612aaeb7e9861c46a07a","unresolved":true,"context_lines":[{"line_number":559,"context_line":"`project-manager` used for project-level administrative APIs and is denoted by"},{"line_number":560,"context_line":"someone with the ``manager`` role on a project and operate within the own project."},{"line_number":561,"context_line":"It is intended to perform more privileged operation than `project-member` on its"},{"line_number":562,"context_line":"project resource. From existing policy point of view, we can say this is \u0027admin\u0027 at"},{"line_number":563,"context_line":"project level but we will not use the term \u0027admin\u0027 as it can be confused with the"},{"line_number":564,"context_line":"\u0027legacy admin (``admin``)\u0027. 
It can do all the operations that the ``admin`` role user"},{"line_number":565,"context_line":"can do on project level resources but within its own project. For example, it can"},{"line_number":566,"context_line":"delete only its own project instance, can list all the instances of its own project"},{"line_number":567,"context_line":"only."}],"source_content_type":"text/x-rst","patch_set":10,"id":"61952363_df5708d5","line":564,"range":{"start_line":562,"start_character":18,"end_line":564,"end_character":28},"in_reply_to":"6bb46a33_698eff81","updated":"2022-07-08 14:31:24.000000000","message":"make sense. done","commit_id":"9e07edac3aba4170716f7ad412595a3aaaec0273"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"28e4e65b8575125cc8bc48a1eb45ca95383077ca","unresolved":true,"context_lines":[{"line_number":556,"context_line":"`project-manager`:"},{"line_number":557,"context_line":"~~~~~~~~~~~~~~~~~~"},{"line_number":558,"context_line":""},{"line_number":559,"context_line":"`project-manager` used for project-level administrative APIs and is denoted by"},{"line_number":560,"context_line":"someone with the ``manager`` role on a project and operate within the own project."},{"line_number":561,"context_line":"It is intended to perform more privileged operation than `project-member` on its"},{"line_number":562,"context_line":"project resource. `project-manager` used for project-level management APIs and is"},{"line_number":563,"context_line":"denoted by someone with the ``manager`` role on a project. It can do all the"},{"line_number":564,"context_line":"operations that the ``admin`` role user can do on project level resources but within"},{"line_number":565,"context_line":"its own project. 
For example, it can delete only its own project instance, can list"},{"line_number":566,"context_line":"all the instances of its own project only."},{"line_number":567,"context_line":""},{"line_number":568,"context_line":"`project-manager` persona in the policy check string:"},{"line_number":569,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"b9ee9094_477327a9","line":566,"range":{"start_line":559,"start_character":0,"end_line":566,"end_character":42},"updated":"2022-07-08 16:20:14.000000000","message":"Sorry, I wasn\u0027t more clear on the previous PS.  I meant replacing the entire paragraph with something like this:\n\n--start--\nA `project-manager` can use project-level management APIs and is denoted by someone with the ``manager`` role on a project.  It is intended to perform more privileged operations than `project-member` on its project resources.  A `project-manager` can also perform any operations allowed to a `project-member` or `project-reader`.\n\nAn example of a project-level management API is the Block Storage default-types API, which allows a default volume type to be set for a particular project.  Since the change affects only that project, it makes sense to allow a responsible person within the project to set the default type, rather than require them contact an administrator to do it.  
Implementing the `project-manager` persona will make this possible.\n\nIt is up to each service to define which API calls (if any) should be considered as project-level management APIs.\n\nThe `project-manager` fits into the default permission hierarchy as follows:\n\n  Admin -\u003e project-manager -\u003e project-member -\u003e project-reader\n\nThus, an Admin can do anything a project-manager can do, a project-manager can do anything a project-member can do, and a project-member can do anything a project-reader can do.\n--end--\n\nThis repeats some of the info in lines 620-644, but I think it\u0027s helpful to get a clear statement right at the beginning for people who skim through the text, and then state it again the way it is below.","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"98453ba35ee2b45708d67c080199ddcd10472439","unresolved":false,"context_lines":[{"line_number":556,"context_line":"`project-manager`:"},{"line_number":557,"context_line":"~~~~~~~~~~~~~~~~~~"},{"line_number":558,"context_line":""},{"line_number":559,"context_line":"`project-manager` used for project-level administrative APIs and is denoted by"},{"line_number":560,"context_line":"someone with the ``manager`` role on a project and operate within the own project."},{"line_number":561,"context_line":"It is intended to perform more privileged operation than `project-member` on its"},{"line_number":562,"context_line":"project resource. `project-manager` used for project-level management APIs and is"},{"line_number":563,"context_line":"denoted by someone with the ``manager`` role on a project. It can do all the"},{"line_number":564,"context_line":"operations that the ``admin`` role user can do on project level resources but within"},{"line_number":565,"context_line":"its own project. 
For example, it can delete only its own project instance, can list"},{"line_number":566,"context_line":"all the instances of its own project only."},{"line_number":567,"context_line":""},{"line_number":568,"context_line":"`project-manager` persona in the policy check string:"},{"line_number":569,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"d4915bc5_f535bda8","line":566,"range":{"start_line":559,"start_character":0,"end_line":566,"end_character":42},"in_reply_to":"b9ee9094_477327a9","updated":"2022-07-08 16:59:46.000000000","message":"Make sense to give that detail at the start and with more information. thanks.","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"28e4e65b8575125cc8bc48a1eb45ca95383077ca","unresolved":true,"context_lines":[{"line_number":572,"context_line":"    policy.RuleDefault("},{"line_number":573,"context_line":"        name\u003d\"project_manager\","},{"line_number":574,"context_line":"        check_str\u003d\"role:manager and project_id:%(project_id)s\","},{"line_number":575,"context_line":"        description\u003d\"Default rule for  project-level administrative APIs.\""},{"line_number":576,"context_line":"    )"},{"line_number":577,"context_line":""},{"line_number":578,"context_line":"Using it in policy rule (with `admin` + `manager` access):"}],"source_content_type":"text/x-rst","patch_set":11,"id":"99d22f3c_4f3e4b4e","line":575,"range":{"start_line":575,"start_character":53,"end_line":575,"end_character":67},"updated":"2022-07-08 16:20:14.000000000","message":"management","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"98453ba35ee2b45708d67c080199ddcd10472439","unresolved":false,"context_lines":[{"line_number":572,"context_line":"    policy.RuleDefault("},{"line_number":573,"context_line":"        name\u003d\"project_manager\","},{"line_number":574,"context_line":"        check_str\u003d\"role:manager and project_id:%(project_id)s\","},{"line_number":575,"context_line":"        description\u003d\"Default rule for  project-level administrative APIs.\""},{"line_number":576,"context_line":"    )"},{"line_number":577,"context_line":""},{"line_number":578,"context_line":"Using it in policy rule (with `admin` + `manager` access):"}],"source_content_type":"text/x-rst","patch_set":11,"id":"e6add8e0_6985bf7c","line":575,"range":{"start_line":575,"start_character":53,"end_line":575,"end_character":67},"in_reply_to":"99d22f3c_4f3e4b4e","updated":"2022-07-08 16:59:46.000000000","message":"Done","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"28e4e65b8575125cc8bc48a1eb45ca95383077ca","unresolved":true,"context_lines":[{"line_number":577,"context_line":""},{"line_number":578,"context_line":"Using it in policy rule (with `admin` + `manager` access):"},{"line_number":579,"context_line":"(because we want to keep legacy `admin` behavior same we need"},{"line_number":580,"context_line":"to give access of project manager (project admin level) APIs to"},{"line_number":581,"context_line":"`admin` role too.)"},{"line_number":582,"context_line":""},{"line_number":583,"context_line":".. 
code-block:: python"}],"source_content_type":"text/x-rst","patch_set":11,"id":"9d028a41_4a72ad9a","line":580,"range":{"start_line":580,"start_character":15,"end_line":580,"end_character":60},"updated":"2022-07-08 16:20:14.000000000","message":"Instead:\n\nto project-level management APIs","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"98453ba35ee2b45708d67c080199ddcd10472439","unresolved":false,"context_lines":[{"line_number":577,"context_line":""},{"line_number":578,"context_line":"Using it in policy rule (with `admin` + `manager` access):"},{"line_number":579,"context_line":"(because we want to keep legacy `admin` behavior same we need"},{"line_number":580,"context_line":"to give access of project manager (project admin level) APIs to"},{"line_number":581,"context_line":"`admin` role too.)"},{"line_number":582,"context_line":""},{"line_number":583,"context_line":".. 
code-block:: python"}],"source_content_type":"text/x-rst","patch_set":11,"id":"b66882fd_80e9ae3e","line":580,"range":{"start_line":580,"start_character":15,"end_line":580,"end_character":60},"in_reply_to":"9d028a41_4a72ad9a","updated":"2022-07-08 16:59:46.000000000","message":"Done","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"28e4e65b8575125cc8bc48a1eb45ca95383077ca","unresolved":true,"context_lines":[{"line_number":622,"context_line":"sure the legacy admin continues working as it is."},{"line_number":623,"context_line":""},{"line_number":624,"context_line":"This will provide a way for the operator to configure a user to give the more"},{"line_number":625,"context_line":"privileged access within a project (a way to achieve the project admin functionality)"},{"line_number":626,"context_line":"but no access to system-level resources or cross-project operations."},{"line_number":627,"context_line":""},{"line_number":628,"context_line":"This need to update the role implication so that the ``admin`` role implies"}],"source_content_type":"text/x-rst","patch_set":11,"id":"3ce86171_dd44b26e","line":625,"range":{"start_line":625,"start_character":35,"end_line":625,"end_character":85},"updated":"2022-07-08 16:20:14.000000000","message":"I suggest deleting this.","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"98453ba35ee2b45708d67c080199ddcd10472439","unresolved":false,"context_lines":[{"line_number":622,"context_line":"sure the legacy admin continues working as it is."},{"line_number":623,"context_line":""},{"line_number":624,"context_line":"This will provide a way for the operator to configure a user to give the 
more"},{"line_number":625,"context_line":"privileged access within a project (a way to achieve the project admin functionality)"},{"line_number":626,"context_line":"but no access to system-level resources or cross-project operations."},{"line_number":627,"context_line":""},{"line_number":628,"context_line":"This need to update the role implication so that the ``admin`` role implies"}],"source_content_type":"text/x-rst","patch_set":11,"id":"f3f9855f_87a54578","line":625,"range":{"start_line":625,"start_character":35,"end_line":625,"end_character":85},"in_reply_to":"3ce86171_dd44b26e","updated":"2022-07-08 16:59:46.000000000","message":"Done","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"28e4e65b8575125cc8bc48a1eb45ca95383077ca","unresolved":true,"context_lines":[{"line_number":632,"context_line":""},{"line_number":633,"context_line":"The `project-manager` persona is described as follows:"},{"line_number":634,"context_line":""},{"line_number":635,"context_line":"- Project Manager (project-level administration)"},{"line_number":636,"context_line":"   - Denoted by someone with the ``manager`` role on a project"},{"line_number":637,"context_line":"   - Intended for operators who need elevated privilege on project resources"},{"line_number":638,"context_line":"   - Not intended for end users"}],"source_content_type":"text/x-rst","patch_set":11,"id":"373d8a61_79d1723e","line":635,"range":{"start_line":635,"start_character":33,"end_line":635,"end_character":47},"updated":"2022-07-08 16:20:14.000000000","message":"management","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"98453ba35ee2b45708d67c080199ddcd10472439","unresolved":false,"context_lines":[{"line_number":632,"context_line":""},{"line_number":633,"context_line":"The `project-manager` persona is described as follows:"},{"line_number":634,"context_line":""},{"line_number":635,"context_line":"- Project Manager (project-level administration)"},{"line_number":636,"context_line":"   - Denoted by someone with the ``manager`` role on a project"},{"line_number":637,"context_line":"   - Intended for operators who need elevated privilege on project resources"},{"line_number":638,"context_line":"   - Not intended for end users"}],"source_content_type":"text/x-rst","patch_set":11,"id":"f39cbd6e_2a4197ad","line":635,"range":{"start_line":635,"start_character":33,"end_line":635,"end_character":47},"in_reply_to":"373d8a61_79d1723e","updated":"2022-07-08 16:59:46.000000000","message":"Done","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"28e4e65b8575125cc8bc48a1eb45ca95383077ca","unresolved":true,"context_lines":[{"line_number":634,"context_line":""},{"line_number":635,"context_line":"- Project Manager (project-level administration)"},{"line_number":636,"context_line":"   - Denoted by someone with the ``manager`` role on a project"},{"line_number":637,"context_line":"   - Intended for operators who need elevated privilege on project resources"},{"line_number":638,"context_line":"   - Not intended for end users"},{"line_number":639,"context_line":"   - Can perform more privileged than project-members on a project"},{"line_number":640,"context_line":"   - *Forcibly reset the state of an 
instance*"}],"source_content_type":"text/x-rst","patch_set":11,"id":"3600b621_73012890","line":637,"range":{"start_line":637,"start_character":5,"end_line":637,"end_character":76},"updated":"2022-07-08 16:20:14.000000000","message":"maybe: Intended for responsible end-users to give them slightly elevated privileges that affect only their own project\u0027s resources","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"98453ba35ee2b45708d67c080199ddcd10472439","unresolved":false,"context_lines":[{"line_number":634,"context_line":""},{"line_number":635,"context_line":"- Project Manager (project-level administration)"},{"line_number":636,"context_line":"   - Denoted by someone with the ``manager`` role on a project"},{"line_number":637,"context_line":"   - Intended for operators who need elevated privilege on project resources"},{"line_number":638,"context_line":"   - Not intended for end users"},{"line_number":639,"context_line":"   - Can perform more privileged than project-members on a project"},{"line_number":640,"context_line":"   - *Forcibly reset the state of an instance*"}],"source_content_type":"text/x-rst","patch_set":11,"id":"a45a9411_ab8b8b80","line":637,"range":{"start_line":637,"start_character":5,"end_line":637,"end_character":76},"in_reply_to":"3600b621_73012890","updated":"2022-07-08 16:59:46.000000000","message":"Done","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"28e4e65b8575125cc8bc48a1eb45ca95383077ca","unresolved":true,"context_lines":[{"line_number":635,"context_line":"- Project Manager (project-level administration)"},{"line_number":636,"context_line":"   - Denoted by someone with the ``manager`` role on a 
project"},{"line_number":637,"context_line":"   - Intended for operators who need elevated privilege on project resources"},{"line_number":638,"context_line":"   - Not intended for end users"},{"line_number":639,"context_line":"   - Can perform more privileged than project-members on a project"},{"line_number":640,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":641,"context_line":"   - *Forcibly deleting an application stack*"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a0626e2_92e420b0","line":638,"range":{"start_line":638,"start_character":5,"end_line":638,"end_character":31},"updated":"2022-07-08 16:20:14.000000000","message":"Delete.","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"98453ba35ee2b45708d67c080199ddcd10472439","unresolved":false,"context_lines":[{"line_number":635,"context_line":"- Project Manager (project-level administration)"},{"line_number":636,"context_line":"   - Denoted by someone with the ``manager`` role on a project"},{"line_number":637,"context_line":"   - Intended for operators who need elevated privilege on project resources"},{"line_number":638,"context_line":"   - Not intended for end users"},{"line_number":639,"context_line":"   - Can perform more privileged than project-members on a project"},{"line_number":640,"context_line":"   - *Forcibly reset the state of an instance*"},{"line_number":641,"context_line":"   - *Forcibly deleting an application stack*"}],"source_content_type":"text/x-rst","patch_set":11,"id":"26bbbc70_dde5aa37","line":638,"range":{"start_line":638,"start_character":5,"end_line":638,"end_character":31},"in_reply_to":"5a0626e2_92e420b0","updated":"2022-07-08 16:59:46.000000000","message":"Done","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":5314,"name":"Brian 
Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"28e4e65b8575125cc8bc48a1eb45ca95383077ca","unresolved":true,"context_lines":[{"line_number":670,"context_line":"Work completed by Yoga Timeline (7th Mar 2022)"},{"line_number":671,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":672,"context_line":""},{"line_number":673,"context_line":"#. Keystone has the project persona (admin, member, reader) ready to by"},{"line_number":674,"context_line":"   used by the services."},{"line_number":675,"context_line":""},{"line_number":676,"context_line":"#. Few projects like keystone, nova, neutron, octavia etc adopted the"}],"source_content_type":"text/x-rst","patch_set":11,"id":"b040eca9_0a8b8e7c","line":673,"range":{"start_line":673,"start_character":69,"end_line":673,"end_character":71},"updated":"2022-07-08 16:20:14.000000000","message":"be","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"98453ba35ee2b45708d67c080199ddcd10472439","unresolved":false,"context_lines":[{"line_number":670,"context_line":"Work completed by Yoga Timeline (7th Mar 2022)"},{"line_number":671,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":672,"context_line":""},{"line_number":673,"context_line":"#. Keystone has the project persona (admin, member, reader) ready to by"},{"line_number":674,"context_line":"   used by the services."},{"line_number":675,"context_line":""},{"line_number":676,"context_line":"#. 
Few projects like keystone, nova, neutron, octavia etc adopted the"}],"source_content_type":"text/x-rst","patch_set":11,"id":"365698ab_07828552","line":673,"range":{"start_line":673,"start_character":69,"end_line":673,"end_character":71},"in_reply_to":"b040eca9_0a8b8e7c","updated":"2022-07-08 16:59:46.000000000","message":"Done","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"28e4e65b8575125cc8bc48a1eb45ca95383077ca","unresolved":true,"context_lines":[{"line_number":680,"context_line":"Z-Release Timeline"},{"line_number":681,"context_line":"^^^^^^^^^^^^^^^^^^"},{"line_number":682,"context_line":""},{"line_number":683,"context_line":"#. Convert the `scope_type` of every policy rule to `project`"},{"line_number":684,"context_line":""},{"line_number":685,"context_line":"   Some standalone services like Ironic can still have their existing  `scope`"},{"line_number":686,"context_line":"   implementation as long as it does not break any cross service communication."}],"source_content_type":"text/x-rst","patch_set":11,"id":"951f8a61_28f353b1","line":683,"updated":"2022-07-08 16:20:14.000000000","message":"add (given that it\u0027s a SHOULD):\n\n  , or specify no scope_type, as appropriate.","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"98453ba35ee2b45708d67c080199ddcd10472439","unresolved":false,"context_lines":[{"line_number":680,"context_line":"Z-Release Timeline"},{"line_number":681,"context_line":"^^^^^^^^^^^^^^^^^^"},{"line_number":682,"context_line":""},{"line_number":683,"context_line":"#. 
Convert the `scope_type` of every policy rule to `project`"},{"line_number":684,"context_line":""},{"line_number":685,"context_line":"   Some standalone services like Ironic can still have their existing  `scope`"},{"line_number":686,"context_line":"   implementation as long as it does not break any cross service communication."}],"source_content_type":"text/x-rst","patch_set":11,"id":"43df7c40_af22052a","line":683,"in_reply_to":"951f8a61_28f353b1","updated":"2022-07-08 16:59:46.000000000","message":"Done","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"28e4e65b8575125cc8bc48a1eb45ca95383077ca","unresolved":true,"context_lines":[{"line_number":727,"context_line":"   it to understand what personas are the most appropriate for their users"},{"line_number":728,"context_line":"   based on the permissions they need."},{"line_number":729,"context_line":""},{"line_number":730,"context_line":"At this point, operators can choose to enable the new defaults for services that\u0027s"},{"line_number":731,"context_line":"completed `Phase 1`_. 
This will require the operator to configure the service to use"},{"line_number":732,"context_line":"``enforce_new_defaults\u003dTrue`` if they chose to adopt the new behavior for"},{"line_number":733,"context_line":"services that support it."}],"source_content_type":"text/x-rst","patch_set":11,"id":"88423134_96a8cae1","line":730,"range":{"start_line":730,"start_character":76,"end_line":730,"end_character":82},"updated":"2022-07-08 16:20:14.000000000","message":"that have","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"98453ba35ee2b45708d67c080199ddcd10472439","unresolved":false,"context_lines":[{"line_number":727,"context_line":"   it to understand what personas are the most appropriate for their users"},{"line_number":728,"context_line":"   based on the permissions they need."},{"line_number":729,"context_line":""},{"line_number":730,"context_line":"At this point, operators can choose to enable the new defaults for services that\u0027s"},{"line_number":731,"context_line":"completed `Phase 1`_. 
This will require the operator to configure the service to use"},{"line_number":732,"context_line":"``enforce_new_defaults\u003dTrue`` if they chose to adopt the new behavior for"},{"line_number":733,"context_line":"services that support it."}],"source_content_type":"text/x-rst","patch_set":11,"id":"ac629e32_50ed0698","line":730,"range":{"start_line":730,"start_character":76,"end_line":730,"end_character":82},"in_reply_to":"88423134_96a8cae1","updated":"2022-07-08 16:59:46.000000000","message":"Done","commit_id":"b471b561943f53f39528f245e0eb2adc42027e42"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"267253a71999748a76e70900a29ca7397a92d03c","unresolved":true,"context_lines":[{"line_number":574,"context_line":"role implies ``manager``, the ``manager`` role implies ``member``, the ``member`` role"},{"line_number":575,"context_line":"implies ``reader``. This needs the modification in the already merged `keystone specification"},{"line_number":576,"context_line":"\u003chttps://review.opendev.org/c/openstack/keystone-specs/+/818603\u003e`_."},{"line_number":577,"context_line":"needs to be added in the role implication in permission hierarchy"},{"line_number":578,"context_line":"as follows:"},{"line_number":579,"context_line":""},{"line_number":580,"context_line":"`project-manager` persona in the policy check string:"},{"line_number":581,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"1fe7fb4d_00904531","line":578,"range":{"start_line":577,"start_character":0,"end_line":578,"end_character":11},"updated":"2022-07-08 17:36:13.000000000","message":"I think this was pasted by mistake?","commit_id":"ef46aa20febcf8c2ac2a0d09d5b2155991aef886"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"160396bb1f2604ea5e954d0a9ea1743d1a2a1569","unresolved":false,"context_lines":[{"line_number":574,"context_line":"role implies ``manager``, the ``manager`` role implies ``member``, the ``member`` role"},{"line_number":575,"context_line":"implies ``reader``. This needs the modification in the already merged `keystone specification"},{"line_number":576,"context_line":"\u003chttps://review.opendev.org/c/openstack/keystone-specs/+/818603\u003e`_."},{"line_number":577,"context_line":"needs to be added in the role implication in permission hierarchy"},{"line_number":578,"context_line":"as follows:"},{"line_number":579,"context_line":""},{"line_number":580,"context_line":"`project-manager` persona in the policy check string:"},{"line_number":581,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"648e4b7d_28667988","line":578,"range":{"start_line":577,"start_character":0,"end_line":578,"end_character":11},"in_reply_to":"1fe7fb4d_00904531","updated":"2022-07-08 17:39:02.000000000","message":"Done","commit_id":"ef46aa20febcf8c2ac2a0d09d5b2155991aef886"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":151,"context_line":"been done for nova and neutron."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"This was not the end of the RBAC design discussion. 
After knowing the operators"},{"line_number":154,"context_line":"use cases, feedbacks we redefined the direction in Zed cycle."},{"line_number":155,"context_line":""},{"line_number":156,"context_line":"The issues we are facing with `scope` concept:"},{"line_number":157,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":13,"id":"6e8911a0_399127bd","line":154,"range":{"start_line":154,"start_character":1,"end_line":154,"end_character":61},"updated":"2022-07-14 16:33:27.000000000","message":"This is worded awkwardly.  Would say:  After knowing the operators\u0027 use cases we used the feedback to redefine the direction in the Zed cycle.","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":151,"context_line":"been done for nova and neutron."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"This was not the end of the RBAC design discussion. 
After knowing the operators"},{"line_number":154,"context_line":"use cases, feedbacks we redefined the direction in Zed cycle."},{"line_number":155,"context_line":""},{"line_number":156,"context_line":"The issues we are facing with `scope` concept:"},{"line_number":157,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":13,"id":"8225cf12_62ec90e8","line":154,"range":{"start_line":154,"start_character":1,"end_line":154,"end_character":61},"in_reply_to":"6e8911a0_399127bd","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"957976e15ad8e5f1b7ec2bca83ca682e1c5379c4","unresolved":true,"context_lines":[{"line_number":167,"context_line":"   and system-level resources in backend services. For example, it creates"},{"line_number":168,"context_line":"   project users in keystone (system level resource), flavors in nova (system"},{"line_number":169,"context_line":"   level resource), servers in nova (project level resource), and networks in"},{"line_number":170,"context_line":"   neutron (project level resource). If we enable the scope in services, then"},{"line_number":171,"context_line":"   the user calling heat \u0027create stack\u0027 APIs which are scoped to either project"},{"line_number":172,"context_line":"   (existing way) or system (if we change that) will not be able to call the"},{"line_number":173,"context_line":"   system and project scoped APIs on the service side. 
We discussed the possible"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3f07d71e_fdfc8342","line":170,"range":{"start_line":170,"start_character":50,"end_line":170,"end_character":59},"updated":"2022-07-12 13:38:48.000000000","message":"\"scope checking\"","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":167,"context_line":"   and system-level resources in backend services. For example, it creates"},{"line_number":168,"context_line":"   project users in keystone (system level resource), flavors in nova (system"},{"line_number":169,"context_line":"   level resource), servers in nova (project level resource), and networks in"},{"line_number":170,"context_line":"   neutron (project level resource). If we enable the scope in services, then"},{"line_number":171,"context_line":"   the user calling heat \u0027create stack\u0027 APIs which are scoped to either project"},{"line_number":172,"context_line":"   (existing way) or system (if we change that) will not be able to call the"},{"line_number":173,"context_line":"   system and project scoped APIs on the service side. 
We discussed the possible"}],"source_content_type":"text/x-rst","patch_set":13,"id":"37411aa8_607a8247","line":170,"range":{"start_line":170,"start_character":50,"end_line":170,"end_character":59},"in_reply_to":"3f07d71e_fdfc8342","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"957976e15ad8e5f1b7ec2bca83ca682e1c5379c4","unresolved":true,"context_lines":[{"line_number":175,"context_line":"   `openstack-discuss ML"},{"line_number":176,"context_line":"   \u003chttp://lists.openstack.org/pipermail/openstack-discuss/2022-March/027614.html\u003e`_,"},{"line_number":177,"context_line":"   and `in policy popup meetings \u003chttps://etherpad.opendev.org/p/rbac-zed-ptg#L99\u003e`_"},{"line_number":178,"context_line":"   but none of those are best suited and end up breaking the existing stack."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"   Enabling scope checking also breaks Tacker (NFV Orchestration service) deployment"},{"line_number":181,"context_line":"   as they uses heat \u0027create stack\u0027 to build OpenStack infrastructure."}],"source_content_type":"text/x-rst","patch_set":13,"id":"0d4eeeb0_07129735","line":178,"range":{"start_line":178,"start_character":25,"end_line":178,"end_character":36},"updated":"2022-07-12 13:38:48.000000000","message":"\"good solutions\"","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":175,"context_line":"   `openstack-discuss ML"},{"line_number":176,"context_line":"   \u003chttp://lists.openstack.org/pipermail/openstack-discuss/2022-March/027614.html\u003e`_,"},{"line_number":177,"context_line":"   
and `in policy popup meetings \u003chttps://etherpad.opendev.org/p/rbac-zed-ptg#L99\u003e`_"},{"line_number":178,"context_line":"   but none of those are best suited and end up breaking the existing stack."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"   Enabling scope checking also breaks Tacker (NFV Orchestration service) deployment"},{"line_number":181,"context_line":"   as they uses heat \u0027create stack\u0027 to build OpenStack infrastructure."}],"source_content_type":"text/x-rst","patch_set":13,"id":"94f4546b_ababd498","line":178,"range":{"start_line":178,"start_character":25,"end_line":178,"end_character":36},"in_reply_to":"0d4eeeb0_07129735","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"957976e15ad8e5f1b7ec2bca83ca682e1c5379c4","unresolved":true,"context_lines":[{"line_number":178,"context_line":"   but none of those are best suited and end up breaking the existing stack."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"   Enabling scope checking also breaks Tacker (NFV Orchestration service) deployment"},{"line_number":181,"context_line":"   as they uses heat \u0027create stack\u0027 to build OpenStack infrastructure."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"#. 
`Operator feedbacks \u003chttps://etherpad.opendev.org/p/rbac-operator-feedback\u003e`_ on"},{"line_number":184,"context_line":"   `scope`:"}],"source_content_type":"text/x-rst","patch_set":13,"id":"d12096f8_c55bca7d","line":181,"range":{"start_line":181,"start_character":11,"end_line":181,"end_character":15},"updated":"2022-07-12 13:38:48.000000000","message":"\"use\"","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":178,"context_line":"   but none of those are best suited and end up breaking the existing stack."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"   Enabling scope checking also breaks Tacker (NFV Orchestration service) deployment"},{"line_number":181,"context_line":"   as they uses heat \u0027create stack\u0027 to build OpenStack infrastructure."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"#. 
`Operator feedbacks \u003chttps://etherpad.opendev.org/p/rbac-operator-feedback\u003e`_ on"},{"line_number":184,"context_line":"   `scope`:"}],"source_content_type":"text/x-rst","patch_set":13,"id":"93958e31_e18786ec","line":181,"range":{"start_line":181,"start_character":11,"end_line":181,"end_character":15},"in_reply_to":"d12096f8_c55bca7d","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":180,"context_line":"   Enabling scope checking also breaks Tacker (NFV Orchestration service) deployment"},{"line_number":181,"context_line":"   as they uses heat \u0027create stack\u0027 to build OpenStack infrastructure."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"#. `Operator feedbacks \u003chttps://etherpad.opendev.org/p/rbac-operator-feedback\u003e`_ on"},{"line_number":184,"context_line":"   `scope`:"},{"line_number":185,"context_line":""},{"line_number":186,"context_line":"   We collected the operators\u0027 feedback on `scope` and how OpenStack APIs will be"}],"source_content_type":"text/x-rst","patch_set":13,"id":"8c3b2237_0f930221","line":183,"range":{"start_line":183,"start_character":13,"end_line":183,"end_character":22},"updated":"2022-07-14 16:33:27.000000000","message":"feedback","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":180,"context_line":"   Enabling scope checking also breaks Tacker (NFV Orchestration service) deployment"},{"line_number":181,"context_line":"   as they uses heat \u0027create stack\u0027 to build 
OpenStack infrastructure."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"#. `Operator feedbacks \u003chttps://etherpad.opendev.org/p/rbac-operator-feedback\u003e`_ on"},{"line_number":184,"context_line":"   `scope`:"},{"line_number":185,"context_line":""},{"line_number":186,"context_line":"   We collected the operators\u0027 feedback on `scope` and how OpenStack APIs will be"}],"source_content_type":"text/x-rst","patch_set":13,"id":"cbf95dca_e5c0b366","line":183,"range":{"start_line":183,"start_character":13,"end_line":183,"end_character":22},"in_reply_to":"8c3b2237_0f930221","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":191,"context_line":"   `scope` things are difficult to understand for most of the operators. It will"},{"line_number":192,"context_line":"   break their use case of \u0027accessing everything with a single token\u0027. \u0027Admin\u0027"},{"line_number":193,"context_line":"   is already a confusing concept for many of them and `admin` with `scope`"},{"line_number":194,"context_line":"   combination make it more confusing. 
The operators agreed with postponing the `scope`"},{"line_number":195,"context_line":"   implementation to be able to land the project persona first."},{"line_number":196,"context_line":""},{"line_number":197,"context_line":"   `KDDI, japanese telco company \u003chttps://etherpad.opendev.org/p/rbac-operator-feedback#L88\u003e`_"}],"source_content_type":"text/x-rst","patch_set":13,"id":"d11e802a_f742a106","line":194,"range":{"start_line":194,"start_character":15,"end_line":194,"end_character":20},"updated":"2022-07-14 16:33:27.000000000","message":"makes","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":191,"context_line":"   `scope` things are difficult to understand for most of the operators. It will"},{"line_number":192,"context_line":"   break their use case of \u0027accessing everything with a single token\u0027. \u0027Admin\u0027"},{"line_number":193,"context_line":"   is already a confusing concept for many of them and `admin` with `scope`"},{"line_number":194,"context_line":"   combination make it more confusing. 
The operators agreed with postponing the `scope`"},{"line_number":195,"context_line":"   implementation to be able to land the project persona first."},{"line_number":196,"context_line":""},{"line_number":197,"context_line":"   `KDDI, japanese telco company \u003chttps://etherpad.opendev.org/p/rbac-operator-feedback#L88\u003e`_"}],"source_content_type":"text/x-rst","patch_set":13,"id":"ef742d46_970e0d45","line":194,"range":{"start_line":194,"start_character":15,"end_line":194,"end_character":20},"in_reply_to":"d11e802a_f742a106","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":198,"context_line":"   shared the feedback about their use case and how the `scope` will break their use"},{"line_number":199,"context_line":"   case also. An \"OpenStack Administrator\" who is created by the \"keystone-manage"},{"line_number":200,"context_line":"   bootstrap\" command, should be able to operate the complete stack even that is"},{"line_number":201,"context_line":"   project-level or system-level resources. Dividing the permission for project"},{"line_number":202,"context_line":"   and system level resources may have an impact on echo systems or scripts outside"},{"line_number":203,"context_line":"   OpenStack. 
Another point they raised is that there should be a way that the operator can"},{"line_number":204,"context_line":"   configure the policy permission in policy.json and with the `scope` that cannot be done"}],"source_content_type":"text/x-rst","patch_set":13,"id":"9d25d0ba_296ac56f","line":201,"updated":"2022-07-14 16:33:27.000000000","message":"permissions","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":198,"context_line":"   shared the feedback about their use case and how the `scope` will break their use"},{"line_number":199,"context_line":"   case also. An \"OpenStack Administrator\" who is created by the \"keystone-manage"},{"line_number":200,"context_line":"   bootstrap\" command, should be able to operate the complete stack even that is"},{"line_number":201,"context_line":"   project-level or system-level resources. Dividing the permission for project"},{"line_number":202,"context_line":"   and system level resources may have an impact on echo systems or scripts outside"},{"line_number":203,"context_line":"   OpenStack. Another point they raised is that there should be a way that the operator can"},{"line_number":204,"context_line":"   configure the policy permission in policy.json and with the `scope` that cannot be done"}],"source_content_type":"text/x-rst","patch_set":13,"id":"d4dbbd6b_b71bd32f","line":201,"in_reply_to":"9d25d0ba_296ac56f","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":199,"context_line":"   case also. 
An \"OpenStack Administrator\" who is created by the \"keystone-manage"},{"line_number":200,"context_line":"   bootstrap\" command, should be able to operate the complete stack even that is"},{"line_number":201,"context_line":"   project-level or system-level resources. Dividing the permission for project"},{"line_number":202,"context_line":"   and system level resources may have an impact on echo systems or scripts outside"},{"line_number":203,"context_line":"   OpenStack. Another point they raised is that there should be a way that the operator can"},{"line_number":204,"context_line":"   configure the policy permission in policy.json and with the `scope` that cannot be done"},{"line_number":205,"context_line":"   as the `scope` is not the configurable thing."}],"source_content_type":"text/x-rst","patch_set":13,"id":"97256393_2f17dd86","line":202,"range":{"start_line":202,"start_character":52,"end_line":202,"end_character":65},"updated":"2022-07-14 16:33:27.000000000","message":"echosystems","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":199,"context_line":"   case also. An \"OpenStack Administrator\" who is created by the \"keystone-manage"},{"line_number":200,"context_line":"   bootstrap\" command, should be able to operate the complete stack even that is"},{"line_number":201,"context_line":"   project-level or system-level resources. Dividing the permission for project"},{"line_number":202,"context_line":"   and system level resources may have an impact on echo systems or scripts outside"},{"line_number":203,"context_line":"   OpenStack. 
Another point they raised is that there should be a way that the operator can"},{"line_number":204,"context_line":"   configure the policy permission in policy.json and with the `scope` that cannot be done"},{"line_number":205,"context_line":"   as the `scope` is not the configurable thing."}],"source_content_type":"text/x-rst","patch_set":13,"id":"1aa0c9cb_6f4382b3","line":202,"range":{"start_line":202,"start_character":52,"end_line":202,"end_character":65},"in_reply_to":"97256393_2f17dd86","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":201,"context_line":"   project-level or system-level resources. Dividing the permission for project"},{"line_number":202,"context_line":"   and system level resources may have an impact on echo systems or scripts outside"},{"line_number":203,"context_line":"   OpenStack. 
Another point they raised is that there should be a way that the operator can"},{"line_number":204,"context_line":"   configure the policy permission in policy.json and with the `scope` that cannot be done"},{"line_number":205,"context_line":"   as the `scope` is not the configurable thing."},{"line_number":206,"context_line":""},{"line_number":207,"context_line":"Due to the above feedback and use case, we decided to postpone the `scope` implementation."}],"source_content_type":"text/x-rst","patch_set":13,"id":"78f60aa0_7914d26e","line":204,"range":{"start_line":204,"start_character":24,"end_line":204,"end_character":35},"updated":"2022-07-14 16:33:27.000000000","message":"permissions","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":201,"context_line":"   project-level or system-level resources. Dividing the permission for project"},{"line_number":202,"context_line":"   and system level resources may have an impact on echo systems or scripts outside"},{"line_number":203,"context_line":"   OpenStack. 
Another point they raised is that there should be a way that the operator can"},{"line_number":204,"context_line":"   configure the policy permission in policy.json and with the `scope` that cannot be done"},{"line_number":205,"context_line":"   as the `scope` is not the configurable thing."},{"line_number":206,"context_line":""},{"line_number":207,"context_line":"Due to the above feedback and use case, we decided to postpone the `scope` implementation."}],"source_content_type":"text/x-rst","patch_set":13,"id":"2e959b9d_a9bae50f","line":204,"range":{"start_line":204,"start_character":24,"end_line":204,"end_character":35},"in_reply_to":"78f60aa0_7914d26e","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"957976e15ad8e5f1b7ec2bca83ca682e1c5379c4","unresolved":true,"context_lines":[{"line_number":206,"context_line":""},{"line_number":207,"context_line":"Due to the above feedback and use case, we decided to postpone the `scope` implementation."},{"line_number":208,"context_line":"That is the way forward to at least implement the project personas which is asked by"},{"line_number":209,"context_line":"many operators. Basically, define the below scope for this goal:"},{"line_number":210,"context_line":""},{"line_number":211,"context_line":"* Finish delivering project personas"},{"line_number":212,"context_line":"  This is to introduce the `member` and `reader` roles to operate things within their project."}],"source_content_type":"text/x-rst","patch_set":13,"id":"5aa323e3_838ee37c","line":209,"range":{"start_line":209,"start_character":44,"end_line":209,"end_character":49},"updated":"2022-07-12 13:38:48.000000000","message":"\"scope\" might be a bad term to use here, because it\u0027s overloaded. 
Perhaps:\n\n Basically, we define the boundaries of this goal as:","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":206,"context_line":""},{"line_number":207,"context_line":"Due to the above feedback and use case, we decided to postpone the `scope` implementation."},{"line_number":208,"context_line":"That is the way forward to at least implement the project personas which is asked by"},{"line_number":209,"context_line":"many operators. Basically, define the below scope for this goal:"},{"line_number":210,"context_line":""},{"line_number":211,"context_line":"* Finish delivering project personas"},{"line_number":212,"context_line":"  This is to introduce the `member` and `reader` roles to operate things within their project."}],"source_content_type":"text/x-rst","patch_set":13,"id":"98f79b30_94fbc973","line":209,"range":{"start_line":209,"start_character":44,"end_line":209,"end_character":49},"in_reply_to":"5aa323e3_838ee37c","updated":"2022-07-14 16:33:27.000000000","message":"Agreed!","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":206,"context_line":""},{"line_number":207,"context_line":"Due to the above feedback and use case, we decided to postpone the `scope` implementation."},{"line_number":208,"context_line":"That is the way forward to at least implement the project personas which is asked by"},{"line_number":209,"context_line":"many operators. 
Basically, define the below scope for this goal:"},{"line_number":210,"context_line":""},{"line_number":211,"context_line":"* Finish delivering project personas"},{"line_number":212,"context_line":"  This is to introduce the `member` and `reader` roles to operate things within their project."}],"source_content_type":"text/x-rst","patch_set":13,"id":"1d571370_f62d8ac2","line":209,"range":{"start_line":209,"start_character":44,"end_line":209,"end_character":49},"in_reply_to":"98f79b30_94fbc973","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":240,"context_line":"on a timeline for future improvements, and at least deliver something useful to"},{"line_number":241,"context_line":"operators sooner rather than later. At least we have a clear understanding on"},{"line_number":242,"context_line":"project persona from developer as well from operator side and if we again delay"},{"line_number":243,"context_line":"implementing it, there is high possibility that developers involve in this work"},{"line_number":244,"context_line":"will loose the motivation and we will never ship the usable project persona in"},{"line_number":245,"context_line":"OpenStack RBAC. 
Let\u0027s accept all the challenges we have with `scope` concept and"},{"line_number":246,"context_line":"ready to revert the `scope` implemented even that is already implemented in your"}],"source_content_type":"text/x-rst","patch_set":13,"id":"aa1b39c4_54d30738","line":243,"range":{"start_line":243,"start_character":59,"end_line":243,"end_character":66},"updated":"2022-07-14 16:33:27.000000000","message":"involved","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":240,"context_line":"on a timeline for future improvements, and at least deliver something useful to"},{"line_number":241,"context_line":"operators sooner rather than later. At least we have a clear understanding on"},{"line_number":242,"context_line":"project persona from developer as well from operator side and if we again delay"},{"line_number":243,"context_line":"implementing it, there is high possibility that developers involve in this work"},{"line_number":244,"context_line":"will loose the motivation and we will never ship the usable project persona in"},{"line_number":245,"context_line":"OpenStack RBAC. 
Let\u0027s accept all the challenges we have with `scope` concept and"},{"line_number":246,"context_line":"ready to revert the `scope` implemented even that is already implemented in your"}],"source_content_type":"text/x-rst","patch_set":13,"id":"d2c3d2c3_56ecbd58","line":243,"range":{"start_line":243,"start_character":59,"end_line":243,"end_character":66},"in_reply_to":"aa1b39c4_54d30738","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":242,"context_line":"project persona from developer as well from operator side and if we again delay"},{"line_number":243,"context_line":"implementing it, there is high possibility that developers involve in this work"},{"line_number":244,"context_line":"will loose the motivation and we will never ship the usable project persona in"},{"line_number":245,"context_line":"OpenStack RBAC. 
Let\u0027s accept all the challenges we have with `scope` concept and"},{"line_number":246,"context_line":"ready to revert the `scope` implemented even that is already implemented in your"},{"line_number":247,"context_line":"project."},{"line_number":248,"context_line":""},{"line_number":249,"context_line":"Phase 1"}],"source_content_type":"text/x-rst","patch_set":13,"id":"fd194685_02f6bd67","line":246,"range":{"start_line":245,"start_character":77,"end_line":246,"end_character":5},"updated":"2022-07-14 16:33:27.000000000","message":"and be ready","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":242,"context_line":"project persona from developer as well from operator side and if we again delay"},{"line_number":243,"context_line":"implementing it, there is high possibility that developers involve in this work"},{"line_number":244,"context_line":"will loose the motivation and we will never ship the usable project persona in"},{"line_number":245,"context_line":"OpenStack RBAC. 
Let\u0027s accept all the challenges we have with `scope` concept and"},{"line_number":246,"context_line":"ready to revert the `scope` implemented even that is already implemented in your"},{"line_number":247,"context_line":"project."},{"line_number":248,"context_line":""},{"line_number":249,"context_line":"Phase 1"}],"source_content_type":"text/x-rst","patch_set":13,"id":"89cd2948_40bae62e","line":246,"range":{"start_line":245,"start_character":77,"end_line":246,"end_character":5},"in_reply_to":"fd194685_02f6bd67","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":252,"context_line":"Change in `scope` implementation"},{"line_number":253,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":254,"context_line":""},{"line_number":255,"context_line":"There are some projects like nova, neutron, ironic, octavia have already implemented"},{"line_number":256,"context_line":"the `scope_type` in their policy. 
This section will provide a clear direction for"},{"line_number":257,"context_line":"such project as well as if any new projects want to implement the `scope`."},{"line_number":258,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"af11932a_e7381323","line":255,"range":{"start_line":255,"start_character":44,"end_line":255,"end_character":64},"updated":"2022-07-14 16:33:27.000000000","message":"ironic and octavia that have","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":252,"context_line":"Change in `scope` implementation"},{"line_number":253,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":254,"context_line":""},{"line_number":255,"context_line":"There are some projects like nova, neutron, ironic, octavia have already implemented"},{"line_number":256,"context_line":"the `scope_type` in their policy. 
This section will provide a clear direction for"},{"line_number":257,"context_line":"such project as well as if any new projects want to implement the `scope`."},{"line_number":258,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"78e3a29b_5ecc316e","line":255,"range":{"start_line":255,"start_character":44,"end_line":255,"end_character":64},"in_reply_to":"af11932a_e7381323","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":267,"context_line":""},{"line_number":268,"context_line":"* Keystone will continue supporting the `scope` implementation for deployment"},{"line_number":269,"context_line":"  moved/can move to `system scope` enable for example, ironic + keystone. But we need to"},{"line_number":270,"context_line":"  make sure it also works for the deployment does not use `system scope` token means"},{"line_number":271,"context_line":"  continue working with the project scoped token. 
For that we need to do two changes in"},{"line_number":272,"context_line":"  keystone:"},{"line_number":273,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"58522fbe_574d302e","line":270,"range":{"start_line":270,"start_character":30,"end_line":270,"end_character":49},"updated":"2022-07-14 16:33:27.000000000","message":"deployments that do","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":267,"context_line":""},{"line_number":268,"context_line":"* Keystone will continue supporting the `scope` implementation for deployment"},{"line_number":269,"context_line":"  moved/can move to `system scope` enable for example, ironic + keystone. But we need to"},{"line_number":270,"context_line":"  make sure it also works for the deployment does not use `system scope` token means"},{"line_number":271,"context_line":"  continue working with the project scoped token. 
For that we need to do two changes in"},{"line_number":272,"context_line":"  keystone:"},{"line_number":273,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"9b43b36a_b6442813","line":270,"range":{"start_line":270,"start_character":30,"end_line":270,"end_character":49},"in_reply_to":"58522fbe_574d302e","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":312,"context_line":"    )"},{"line_number":313,"context_line":""},{"line_number":314,"context_line":"Using it in policy rule (with `admin` + `reader` access):"},{"line_number":315,"context_line":"(because we want to keep legacy `admin` behavior same we need"},{"line_number":316,"context_line":"to give access of reader APIs to `admin` role too.)"},{"line_number":317,"context_line":""},{"line_number":318,"context_line":".. 
code-block:: python"}],"source_content_type":"text/x-rst","patch_set":13,"id":"370e13d0_285c980d","line":315,"range":{"start_line":315,"start_character":39,"end_line":315,"end_character":54},"updated":"2022-07-14 16:33:27.000000000","message":"behavior the same","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":312,"context_line":"    )"},{"line_number":313,"context_line":""},{"line_number":314,"context_line":"Using it in policy rule (with `admin` + `reader` access):"},{"line_number":315,"context_line":"(because we want to keep legacy `admin` behavior same we need"},{"line_number":316,"context_line":"to give access of reader APIs to `admin` role too.)"},{"line_number":317,"context_line":""},{"line_number":318,"context_line":".. code-block:: python"}],"source_content_type":"text/x-rst","patch_set":13,"id":"00d3d5e7_62d88edf","line":315,"range":{"start_line":315,"start_character":39,"end_line":315,"end_character":54},"in_reply_to":"370e13d0_285c980d","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":415,"context_line":"    )"},{"line_number":416,"context_line":""},{"line_number":417,"context_line":""},{"line_number":418,"context_line":"\u0027project_id:%(project_id)s\u0027 in the check_str is important to restrict these"},{"line_number":419,"context_line":"access within the requested project."},{"line_number":420,"context_line":""},{"line_number":421,"context_line":"This would push the functionality even closer to end users, making the API 
more"}],"source_content_type":"text/x-rst","patch_set":13,"id":"346cd87c_12487775","line":418,"range":{"start_line":418,"start_character":69,"end_line":418,"end_character":75},"updated":"2022-07-14 16:33:27.000000000","message":"the","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":415,"context_line":"    )"},{"line_number":416,"context_line":""},{"line_number":417,"context_line":""},{"line_number":418,"context_line":"\u0027project_id:%(project_id)s\u0027 in the check_str is important to restrict these"},{"line_number":419,"context_line":"access within the requested project."},{"line_number":420,"context_line":""},{"line_number":421,"context_line":"This would push the functionality even closer to end users, making the API more"}],"source_content_type":"text/x-rst","patch_set":13,"id":"708e20a8_f9f1e0a5","line":418,"range":{"start_line":418,"start_character":69,"end_line":418,"end_character":75},"in_reply_to":"346cd87c_12487775","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":424,"context_line":"Legacy admin continues to work as it is"},{"line_number":425,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":426,"context_line":""},{"line_number":427,"context_line":"During the operator feedback, it is clear that we need to make the legacy admin"},{"line_number":428,"context_line":"working as it is currently. We will not do any change in legacy admin behavior"},{"line_number":429,"context_line":"and access information. 
In `Phase 2`_, we will introduce the"},{"line_number":430,"context_line":"`project manager` persona who will be able to do the more privileged operation"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a4c568d_e630c05d","line":427,"range":{"start_line":427,"start_character":58,"end_line":427,"end_character":62},"updated":"2022-07-14 16:33:27.000000000","message":"keep","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":424,"context_line":"Legacy admin continues to work as it is"},{"line_number":425,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":426,"context_line":""},{"line_number":427,"context_line":"During the operator feedback, it is clear that we need to make the legacy admin"},{"line_number":428,"context_line":"working as it is currently. We will not do any change in legacy admin behavior"},{"line_number":429,"context_line":"and access information. 
In `Phase 2`_, we will introduce the"},{"line_number":430,"context_line":"`project manager` persona who will be able to do the more privileged operation"}],"source_content_type":"text/x-rst","patch_set":13,"id":"f2c1f5b8_996e7e44","line":427,"range":{"start_line":427,"start_character":58,"end_line":427,"end_character":62},"in_reply_to":"3a4c568d_e630c05d","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":508,"context_line":""},{"line_number":509,"context_line":"- Project Member"},{"line_number":510,"context_line":"   - Denoted by someone with the ``member`` role on a project"},{"line_number":511,"context_line":"   - Operate within the own project resource"},{"line_number":512,"context_line":"   - Intended to be used by end users who consume resources within a project"},{"line_number":513,"context_line":"   - *Create, delete, or update an instance*"},{"line_number":514,"context_line":"   - *Create, delete, or update a volume*"}],"source_content_type":"text/x-rst","patch_set":13,"id":"2d2b4643_d6fe47fc","line":511,"range":{"start_line":511,"start_character":20,"end_line":511,"end_character":23},"updated":"2022-07-14 16:33:27.000000000","message":"their","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":508,"context_line":""},{"line_number":509,"context_line":"- Project Member"},{"line_number":510,"context_line":"   - Denoted by someone with the ``member`` role on a project"},{"line_number":511,"context_line":"   - Operate within the own project 
resource"},{"line_number":512,"context_line":"   - Intended to be used by end users who consume resources within a project"},{"line_number":513,"context_line":"   - *Create, delete, or update an instance*"},{"line_number":514,"context_line":"   - *Create, delete, or update a volume*"}],"source_content_type":"text/x-rst","patch_set":13,"id":"b512949a_efee288b","line":511,"range":{"start_line":511,"start_character":20,"end_line":511,"end_character":23},"in_reply_to":"2d2b4643_d6fe47fc","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":530,"context_line":"   - *Cannot get or list instances, volumes, or networks of other project*"},{"line_number":531,"context_line":""},{"line_number":532,"context_line":"These new personas fix the existing issue where any user having any role within"},{"line_number":533,"context_line":"project (for example \u0027foo\u0027 role) can create, delete the resources in that project."},{"line_number":534,"context_line":"It also provides the ability for the operator to assign the read-only role for cloud"},{"line_number":535,"context_line":"auditing the project resources/activities. 
This does not directly solve the case"},{"line_number":536,"context_line":"of doing global audit with single role."}],"source_content_type":"text/x-rst","patch_set":13,"id":"67b9729c_41d5f3d9","line":533,"range":{"start_line":533,"start_character":33,"end_line":533,"end_character":51},"updated":"2022-07-14 16:33:27.000000000","message":"can create or delete","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":530,"context_line":"   - *Cannot get or list instances, volumes, or networks of other project*"},{"line_number":531,"context_line":""},{"line_number":532,"context_line":"These new personas fix the existing issue where any user having any role within"},{"line_number":533,"context_line":"project (for example \u0027foo\u0027 role) can create, delete the resources in that project."},{"line_number":534,"context_line":"It also provides the ability for the operator to assign the read-only role for cloud"},{"line_number":535,"context_line":"auditing the project resources/activities. 
This does not directly solve the case"},{"line_number":536,"context_line":"of doing global audit with single role."}],"source_content_type":"text/x-rst","patch_set":13,"id":"7199f07a_4a2ea834","line":533,"range":{"start_line":533,"start_character":33,"end_line":533,"end_character":51},"in_reply_to":"67b9729c_41d5f3d9","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":564,"context_line":"An example of a project-level management API is the Block Storage default-types API,"},{"line_number":565,"context_line":"which allows a default volume type to be set for a particular project. Since the change"},{"line_number":566,"context_line":"affects only that project, it makes sense to allow a responsible person within the"},{"line_number":567,"context_line":"project to set the default type, rather than require them contact an administrator to"},{"line_number":568,"context_line":"do it.  
Implementing the `project-manager` persona will make this possible."},{"line_number":569,"context_line":""},{"line_number":570,"context_line":"It is up to each service to define which API calls (if any) should be considered as"}],"source_content_type":"text/x-rst","patch_set":13,"id":"aa7dc343_7f9d9e8a","line":567,"range":{"start_line":567,"start_character":46,"end_line":567,"end_character":65},"updated":"2022-07-14 16:33:27.000000000","message":"require them to contact","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":564,"context_line":"An example of a project-level management API is the Block Storage default-types API,"},{"line_number":565,"context_line":"which allows a default volume type to be set for a particular project. Since the change"},{"line_number":566,"context_line":"affects only that project, it makes sense to allow a responsible person within the"},{"line_number":567,"context_line":"project to set the default type, rather than require them contact an administrator to"},{"line_number":568,"context_line":"do it.  
Implementing the `project-manager` persona will make this possible."},{"line_number":569,"context_line":""},{"line_number":570,"context_line":"It is up to each service to define which API calls (if any) should be considered as"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a47ae74_f962ad05","line":567,"range":{"start_line":567,"start_character":46,"end_line":567,"end_character":65},"in_reply_to":"aa7dc343_7f9d9e8a","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":750,"context_line":"#. Any service that completed `Phase 1`_ in Zed can set ``enforce_new_defaults\u003dTrue``"},{"line_number":751,"context_line":"   by default. It means new defaults will be enabled by default but operator"},{"line_number":752,"context_line":"   will have way to disable it with ``enforce_new_defaults\u003dFalse`` for that service."},{"line_number":753,"context_line":"   Also make ``enforce_scope\u003dTrue`` to make sure `project` scope are enforced."},{"line_number":754,"context_line":""},{"line_number":755,"context_line":"At this point, every OpenStack service will have completed `Phase 1`_, which"},{"line_number":756,"context_line":"allows operators to opt into using project-member and project-reader across their"}],"source_content_type":"text/x-rst","patch_set":13,"id":"67e428a2_9e0c613e","line":753,"range":{"start_line":753,"start_character":65,"end_line":753,"end_character":69},"updated":"2022-07-14 16:33:27.000000000","message":"is","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek 
Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":750,"context_line":"#. Any service that completed `Phase 1`_ in Zed can set ``enforce_new_defaults\u003dTrue``"},{"line_number":751,"context_line":"   by default. It means new defaults will be enabled by default but operator"},{"line_number":752,"context_line":"   will have way to disable it with ``enforce_new_defaults\u003dFalse`` for that service."},{"line_number":753,"context_line":"   Also make ``enforce_scope\u003dTrue`` to make sure `project` scope are enforced."},{"line_number":754,"context_line":""},{"line_number":755,"context_line":"At this point, every OpenStack service will have completed `Phase 1`_, which"},{"line_number":756,"context_line":"allows operators to opt into using project-member and project-reader across their"}],"source_content_type":"text/x-rst","patch_set":13,"id":"e1ac8c55_2626d454","line":753,"range":{"start_line":753,"start_character":65,"end_line":753,"end_character":69},"in_reply_to":"67e428a2_9e0c613e","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"ca80e0da69dac4fbf3bb40f93640d2d8faedc7e1","unresolved":true,"context_lines":[{"line_number":806,"context_line":"#. 
Remove the oslo.policy ``enforce_scope`` config flag"},{"line_number":807,"context_line":""},{"line_number":808,"context_line":"   Since all services have completed `Phase 1`_, and have ``enforce_scope\u003dTrue``"},{"line_number":809,"context_line":"   by default in oslo.policy for every services, we can remove this configuration"},{"line_number":810,"context_line":"   flag itself and have scope checks enable by default."},{"line_number":811,"context_line":""},{"line_number":812,"context_line":"Operators consuming the 2024.1 release will have full support for project-manager,"}],"source_content_type":"text/x-rst","patch_set":13,"id":"ff7db2cd_7a0c6d02","line":809,"range":{"start_line":809,"start_character":39,"end_line":809,"end_character":47},"updated":"2022-07-14 16:33:27.000000000","message":"service","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19fa2ff1643132dab356ce708b3a7c9cb8ba735d","unresolved":false,"context_lines":[{"line_number":806,"context_line":"#. 
Remove the oslo.policy ``enforce_scope`` config flag"},{"line_number":807,"context_line":""},{"line_number":808,"context_line":"   Since all services have completed `Phase 1`_, and have ``enforce_scope\u003dTrue``"},{"line_number":809,"context_line":"   by default in oslo.policy for every services, we can remove this configuration"},{"line_number":810,"context_line":"   flag itself and have scope checks enable by default."},{"line_number":811,"context_line":""},{"line_number":812,"context_line":"Operators consuming the 2024.1 release will have full support for project-manager,"}],"source_content_type":"text/x-rst","patch_set":13,"id":"fc1a302e_2e31cced","line":809,"range":{"start_line":809,"start_character":39,"end_line":809,"end_character":47},"in_reply_to":"ff7db2cd_7a0c6d02","updated":"2022-07-21 08:43:48.000000000","message":"Done","commit_id":"f16d5ba0cc6c8ea25e4c0bb8e45cdab2afc6d8ae"}]}
