)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"83dd3e7c21f0b3fbc494bb7a71a20a5583f0c07b","unresolved":true,"context_lines":[{"line_number":7,"context_line":"Fix missing creator role for encrypted volume creation"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"When Barbican is used as a key backend, creating an encrypted volume"},{"line_number":10,"context_line":"requires the creator role."},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"Add the creator role when barbican is enabled, to fix grenade job in"},{"line_number":13,"context_line":"Barbican."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"1ca9ea52_a76d703c","line":10,"updated":"2026-04-13 10:31:16.000000000","message":"that was true many year ago but i dont think this is corect now\n\nit shoudl only require member\n\nthe creator role was removed 4 years ago\n\nhttps://opendev.org/openstack/barbican/src/branch/master/barbican/common/policies/secrets.py\n\nthe legacy roles use creator\n```\ndeprecated_secret_decrypt \u003d policy.DeprecatedRule(\n    name\u003d\u0027secret:decrypt\u0027,\n    check_str\u003d\u0027rule:secret_decrypt_non_private_read or \u0027 +\n              \u0027rule:secret_project_creator or \u0027 +\n              \u0027rule:secret_project_admin or rule:secret_acl_read\u0027,\n    deprecated_reason\u003dbase.LEGACY_POLICY_DEPRECATION,\n    deprecated_since\u003dversionutils.deprecated.WALLABY\n)\ndeprecated_secret_get \u003d policy.DeprecatedRule(\n    name\u003d\u0027secret:get\u0027,\n    check_str\u003d\u0027rule:secret_non_private_read or \u0027 +\n              \u0027rule:secret_project_creator or \u0027 +\n              \u0027rule:secret_project_admin or rule:secret_acl_read\u0027,\n    deprecated_reason\u003dbase.LEGACY_POLICY_DEPRECATION,\n    
deprecated_since\u003dversionutils.deprecated.WALLABY\n)\ndeprecated_secret_put \u003d policy.DeprecatedRule(\n    name\u003d\u0027secret:put\u0027,\n    check_str\u003d\u0027rule:admin_or_creator and rule:secret_project_match\u0027,\n    deprecated_reason\u003dbase.LEGACY_POLICY_DEPRECATION,\n    deprecated_since\u003dversionutils.deprecated.WALLABY\n)\ndeprecated_secret_delete \u003d policy.DeprecatedRule(\n    name\u003d\u0027secret:delete\u0027,\n    check_str\u003d\u0027rule:secret_project_admin or \u0027 +\n              \u0027rule:secret_project_creator or \u0027 +\n              \u0027(rule:secret_project_creator_role and \u0027 +\n              \u0027not rule:secret_private_read)\u0027,\n    deprecated_reason\u003dbase.LEGACY_POLICY_DEPRECATION,\n    deprecated_since\u003dversionutils.deprecated.WALLABY\n)\n```\nbut the modern rule do not \n```\n  policy.DocumentedRuleDefault(\n        name\u003d\u0027secret:decrypt\u0027,\n        check_str\u003d(\n            \"True:%(enforce_new_defaults)s and \"\n            \"(rule:secret_project_admin or \"\n            \"(rule:secret_project_member and rule:secret_owner) or \"\n            \"(rule:secret_project_member and rule:secret_is_not_private) or \"\n            \"rule:secret_acl_read)\"),\n        scope_types\u003d[\u0027project\u0027],\n        description\u003d\u0027Retrieve a secrets payload.\u0027,\n        operations\u003d[\n            {\n                \u0027path\u0027: \u0027/v1/secrets/{uuid}/payload\u0027,\n                \u0027method\u0027: \u0027GET\u0027\n            }\n        ],\n        deprecated_rule\u003ddeprecated_secret_decrypt\n    ),\n    policy.DocumentedRuleDefault(\n        name\u003d\u0027secret:get\u0027,\n        check_str\u003d(\n            \"True:%(enforce_new_defaults)s and \"\n            \"(role:admin or \"\n            \"rule:secret_project_admin or \"\n            \"(rule:secret_project_member and rule:secret_owner) or \"\n            \"(rule:secret_project_member and 
rule:secret_is_not_private) or \"\n            \"rule:secret_acl_read)\"),\n        scope_types\u003d[\u0027project\u0027],\n        description\u003d\u0027Retrieves a secrets metadata.\u0027,\n        operations\u003d[\n            {\n                \u0027path\u0027: \u0027/v1/secrets/{secret-id}\u0027,\n                \u0027method\u0027: \u0027GET\u0027\n            }\n        ],\n        deprecated_rule\u003ddeprecated_secret_get\n    ),\n    policy.DocumentedRuleDefault(\n        name\u003d\u0027secret:put\u0027,\n        check_str\u003d(\n            \"True:%(enforce_new_defaults)s and \"\n            \"(rule:secret_project_admin or \"\n            \"(rule:secret_project_member and rule:secret_owner) or \"\n            \"(rule:secret_project_member and rule:secret_is_not_private))\"),\n        scope_types\u003d[\u0027project\u0027],\n        description\u003d\u0027Add the payload to an existing metadata-only secret.\u0027,\n        operations\u003d[\n            {\n                \u0027path\u0027: \u0027/v1/secrets/{secret-id}\u0027,\n                \u0027method\u0027: \u0027PUT\u0027\n            }\n        ],\n        deprecated_rule\u003ddeprecated_secret_put\n    ),\n    policy.DocumentedRuleDefault(\n        name\u003d\u0027secret:delete\u0027,\n        check_str\u003d(\n            \"True:%(enforce_new_defaults)s and \"\n            \"(role:admin or \"\n            \"rule:secret_project_admin or \"\n            \"(rule:secret_project_member and rule:secret_owner) or \"\n            \"(rule:secret_project_member and rule:secret_is_not_private))\"),\n        scope_types\u003d[\u0027project\u0027],\n        description\u003d\u0027Delete a secret by uuid.\u0027,\n        operations\u003d[\n            {\n                \u0027path\u0027: \u0027/v1/secrets/{secret-id}\u0027,\n                \u0027method\u0027: \u0027DELETE\u0027\n            }\n        ],\n        deprecated_rule\u003ddeprecated_secret_delete\n    ),\n```\n\nthe new default have been the 
defautl for a few years not so im not sure addign this now makes sense","commit_id":"1363f0fce6091a8c2c2a63aeabca7dcbbb053afa"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"a6701219f8834f35ebd9f9ed8707e5131151b40f","unresolved":true,"context_lines":[{"line_number":7,"context_line":"Fix missing creator role for encrypted volume creation"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"When Barbican is used as a key backend, creating an encrypted volume"},{"line_number":10,"context_line":"requires the creator role."},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"Add the creator role when barbican is enabled, to fix grenade job in"},{"line_number":13,"context_line":"Barbican."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"7210cf3d_06d184c1","line":10,"in_reply_to":"1ca9ea52_a76d703c","updated":"2026-04-13 16:01:17.000000000","message":"No. 
Even the latest barbican completely ignores the new rules unless you set enforce_new_defaults\u003dTrue.\n\nhttps://github.com/openstack/barbican/blob/f8a331a40eb21e6c8f37e07794d57aa98b120af9/barbican/common/policies/secrets.py#L104\n\nThe enforce_new_defaults option still defaults to False in barbican due to remaining override.\nhttps://github.com/openstack/barbican/blob/f8a331a40eb21e6c8f37e07794d57aa98b120af9/barbican/common/policy.py#L32\n\nWe can fix that in master, though granade needs to be compatible with old/new version so we still have to consider the old source version with that legacy policies.","commit_id":"1363f0fce6091a8c2c2a63aeabca7dcbbb053afa"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"8db6f7bb7081d71d11d0d21e48c4c0bba2fa0277","unresolved":true,"context_lines":[{"line_number":7,"context_line":"Fix missing creator role for encrypted volume creation"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"When Barbican is used as a key backend, creating an encrypted volume"},{"line_number":10,"context_line":"requires the creator role."},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"Add the creator role when barbican is enabled, to fix grenade job in"},{"line_number":13,"context_line":"Barbican."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"a0c5b20b_2b2e292f","line":10,"in_reply_to":"7210cf3d_06d184c1","updated":"2026-04-13 16:31:58.000000000","message":"that unfortunate since that config option was ment to be remvoed in 2025.2 with ture as the new behvior. 
the service were intede to have enforce_new_defaults\u003dTrue\nform 2024.2\n\nhttps://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#id4\n\ni guess we could continue to do this for grenade for this release but i think we do need to proceed with remvoing both \n\nenforce_scope this release and likely enforce_new_defaults next release 2027.1 since we are already 2 relase overdue at this point.\n\ni do need to implemnt this for cyborg in 2026.2 so there is at least one other project that is behind\n\n@gmaan.os14@gmail.com are you ok with proceeding with this workaroudn for now until barbican can be updated?","commit_id":"1363f0fce6091a8c2c2a63aeabca7dcbbb053afa"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"bce11bdadee0f9b105974c2934311ba61c0f11f8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"cc0ae687_29217bf4","updated":"2025-08-05 09:57:45.000000000","message":"recheck the timeout in doc job is quite strange...","commit_id":"e56e498468a9690cb079f37981509b4e87016775"},{"author":{"_account_id":10459,"name":"Luigi Toscano","email":"ltoscano@redhat.com","username":"ltoscano"},"change_message_id":"44b6a5db0669d485a0cc7f6cc9ab1cc72a21808f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"affb7149_c0304264","updated":"2025-11-25 15:16:35.000000000","message":"Uh, I had tried https://review.opendev.org/c/openstack/grenade/+/748413 back then, but it didn\u0027t work and there were other priorities and I dropped it.\n\nSo do you think it just makes sense to depend on the \"barbican\" service officially here even though it is defined and used by a devstack plugin?","commit_id":"1363f0fce6091a8c2c2a63aeabca7dcbbb053afa"},{"author":{"_account_id":11604,"name":"sean 
mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"8db6f7bb7081d71d11d0d21e48c4c0bba2fa0277","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"22c289c3_c1ffacf3","updated":"2026-04-13 16:31:58.000000000","message":"ill leave -w for gmaan to weigh in","commit_id":"1363f0fce6091a8c2c2a63aeabca7dcbbb053afa"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"9084a6bc20098c1f2a77976b10b7d7b0d537c52a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"9bf2e07d_574a692e","in_reply_to":"8aa786ec_14b30f20","updated":"2026-04-13 09:16:41.000000000","message":"Done","commit_id":"1363f0fce6091a8c2c2a63aeabca7dcbbb053afa"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"e74c8b161a9e85448a72485664a10e99c1382eb2","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"8aa786ec_14b30f20","in_reply_to":"affb7149_c0304264","updated":"2025-11-25 16:28:42.000000000","message":"I see a similar logic already exists within devstack[1] so I think this is consistent.\n\n[1] https://opendev.org/openstack/devstack/src/commit/f9448d8978ebd7862a5019e8e023836aee248a18/lib/cinder#L466-L469\n\nIf we want to do it more cleanly we may need some hooks in devstack/grenade side which barbican plugin can inject some steps but I\u0027d start with simplified solution now to unblock long-time missing test coverage...","commit_id":"1363f0fce6091a8c2c2a63aeabca7dcbbb053afa"}],"projects/70_cinder/resources.sh":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"83dd3e7c21f0b3fbc494bb7a71a20a5583f0c07b","unresolved":true,"context_lines":[{"line_number":102,"context_line":""},{"line_number":103,"context_line":"    openstack role add 
member --user $id --project $project_id"},{"line_number":104,"context_line":"    if is_service_enabled barbican; then"},{"line_number":105,"context_line":"        openstack role add creator --user $id --project $project_id"},{"line_number":106,"context_line":"    fi"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"    # Create an encrypted volume type as admin"}],"source_content_type":"text/x-sh","patch_set":2,"id":"d6cfbf62_bed17ddd","line":105,"updated":"2026-04-13 10:31:16.000000000","message":"the creator role is deprecated and only used when using the legacy rules\n\nso this should only be done if you are overriding the oslo policy default and disabling the new defaults\n\nhttps://opendev.org/openstack/oslo.policy/src/branch/master/oslo_policy/opts.py#L49-L67\n\nenforcing new defaults was enabled by default 2 years ago in 2025.1\nhttps://opendev.org/openstack/oslo.policy/commit/206ae19f48dfcd5c2fb34439de02694b1a78594e","commit_id":"1363f0fce6091a8c2c2a63aeabca7dcbbb053afa"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1a0282391f75b22d418904fc48645909806b9be0","unresolved":true,"context_lines":[{"line_number":102,"context_line":""},{"line_number":103,"context_line":"    openstack role add member --user $id --project $project_id"},{"line_number":104,"context_line":"    if is_service_enabled barbican; then"},{"line_number":105,"context_line":"        openstack role add creator --user $id --project $project_id"},{"line_number":106,"context_line":"    fi"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"    # Create an encrypted volume type as admin"}],"source_content_type":"text/x-sh","patch_set":2,"id":"e83a4445_123cd27e","line":105,"in_reply_to":"d6cfbf62_bed17ddd","updated":"2026-04-13 17:49:09.000000000","message":"Unfortunately, Barbican has not enabled the new defaults yet. Barbican was not ready (I remember there were some failures) when I enabled those by default in Oslo, so I had to disable them for Barbican.\n\nI am enabling them in the below change, and let\u0027s see how it goes. But as old defaults are the default, I am ok to add this role, and once Barbican runs with new defaults, then we can remove this role (once the base release has the new defaults enabled by default)\n\nhttps://review.opendev.org/c/openstack/barbican/+/984422","commit_id":"1363f0fce6091a8c2c2a63aeabca7dcbbb053afa"}]}
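Review bot: The `openstack role add creator` line at 105 of projects/70_cinder/resources.sh carries no comment recording why the extra role is granted or under what condition it can be dropped, even though the thread above ties that to Barbican's policy defaults rather than to anything in this script; a comment inside the `if is_service_enabled barbican` block, e.g. `# Barbican's legacy policy defaults still require 'creator' for secret operations; remove this grant once the base release enforces the new defaults`, would stop the workaround from outliving its reason. Since the grant presumably widens what the test user may do in Barbican, naming the narrow condition it exists for also matters from a least-privilege standpoint. As on line 103, `$id` and `$project_id` are unquoted, which matches the surrounding style and is fine only while both remain single-token values. The function enclosing these lines starts and ends outside the quoted context.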
