)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":8648,"name":"Radomir Dopieralski","email":"openstack@dopieralski.pl","username":"thesheep"},"change_message_id":"930e3c216cd273b4b71749ae26c6edefb9f14e3d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"21d8b83c_2465d2ef","updated":"2021-10-12 12:47:05.000000000","message":"\u003e Patch Set 3: Code-Review-1\n\u003e \n\u003e I have used the default policy rule \u0027create_port:port_security_enabled\u0027 and created a demo user with a member role and now If I apply this patch it always hides \u0027Port Security\u0027 checkbox for the non-admin user which is Wrong. I have generated default policy rule using the below command in my devstack env:\n\u003e ``oslopolicy-policy-generator --namespace neutron --output-file /etc/neutron/policy.yaml`` and updated policy_file path in \\etc\\neutron\\neutron.conf.\n\u003e \n\u003e This patch works fine for the policy mentioned in the bug summary.\n\nCan you attach the relevant policy file somewhere?","commit_id":"19294199f424ac1e3fab9dbdbf093894b91453ee"},{"author":{"_account_id":29313,"name":"Vishal Manchanda","email":"manchandavishal143@gmail.com","username":"vishalmanchanda"},"change_message_id":"0e65908569b941bb0449e325b040d483fcd6863a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"52372386_99ddeca7","in_reply_to":"21d8b83c_2465d2ef","updated":"2021-10-12 13:27:19.000000000","message":"default policy.yaml for neutron in my env. can be found here https://paste.opendev.org/show/809921/\n\nYou can also generate using oslopolicy-policy-generator command.","commit_id":"19294199f424ac1e3fab9dbdbf093894b91453ee"},{"author":{"_account_id":29313,"name":"Vishal Manchanda","email":"manchandavishal143@gmail.com","username":"vishalmanchanda"},"change_message_id":"1e5178416ed944ba9f910385d03523e316c2eb28","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"e80872b6_ea64a7cc","in_reply_to":"47aaf9d2_619b74ca","updated":"2021-10-21 12:13:05.000000000","message":"hi, I can still see the same issue after applying your patch \u0027port security\u0027 checkbox always hide for the non-admin user with the default policy rule.","commit_id":"19294199f424ac1e3fab9dbdbf093894b91453ee"},{"author":{"_account_id":8648,"name":"Radomir Dopieralski","email":"openstack@dopieralski.pl","username":"thesheep"},"change_message_id":"5d5a4a5f72f2136acd63e5d194135c1d46ed95f3","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"c177a02f_10021681","in_reply_to":"52372386_99ddeca7","updated":"2021-10-13 12:44:44.000000000","message":"It says:\n\"create_port:port_security_enabled\": \"rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s\"\n\nIf I read this right, you should have the right as an admin if you have the system scope (which we don\u0027t support) or it\u0027s your own project?\n\nDid this change recently? It doesn\u0027t seem right.","commit_id":"19294199f424ac1e3fab9dbdbf093894b91453ee"},{"author":{"_account_id":8648,"name":"Radomir Dopieralski","email":"openstack@dopieralski.pl","username":"thesheep"},"change_message_id":"e0568ef9d78a9563660ada72758790d7caec658e","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"fd6deaad_d2fc9ab8","in_reply_to":"7a5d3efe_54152e92","updated":"2021-10-14 14:21:34.000000000","message":"I think I know what\u0027s wrong. I need to pass the network id to the policy check, so it can make sure the user is the owner.","commit_id":"19294199f424ac1e3fab9dbdbf093894b91453ee"},{"author":{"_account_id":8648,"name":"Radomir Dopieralski","email":"openstack@dopieralski.pl","username":"thesheep"},"change_message_id":"4797808507b44a30d79bd18d8af7a3c9001a0bde","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"fe27fad0_f12e8242","in_reply_to":"b37d614e_881984df","updated":"2021-10-26 09:47:05.000000000","message":"Done","commit_id":"19294199f424ac1e3fab9dbdbf093894b91453ee"},{"author":{"_account_id":29313,"name":"Vishal Manchanda","email":"manchandavishal143@gmail.com","username":"vishalmanchanda"},"change_message_id":"620b1930eed5b4adfa17e651718be36b1e26089a","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"7a5d3efe_54152e92","in_reply_to":"c177a02f_10021681","updated":"2021-10-13 13:40:38.000000000","message":"You can find the same in neutron code [1]\n\n[1] https://github.com/openstack/neutron/blob/master/neutron/conf/policies/port.py#L162","commit_id":"19294199f424ac1e3fab9dbdbf093894b91453ee"},{"author":{"_account_id":8648,"name":"Radomir Dopieralski","email":"openstack@dopieralski.pl","username":"thesheep"},"change_message_id":"4bededfaa42933001d1abcefcc7c015b1a2fd121","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"acf7224f_77f9c89e","in_reply_to":"d5a27cd8_e380cc9b","updated":"2021-11-04 10:53:28.000000000","message":"It looks like we are always passing the domain name to token creation (the comments say this is necessary for multi-domain support), and this makes oslo.policy think this is a domain-scoped token?","commit_id":"19294199f424ac1e3fab9dbdbf093894b91453ee"},{"author":{"_account_id":8648,"name":"Radomir Dopieralski","email":"openstack@dopieralski.pl","username":"thesheep"},"change_message_id":"9c32f021d6b5d3bf71839aab5dbb57706dd9e23e","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"b37d614e_881984df","in_reply_to":"e80872b6_ea64a7cc","updated":"2021-10-25 10:52:31.000000000","message":"I\u0027m getting this now too, so this is definitely a problem. Looking in the logs, I also get this:\n\noslo_policy/policy.py:1064: UserWarning: Policy update_port:port_security_enabled failed scope check. The token used to make the request was domain scoped but the policy requires [\u0027system\u0027, \u0027project\u0027] scope. This behavior may change in the future where using the intended scope is required.\n\nWhy is this a system scope policy?","commit_id":"19294199f424ac1e3fab9dbdbf093894b91453ee"},{"author":{"_account_id":8648,"name":"Radomir Dopieralski","email":"openstack@dopieralski.pl","username":"thesheep"},"change_message_id":"90abf385fd06d1b1470f1f17514e34e8c3f0e5b8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"47aaf9d2_619b74ca","in_reply_to":"fd6deaad_d2fc9ab8","updated":"2021-10-19 13:21:06.000000000","message":"Done","commit_id":"19294199f424ac1e3fab9dbdbf093894b91453ee"},{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"3afacf9e0eb3d9aec576a5ab465fd7156e925cf2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"d5a27cd8_e380cc9b","in_reply_to":"fe27fad0_f12e8242","updated":"2021-10-27 07:33:48.000000000","message":"\u003e oslo_policy/policy.py:1064: UserWarning: Policy update_port:port_security_enabled failed scope check. The token used to make the request was domain scoped but the policy requires [\u0027system\u0027, \u0027project\u0027] scope. This behavior may change in the future where using the intended scope is required.\n\u003e \n\u003e Why is this a system scope policy?\n\nAt least a domain scoped token is not correct as there is no resource scoped to a specific domain in neutron.\n\nRegarding the system-scoped, the reason that a system-scoped token is included in the list of the expected token is because neutron allows system-level admin to specify the field on behalf of a project. Note that there were many discussions on how to manipulate a project-level resource with a superuser priviledge (so far and in the last PTG) and it is just what neutron does from the initial era.","commit_id":"19294199f424ac1e3fab9dbdbf093894b91453ee"},{"author":{"_account_id":8648,"name":"Radomir Dopieralski","email":"openstack@dopieralski.pl","username":"thesheep"},"change_message_id":"e0568ef9d78a9563660ada72758790d7caec658e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"3712e154_10f512af","updated":"2021-10-14 14:21:34.000000000","message":"I\u0027m now passing the network_id and port_id to the policy check function, so that the ownership checks should work.","commit_id":"bf3c2a09bee132d7123dd78c9e5afbd5130f72cf"},{"author":{"_account_id":29313,"name":"Vishal Manchanda","email":"manchandavishal143@gmail.com","username":"vishalmanchanda"},"change_message_id":"1e5178416ed944ba9f910385d03523e316c2eb28","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"b1725d57_d6b0c00d","updated":"2021-10-21 12:13:05.000000000","message":"It would be nice if someone else could also test your patch then I will do my vote.\nMaybe I am missing something.","commit_id":"1372a55807ebeceb6e90d76ae3b70adc41b38ea2"},{"author":{"_account_id":8648,"name":"Radomir Dopieralski","email":"openstack@dopieralski.pl","username":"thesheep"},"change_message_id":"14fa3996177b48c6bbe3bf410631e9155dd7d6e1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"69933f0f_c2a6ad52","updated":"2021-10-19 13:24:39.000000000","message":"recheck","commit_id":"1372a55807ebeceb6e90d76ae3b70adc41b38ea2"},{"author":{"_account_id":8648,"name":"Radomir Dopieralski","email":"openstack@dopieralski.pl","username":"thesheep"},"change_message_id":"db174cc636e1ab924209b3cc8d497d11dede0d6b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"c7f547d9_2b1ec028","updated":"2021-10-18 08:56:33.000000000","message":"recheck random integration test failure","commit_id":"1372a55807ebeceb6e90d76ae3b70adc41b38ea2"},{"author":{"_account_id":8648,"name":"Radomir Dopieralski","email":"openstack@dopieralski.pl","username":"thesheep"},"change_message_id":"f38148863022aa4e5d858e1c5e41a55af62b067b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"f8440c05_48187838","updated":"2021-10-25 10:53:46.000000000","message":"I think I figured it out, and it seems to work in my tests now.\n\nThe trick is to also specify \"network:tenant_id\" in the target.\n\nThe warning about wrong scope is because we pass domain_id always. It\u0027s a separate issue.","commit_id":"878e3345a7bef5f9bb7efdc1954a21fed2add490"},{"author":{"_account_id":8648,"name":"Radomir Dopieralski","email":"openstack@dopieralski.pl","username":"thesheep"},"change_message_id":"985dd8c3e9ba5db6de681b08ebb1879183cab2cf","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"5f3eb630_e4103604","updated":"2021-10-27 09:51:09.000000000","message":"recheck","commit_id":"d7321c9468d81627f4ac24d44c0009b2d471e8ed"},{"author":{"_account_id":8648,"name":"Radomir Dopieralski","email":"openstack@dopieralski.pl","username":"thesheep"},"change_message_id":"3f011522e26517465d996c75a4c15f890c1e1fba","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"85763cef_a2fc3a73","updated":"2021-10-26 09:46:45.000000000","message":"recheck","commit_id":"d7321c9468d81627f4ac24d44c0009b2d471e8ed"},{"author":{"_account_id":8648,"name":"Radomir Dopieralski","email":"openstack@dopieralski.pl","username":"thesheep"},"change_message_id":"87c3240f7e826ead89ce61bfebe7fce34d8c9464","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"f0dc9422_18f105d9","updated":"2021-10-29 14:17:50.000000000","message":"recheck","commit_id":"d7321c9468d81627f4ac24d44c0009b2d471e8ed"},{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"3afacf9e0eb3d9aec576a5ab465fd7156e925cf2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"b405554e_ce518c5f","updated":"2021-10-27 07:33:48.000000000","message":"recheck I believe CI issues have been fixed","commit_id":"d7321c9468d81627f4ac24d44c0009b2d471e8ed"}]}
