)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"587268650ea935fd89175688873789068eb0d07a","unresolved":false,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"The default policy will been replaced with one which aligns with the"},{"line_number":10,"context_line":"Secure-RBAC scopes and roles. Since ironic-inspector is a tool used only"},{"line_number":11,"context_line":"by system-level admins, only the ``system`` scope is supported, and the"},{"line_number":12,"context_line":"only roles in the policy rules are ``admin`` and ``reader``."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"The is_admin and is_observer rules are deprecated for removal, and"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"d508bfe4_708de212","line":11,"updated":"2021-02-12 13:05:12.000000000","message":"Well... There is a potentially valid case of exposing introspection data to owners or even lessees. But that\u0027s not trivial, so I\u0027m fine with postponing.","commit_id":"d353786756daaec458e66b96331afb8810635cc1"}],"ironic_inspector/policy.py":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"587268650ea935fd89175688873789068eb0d07a","unresolved":false,"context_lines":[{"line_number":125,"context_line":"introspection_policies \u003d ["},{"line_number":126,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":127,"context_line":"        name\u003d\u0027introspection:continue\u0027,"},{"line_number":128,"context_line":"        check_str\u003d\u0027rule:public_api\u0027,"},{"line_number":129,"context_line":"        description\u003d\u0027Ramdisk callback to continue introspection\u0027,"},{"line_number":130,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/continue\u0027, \u0027method\u0027: \u0027POST\u0027}],"},{"line_number":131,"context_line":"    ),"}],"source_content_type":"text/x-python","patch_set":4,"id":"1787de70_1e35049f","line":128,"updated":"2021-02-12 13:05:12.000000000","message":"This endpoint is not authenticated.","commit_id":"d353786756daaec458e66b96331afb8810635cc1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"240a520ca48f52bbc759a2d46fbddafd4ac0379b","unresolved":true,"context_lines":[{"line_number":125,"context_line":"introspection_policies \u003d ["},{"line_number":126,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":127,"context_line":"        name\u003d\u0027introspection:continue\u0027,"},{"line_number":128,"context_line":"        check_str\u003d\u0027rule:public_api\u0027,"},{"line_number":129,"context_line":"        description\u003d\u0027Ramdisk callback to continue introspection\u0027,"},{"line_number":130,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/continue\u0027, \u0027method\u0027: \u0027POST\u0027}],"},{"line_number":131,"context_line":"    ),"}],"source_content_type":"text/x-python","patch_set":4,"id":"e56b82a5_8f4601f1","line":128,"updated":"2021-02-05 03:49:44.000000000","message":"This is going to remain open or unprotected?","commit_id":"d353786756daaec458e66b96331afb8810635cc1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1ccdc85de7e0bd571e38f93391120072df01b635","unresolved":false,"context_lines":[{"line_number":125,"context_line":"introspection_policies \u003d ["},{"line_number":126,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":127,"context_line":"        name\u003d\u0027introspection:continue\u0027,"},{"line_number":128,"context_line":"        check_str\u003d\u0027rule:public_api\u0027,"},{"line_number":129,"context_line":"        description\u003d\u0027Ramdisk callback to continue introspection\u0027,"},{"line_number":130,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/continue\u0027, \u0027method\u0027: \u0027POST\u0027}],"},{"line_number":131,"context_line":"    ),"}],"source_content_type":"text/x-python","patch_set":4,"id":"76b5330b_ac14331c","line":128,"in_reply_to":"e56b82a5_8f4601f1","updated":"2021-02-15 15:46:55.000000000","message":"Ack","commit_id":"d353786756daaec458e66b96331afb8810635cc1"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"587268650ea935fd89175688873789068eb0d07a","unresolved":false,"context_lines":[{"line_number":160,"context_line":"    ),"},{"line_number":161,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":162,"context_line":"        name\u003d\u0027introspection:data\u0027,"},{"line_number":163,"context_line":"        check_str\u003dSYSTEM_ADMIN,"},{"line_number":164,"context_line":"        description\u003d\u0027Get introspection data\u0027,"},{"line_number":165,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/introspection/{node_id}/data\u0027,"},{"line_number":166,"context_line":"                     \u0027method\u0027: \u0027GET\u0027}],"}],"source_content_type":"text/x-python","patch_set":4,"id":"fc18d79b_3db00852","line":163,"updated":"2021-02-12 13:05:12.000000000","message":"Hmm. Probably ADMIN is a good default since we don\u0027t want everyone to see introspection data.","commit_id":"d353786756daaec458e66b96331afb8810635cc1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"240a520ca48f52bbc759a2d46fbddafd4ac0379b","unresolved":true,"context_lines":[{"line_number":183,"context_line":"rule_policies \u003d ["},{"line_number":184,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":185,"context_line":"        name\u003d\u0027introspection:rule:get\u0027,"},{"line_number":186,"context_line":"        check_str\u003dSYSTEM_ADMIN,"},{"line_number":187,"context_line":"        description\u003d\u0027Get introspection rule(s)\u0027,"},{"line_number":188,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/rules\u0027, \u0027method\u0027: \u0027GET\u0027},"},{"line_number":189,"context_line":"                    {\u0027path\u0027: \u0027/rules/{rule_id}\u0027, \u0027method\u0027: \u0027GET\u0027}],"}],"source_content_type":"text/x-python","patch_set":4,"id":"982bc17f_4eb899e1","line":186,"range":{"start_line":186,"start_character":18,"end_line":186,"end_character":30},"updated":"2021-02-05 03:49:44.000000000","message":"Is this read-only? Could this use system-reader instead or are inspection rules not something we should expose to system-readers?","commit_id":"d353786756daaec458e66b96331afb8810635cc1"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"587268650ea935fd89175688873789068eb0d07a","unresolved":false,"context_lines":[{"line_number":183,"context_line":"rule_policies \u003d ["},{"line_number":184,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":185,"context_line":"        name\u003d\u0027introspection:rule:get\u0027,"},{"line_number":186,"context_line":"        check_str\u003dSYSTEM_ADMIN,"},{"line_number":187,"context_line":"        description\u003d\u0027Get introspection rule(s)\u0027,"},{"line_number":188,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/rules\u0027, \u0027method\u0027: \u0027GET\u0027},"},{"line_number":189,"context_line":"                    {\u0027path\u0027: \u0027/rules/{rule_id}\u0027, \u0027method\u0027: \u0027GET\u0027}],"}],"source_content_type":"text/x-python","patch_set":4,"id":"287157bb_83d85623","line":186,"updated":"2021-02-12 13:05:12.000000000","message":"Well... Introspection rules may contain passwords (e.g. if a rule is used to set IPMI credentials).","commit_id":"d353786756daaec458e66b96331afb8810635cc1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1ccdc85de7e0bd571e38f93391120072df01b635","unresolved":false,"context_lines":[{"line_number":183,"context_line":"rule_policies \u003d ["},{"line_number":184,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":185,"context_line":"        name\u003d\u0027introspection:rule:get\u0027,"},{"line_number":186,"context_line":"        check_str\u003dSYSTEM_ADMIN,"},{"line_number":187,"context_line":"        description\u003d\u0027Get introspection rule(s)\u0027,"},{"line_number":188,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/rules\u0027, \u0027method\u0027: \u0027GET\u0027},"},{"line_number":189,"context_line":"                    {\u0027path\u0027: \u0027/rules/{rule_id}\u0027, \u0027method\u0027: \u0027GET\u0027}],"}],"source_content_type":"text/x-python","patch_set":4,"id":"18503a5b_dc2d6987","line":186,"in_reply_to":"287157bb_83d85623","updated":"2021-02-15 15:46:55.000000000","message":"That makes sense. Thanks for the followup.","commit_id":"d353786756daaec458e66b96331afb8810635cc1"}],"ironic_inspector/test/unit/test_acl.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"240a520ca48f52bbc759a2d46fbddafd4ac0379b","unresolved":true,"context_lines":[{"line_number":372,"context_line":""},{"line_number":373,"context_line":"    def test_rule_list_system_reader(self):"},{"line_number":374,"context_line":"        self.assert_status(403, READER_TOKEN, self.app.get,"},{"line_number":375,"context_line":"                           \u0027/v1/rules\u0027)"},{"line_number":376,"context_line":""},{"line_number":377,"context_line":"    def test_rule_get_system_admin(self):"},{"line_number":378,"context_line":"        self.assert_status(404, ADMIN_TOKEN, self.app.get,"}],"source_content_type":"text/x-python","patch_set":4,"id":"01b0e1f3_70b50257","line":375,"updated":"2021-02-05 03:49:44.000000000","message":"Similar comment as the corresponding policy.","commit_id":"d353786756daaec458e66b96331afb8810635cc1"}]}
