)]}'
{"specs/approved/secure-rbac.rst":[{"author":{"_account_id":24245,"name":"Harald Jensås","email":"hjensas@redhat.com","username":"harald.jensas"},"change_message_id":"02cbed52ef014dc45fd1da296ce26c448dff2b36","unresolved":true,"context_lines":[{"line_number":5,"context_line":" http://creativecommons.org/licenses/by/3.0/legalcode"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":8,"context_line":"Title of the Spec"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Include the URL of your StoryBoard story (which should have an `rfe`` tag):"}],"source_content_type":"text/x-rst","patch_set":2,"id":"0ed26f54_6f0876df","line":8,"range":{"start_line":8,"start_character":0,"end_line":8,"end_character":17},"updated":"2020-12-03 00:48:48.000000000","message":":) I did\u0027nt find it at first glance in the rendered docs.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c17b082e5be2272245c6799cb9db50aa31fc862d","unresolved":true,"context_lines":[{"line_number":5,"context_line":" http://creativecommons.org/licenses/by/3.0/legalcode"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":8,"context_line":"Title of the Spec"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Include the URL of your StoryBoard 
story (which should have an `rfe`` tag):"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9cf1c41c_ff42b21e","line":8,"range":{"start_line":8,"start_character":0,"end_line":8,"end_character":17},"in_reply_to":"0ed26f54_6f0876df","updated":"2020-12-04 23:00:05.000000000","message":"Yeah, missed that.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":5,"context_line":" http://creativecommons.org/licenses/by/3.0/legalcode"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":8,"context_line":"Title of the Spec"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Include the URL of your StoryBoard story (which should have an `rfe`` tag):"}],"source_content_type":"text/x-rst","patch_set":2,"id":"ab3c9577_cc3a6dbc","line":8,"range":{"start_line":8,"start_character":0,"end_line":8,"end_character":17},"in_reply_to":"9cf1c41c_ff42b21e","updated":"2020-12-09 15:33:39.000000000","message":"Done","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"74d6f9236c430442aaa6335df282b9358cfb72bc","unresolved":true,"context_lines":[{"line_number":8,"context_line":"Title of the 
Spec"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Include the URL of your StoryBoard story (which should have an `rfe`` tag):"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Specification Scope: OpenStack Integrated"},{"line_number":14,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"1d27b1b3_6e6cb232","line":11,"updated":"2020-12-04 19:44:32.000000000","message":"Instructions like this should be completely removed from the spec, once followed. We need this linked to a story.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c17b082e5be2272245c6799cb9db50aa31fc862d","unresolved":true,"context_lines":[{"line_number":8,"context_line":"Title of the Spec"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Include the URL of your StoryBoard story (which should have an `rfe`` tag):"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Specification Scope: OpenStack Integrated"},{"line_number":14,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"524f4690_ebb7b247","line":11,"in_reply_to":"1d27b1b3_6e6cb232","updated":"2020-12-04 23:00:05.000000000","message":"Yeah, I\u0027ve not gotten that far yet. 
:)","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":8,"context_line":"Title of the Spec"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Include the URL of your StoryBoard story (which should have an `rfe`` tag):"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Specification Scope: OpenStack Integrated"},{"line_number":14,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"b17ee857_b58f55b8","line":11,"in_reply_to":"524f4690_ebb7b247","updated":"2020-12-09 15:33:39.000000000","message":"Done","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"74d6f9236c430442aaa6335df282b9358cfb72bc","unresolved":true,"context_lines":[{"line_number":16,"context_line":""},{"line_number":17,"context_line":"Ironic has long been considered an \"admin-only\" service."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Recent work thanks to the Mass Open Cloud community pushed ironic towards"},{"line_number":20,"context_line":"having a concept of enabling tenants to be able to use and leverage the"},{"line_number":21,"context_line":"ironic API."},{"line_number":22,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"6eae85cf_35a7ad1e","line":19,"updated":"2020-12-04 19:44:32.000000000","message":"I don\u0027t think this is a necessary paragraph; and if it is, its very 
ambiguous -- I didn\u0027t know \"Mass\" referred to the US State until a conversation.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c17b082e5be2272245c6799cb9db50aa31fc862d","unresolved":true,"context_lines":[{"line_number":16,"context_line":""},{"line_number":17,"context_line":"Ironic has long been considered an \"admin-only\" service."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Recent work thanks to the Mass Open Cloud community pushed ironic towards"},{"line_number":20,"context_line":"having a concept of enabling tenants to be able to use and leverage the"},{"line_number":21,"context_line":"ironic API."},{"line_number":22,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"f92e33ed_53b54fc6","line":19,"in_reply_to":"6eae85cf_35a7ad1e","updated":"2020-12-04 23:00:05.000000000","message":"I need to find the spec link to it... 
just OMGSOOMANYTHINGSTODO","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":16,"context_line":""},{"line_number":17,"context_line":"Ironic has long been considered an \"admin-only\" service."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Recent work thanks to the Mass Open Cloud community pushed ironic towards"},{"line_number":20,"context_line":"having a concept of enabling tenants to be able to use and leverage the"},{"line_number":21,"context_line":"ironic API."},{"line_number":22,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"fc42cebc_fa25986f","line":19,"in_reply_to":"f92e33ed_53b54fc6","updated":"2020-12-09 15:33:39.000000000","message":"Revising the statement to provide further context into the background.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"74d6f9236c430442aaa6335df282b9358cfb72bc","unresolved":true,"context_lines":[{"line_number":21,"context_line":"ironic API."},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"However a newer model effort is in the work called \"Secure RBAC\" which is"},{"line_number":24,"context_line":"an initiative to try and make secure access."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"In essence group the access and actions behind personas which are granted"},{"line_number":27,"context_line":"to users and then ensuring that the invoked access rights do not 
permit"}],"source_content_type":"text/x-rst","patch_set":2,"id":"46072f9c_5f6688ea","line":24,"updated":"2020-12-04 19:44:32.000000000","message":"There should be a link to a spec related to this work for keystone or overall openstack","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":21,"context_line":"ironic API."},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"However a newer model effort is in the work called \"Secure RBAC\" which is"},{"line_number":24,"context_line":"an initiative to try and make secure access."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"In essence group the access and actions behind personas which are granted"},{"line_number":27,"context_line":"to users and then ensuring that the invoked access rights do not permit"}],"source_content_type":"text/x-rst","patch_set":2,"id":"69ca3543_4a218a16","line":24,"in_reply_to":"46072f9c_5f6688ea","updated":"2020-12-09 15:33:39.000000000","message":"Found the original keystone spec describing system scoped role assignments. 
Adding.\nhttps://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b440e896cc544f66556db0b77dd26e1b44262bef","unresolved":true,"context_lines":[{"line_number":23,"context_line":"However a newer model effort is in the work called \"Secure RBAC\" which is"},{"line_number":24,"context_line":"an initiative to try and make secure access."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"In essence group the access and actions behind personas which are granted"},{"line_number":27,"context_line":"to users and then ensuring that the invoked access rights do not permit"},{"line_number":28,"context_line":"access to items. Now, some of this was modeled with the previous, but the"},{"line_number":29,"context_line":"roles to consider in this discussion moving forward is:"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"* admin - This is in essence an administrator. 
Create/Delete $things."}],"source_content_type":"text/x-rst","patch_set":2,"id":"da2f330d_ba4ab094","line":28,"range":{"start_line":26,"start_character":0,"end_line":28,"end_character":16},"updated":"2020-11-30 21:21:04.000000000","message":"++\n\nUltimately, this exercise is applied consistently across projects, which provides a consistent authorization experience about various personas.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":24245,"name":"Harald Jensås","email":"hjensas@redhat.com","username":"harald.jensas"},"change_message_id":"02cbed52ef014dc45fd1da296ce26c448dff2b36","unresolved":true,"context_lines":[{"line_number":25,"context_line":""},{"line_number":26,"context_line":"In essence group the access and actions behind personas which are granted"},{"line_number":27,"context_line":"to users and then ensuring that the invoked access rights do not permit"},{"line_number":28,"context_line":"access to items. Now, some of this was modeled with the previous, but the"},{"line_number":29,"context_line":"roles to consider in this discussion moving forward is:"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"* admin - This is in essence an administrator. 
Create/Delete $things."}],"source_content_type":"text/x-rst","patch_set":2,"id":"93cef197_33356225","line":28,"range":{"start_line":28,"start_character":52,"end_line":28,"end_character":64},"updated":"2020-12-03 00:48:48.000000000","message":"maybe elaborate a little, the previous what?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":25,"context_line":""},{"line_number":26,"context_line":"In essence group the access and actions behind personas which are granted"},{"line_number":27,"context_line":"to users and then ensuring that the invoked access rights do not permit"},{"line_number":28,"context_line":"access to items. Now, some of this was modeled with the previous, but the"},{"line_number":29,"context_line":"roles to consider in this discussion moving forward is:"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"* admin - This is in essence an administrator. 
Create/Delete $things."}],"source_content_type":"text/x-rst","patch_set":2,"id":"a7412fba_288c68e0","line":28,"range":{"start_line":28,"start_character":52,"end_line":28,"end_character":64},"in_reply_to":"93cef197_33356225","updated":"2020-12-09 15:33:39.000000000","message":"Part of this is covered in the next paragraph, but I\u0027m moving those details up.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":23,"context_line":"However a newer model effort is in the work called \"Secure RBAC\" which is"},{"line_number":24,"context_line":"an initiative to try and make secure access."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"In essence group the access and actions behind personas which are granted"},{"line_number":27,"context_line":"to users and then ensuring that the invoked access rights do not permit"},{"line_number":28,"context_line":"access to items. Now, some of this was modeled with the previous, but the"},{"line_number":29,"context_line":"roles to consider in this discussion moving forward is:"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"* admin - This is in essence an administrator. 
Create/Delete $things."}],"source_content_type":"text/x-rst","patch_set":2,"id":"9dd2b76b_8d4b281e","line":28,"range":{"start_line":26,"start_character":0,"end_line":28,"end_character":16},"in_reply_to":"da2f330d_ba4ab094","updated":"2020-12-09 15:33:39.000000000","message":"Ack","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":26,"context_line":"In essence group the access and actions behind personas which are granted"},{"line_number":27,"context_line":"to users and then ensuring that the invoked access rights do not permit"},{"line_number":28,"context_line":"access to items. Now, some of this was modeled with the previous, but the"},{"line_number":29,"context_line":"roles to consider in this discussion moving forward is:"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"* admin - This is in essence an administrator. Create/Delete $things."},{"line_number":32,"context_line":"          Implies member access."}],"source_content_type":"text/x-rst","patch_set":2,"id":"2d49acd0_f4b2903d","line":29,"updated":"2020-12-04 20:31:38.000000000","message":"Lines 19-29 are a difficult read, and I\u0027m not sure if the information is useful. 
I suggest deleting 19-29, then perhaps adding a single line that says something like:\n\n\"Role definitions:\"","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":26,"context_line":"In essence group the access and actions behind personas which are granted"},{"line_number":27,"context_line":"to users and then ensuring that the invoked access rights do not permit"},{"line_number":28,"context_line":"access to items. Now, some of this was modeled with the previous, but the"},{"line_number":29,"context_line":"roles to consider in this discussion moving forward is:"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"* admin - This is in essence an administrator. Create/Delete $things."},{"line_number":32,"context_line":"          Implies member access."}],"source_content_type":"text/x-rst","patch_set":2,"id":"062f0a1b_58eeadc1","line":29,"in_reply_to":"2d49acd0_f4b2903d","updated":"2020-12-09 15:33:39.000000000","message":"Resorting the text and kind of merging things around to make things a little more clear and less confusing.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":28,"context_line":"access to items. Now, some of this was modeled with the previous, but the"},{"line_number":29,"context_line":"roles to consider in this discussion moving forward is:"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"* admin - This is in essence an administrator. 
Create/Delete $things."},{"line_number":32,"context_line":"          Implies member access."},{"line_number":33,"context_line":"* member - Can act upon $things, maybe update certian $things,"},{"line_number":34,"context_line":"           but not delete $things. Implies Reader."}],"source_content_type":"text/x-rst","patch_set":2,"id":"b732b616_812cfa4c","line":31,"updated":"2020-12-04 20:31:38.000000000","message":"Can you define what \"administrator\" actually means? Is this just \"can delete things, in addition to all \u0027member\u0027 privileges\"?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":28,"context_line":"access to items. Now, some of this was modeled with the previous, but the"},{"line_number":29,"context_line":"roles to consider in this discussion moving forward is:"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"* admin - This is in essence an administrator. Create/Delete $things."},{"line_number":32,"context_line":"          Implies member access."},{"line_number":33,"context_line":"* member - Can act upon $things, maybe update certian $things,"},{"line_number":34,"context_line":"           but not delete $things. 
Implies Reader."}],"source_content_type":"text/x-rst","patch_set":2,"id":"cefc7600_0f1ef8f5","line":31,"in_reply_to":"5fa9b18f_68b9e252","updated":"2020-12-09 15:33:39.000000000","message":"Done, and linking to the keystone scope and role specs.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c17b082e5be2272245c6799cb9db50aa31fc862d","unresolved":true,"context_lines":[{"line_number":28,"context_line":"access to items. Now, some of this was modeled with the previous, but the"},{"line_number":29,"context_line":"roles to consider in this discussion moving forward is:"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"* admin - This is in essence an administrator. Create/Delete $things."},{"line_number":32,"context_line":"          Implies member access."},{"line_number":33,"context_line":"* member - Can act upon $things, maybe update certian $things,"},{"line_number":34,"context_line":"           but not delete $things. Implies Reader."}],"source_content_type":"text/x-rst","patch_set":2,"id":"5fa9b18f_68b9e252","line":31,"in_reply_to":"b732b616_812cfa4c","updated":"2020-12-04 23:00:05.000000000","message":"That is conceptually what I\u0027m thinking. I think phase two of this spec enumeration would be making a table with all of the endpoints and more explicitly detailing a lot of it for each.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":30,"context_line":""},{"line_number":31,"context_line":"* admin - This is in essence an administrator. 
Create/Delete $things."},{"line_number":32,"context_line":"          Implies member access."},{"line_number":33,"context_line":"* member - Can act upon $things, maybe update certian $things,"},{"line_number":34,"context_line":"           but not delete $things. Implies Reader."},{"line_number":35,"context_line":"* reader - This is in essence an auditor to has full read-only access."},{"line_number":36,"context_line":"           Can only list and get $things"}],"source_content_type":"text/x-rst","patch_set":2,"id":"6b316d1c_dafc8f08","line":33,"range":{"start_line":33,"start_character":46,"end_line":33,"end_character":53},"updated":"2020-12-04 20:31:38.000000000","message":"\"certain\"\n\nWhat does \"maybe update\" mean? How is that different from \"act\"?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":30,"context_line":""},{"line_number":31,"context_line":"* admin - This is in essence an administrator. Create/Delete $things."},{"line_number":32,"context_line":"          Implies member access."},{"line_number":33,"context_line":"* member - Can act upon $things, maybe update certian $things,"},{"line_number":34,"context_line":"           but not delete $things. 
Implies Reader."},{"line_number":35,"context_line":"* reader - This is in essence an auditor to has full read-only access."},{"line_number":36,"context_line":"           Can only list and get $things"}],"source_content_type":"text/x-rst","patch_set":2,"id":"ca31ff67_3ea80289","line":33,"range":{"start_line":33,"start_character":46,"end_line":33,"end_character":53},"in_reply_to":"6b316d1c_dafc8f08","updated":"2020-12-09 15:33:39.000000000","message":"I wrote this to try and spur discussion, but I think I\u0027m going to need to make a detailed table.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":24245,"name":"Harald Jensås","email":"hjensas@redhat.com","username":"harald.jensas"},"change_message_id":"02cbed52ef014dc45fd1da296ce26c448dff2b36","unresolved":true,"context_lines":[{"line_number":32,"context_line":"          Implies member access."},{"line_number":33,"context_line":"* member - Can act upon $things, maybe update certian $things,"},{"line_number":34,"context_line":"           but not delete $things. Implies Reader."},{"line_number":35,"context_line":"* reader - This is in essence an auditor to has full read-only access."},{"line_number":36,"context_line":"           Can only list and get $things"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":".. note: A future potential is that an ``auditor`` role may exist, but it"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5f545fb8_063c85e2","line":35,"range":{"start_line":35,"start_character":33,"end_line":35,"end_character":47},"updated":"2020-12-03 00:48:48.000000000","message":"auditor that has ? 
or \u0027auditor to have full ...\u0027","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":32,"context_line":"          Implies member access."},{"line_number":33,"context_line":"* member - Can act upon $things, maybe update certian $things,"},{"line_number":34,"context_line":"           but not delete $things. Implies Reader."},{"line_number":35,"context_line":"* reader - This is in essence an auditor to has full read-only access."},{"line_number":36,"context_line":"           Can only list and get $things"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":".. note: A future potential is that an ``auditor`` role may exist, but it"}],"source_content_type":"text/x-rst","patch_set":2,"id":"87d44f81_447e3088","line":35,"range":{"start_line":35,"start_character":33,"end_line":35,"end_character":47},"in_reply_to":"5f545fb8_063c85e2","updated":"2020-12-09 15:33:39.000000000","message":"Rewrote.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":40,"context_line":"   role would potentially allow sensitive values to be unmasked."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Currently we have ``baremetal_admin`` and ``baremetal_observer``, however"},{"line_number":43,"context_line":"these are custom role names introduced during the `policy in code effort \u003chttps://governance.openstack.org/tc/goals/selected/queens/policy-in-code.html\u003e`_,"},{"line_number":44,"context_line":"except these roles are not scoped and ultimately the roles 
need to be able"},{"line_number":45,"context_line":"to be scoped with consistent role naming and meaning"},{"line_number":46,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"81b9f419_409fc1c1","line":43,"range":{"start_line":43,"start_character":28,"end_line":43,"end_character":72},"updated":"2020-12-04 20:31:38.000000000","message":"Is this useful information?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":40,"context_line":"   role would potentially allow sensitive values to be unmasked."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Currently we have ``baremetal_admin`` and ``baremetal_observer``, however"},{"line_number":43,"context_line":"these are custom role names introduced during the `policy in code effort \u003chttps://governance.openstack.org/tc/goals/selected/queens/policy-in-code.html\u003e`_,"},{"line_number":44,"context_line":"except these roles are not scoped and ultimately the roles need to be able"},{"line_number":45,"context_line":"to be scoped with consistent role naming and meaning"},{"line_number":46,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"b50312d4_1f0521dd","line":43,"range":{"start_line":43,"start_character":28,"end_line":43,"end_character":72},"in_reply_to":"7f522657_45620cbc","updated":"2020-12-09 15:33:39.000000000","message":"Done","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c17b082e5be2272245c6799cb9db50aa31fc862d","unresolved":true,"context_lines":[{"line_number":40,"context_line":"   
role would potentially allow sensitive values to be unmasked."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Currently we have ``baremetal_admin`` and ``baremetal_observer``, however"},{"line_number":43,"context_line":"these are custom role names introduced during the `policy in code effort \u003chttps://governance.openstack.org/tc/goals/selected/queens/policy-in-code.html\u003e`_,"},{"line_number":44,"context_line":"except these roles are not scoped and ultimately the roles need to be able"},{"line_number":45,"context_line":"to be scoped with consistent role naming and meaning"},{"line_number":46,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"7f522657_45620cbc","line":43,"range":{"start_line":43,"start_character":28,"end_line":43,"end_character":72},"in_reply_to":"81b9f419_409fc1c1","updated":"2020-12-04 23:00:05.000000000","message":"It is background context to know how we got to where we\u0027re at today.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b440e896cc544f66556db0b77dd26e1b44262bef","unresolved":true,"context_lines":[{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Currently we have ``baremetal_admin`` and ``baremetal_observer``, however"},{"line_number":43,"context_line":"these are custom role names introduced during the `policy in code effort \u003chttps://governance.openstack.org/tc/goals/selected/queens/policy-in-code.html\u003e`_,"},{"line_number":44,"context_line":"except these roles are not scoped and ultimately the roles need to be able"},{"line_number":45,"context_line":"to be scoped with consistent role naming and meaning"},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"In the secure RBAC world, roles are scoped to one of three scopes 
with"}],"source_content_type":"text/x-rst","patch_set":2,"id":"56c967fd_5e8d6ae3","line":44,"range":{"start_line":44,"start_character":13,"end_line":44,"end_character":33},"updated":"2020-11-30 21:21:04.000000000","message":"It looks like the current baremetal_admin and baremetal_observer rules check for project membership using rule:is_member[0].\n\nBy default, it looks like those check strings are only valid if a user has the baremetal_admin role on a project named demo or baremetal in the default domain or no domain[1].\n\nCurrently, the majority of the policies in ironic are project-scoped. I think this is pretty typical since system-scope is relatively new.\n\n[0] https://opendev.org/openstack/ironic/src/branch/master/ironic/common/policy.py#L58\n[1] I don\u0027t think this is actually possible since all projects must have a domain in keystone","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Currently we have ``baremetal_admin`` and ``baremetal_observer``, however"},{"line_number":43,"context_line":"these are custom role names introduced during the `policy in code effort \u003chttps://governance.openstack.org/tc/goals/selected/queens/policy-in-code.html\u003e`_,"},{"line_number":44,"context_line":"except these roles are not scoped and ultimately the roles need to be able"},{"line_number":45,"context_line":"to be scoped with consistent role naming and meaning"},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"In the secure RBAC world, roles are scoped to one of three scopes 
with"}],"source_content_type":"text/x-rst","patch_set":2,"id":"f063e4f2_beb2a1e0","line":44,"range":{"start_line":44,"start_character":13,"end_line":44,"end_character":33},"in_reply_to":"56c967fd_5e8d6ae3","updated":"2020-12-09 15:33:39.000000000","message":"I\u0027m interpreting this comment as informational, And this paragraph has been re-written with some details moving to the prior paragraph.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":50,"context_line":"* system - This is similar to the existing scope of the cloud deployment today."},{"line_number":51,"context_line":"* domain - We do not anticipate this to apply, and the primitives do not exist"},{"line_number":52,"context_line":"           in ironic."},{"line_number":53,"context_line":"* project - This is the existing concept of concept."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"Problem description"},{"line_number":56,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5de26234_ba6d8fca","line":53,"updated":"2020-12-04 20:31:38.000000000","message":"Perhaps it would be clearer if 31-53 was reworked into two sections:\n\n- roles and scopes (none?) 
that currently exist in Ironic, and the definitions of the privileges that each provides.\n\n- the proposed role and scope definitions","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":50,"context_line":"* system - This is similar to the existing scope of the cloud deployment today."},{"line_number":51,"context_line":"* domain - We do not anticipate this to apply, and the primitives do not exist"},{"line_number":52,"context_line":"           in ironic."},{"line_number":53,"context_line":"* project - This is the existing concept of concept."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"Problem description"},{"line_number":56,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5595037d_483acea3","line":53,"range":{"start_line":53,"start_character":33,"end_line":53,"end_character":51},"updated":"2020-12-04 20:31:38.000000000","message":"Typo?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":50,"context_line":"* system - This is similar to the existing scope of the cloud deployment today."},{"line_number":51,"context_line":"* domain - We do not anticipate this to apply, and the primitives do not exist"},{"line_number":52,"context_line":"           in ironic."},{"line_number":53,"context_line":"* project - This is the existing concept of 
concept."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"Problem description"},{"line_number":56,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"4d742b32_84179992","line":53,"range":{"start_line":53,"start_character":33,"end_line":53,"end_character":51},"in_reply_to":"418a8690_b2d13ef1","updated":"2020-12-09 15:33:39.000000000","message":"Done","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c17b082e5be2272245c6799cb9db50aa31fc862d","unresolved":true,"context_lines":[{"line_number":50,"context_line":"* system - This is similar to the existing scope of the cloud deployment today."},{"line_number":51,"context_line":"* domain - We do not anticipate this to apply, and the primitives do not exist"},{"line_number":52,"context_line":"           in ironic."},{"line_number":53,"context_line":"* project - This is the existing concept of concept."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"Problem description"},{"line_number":56,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"418a8690_b2d13ef1","line":53,"range":{"start_line":53,"start_character":33,"end_line":53,"end_character":51},"in_reply_to":"5595037d_483acea3","updated":"2020-12-04 23:00:05.000000000","message":"All the typos. 
:)","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c17b082e5be2272245c6799cb9db50aa31fc862d","unresolved":true,"context_lines":[{"line_number":50,"context_line":"* system - This is similar to the existing scope of the cloud deployment today."},{"line_number":51,"context_line":"* domain - We do not anticipate this to apply, and the primitives do not exist"},{"line_number":52,"context_line":"           in ironic."},{"line_number":53,"context_line":"* project - This is the existing concept of concept."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"Problem description"},{"line_number":56,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"e659b403_227c0d66","line":53,"in_reply_to":"5de26234_ba6d8fca","updated":"2020-12-04 23:00:05.000000000","message":"42 is basically it, but makes sense, and I think a more in-depth table is really needed, will clarify in next update.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":50,"context_line":"* system - This is similar to the existing scope of the cloud deployment today."},{"line_number":51,"context_line":"* domain - We do not anticipate this to apply, and the primitives do not exist"},{"line_number":52,"context_line":"           in ironic."},{"line_number":53,"context_line":"* project - This is the existing concept of 
concept."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"Problem description"},{"line_number":56,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1443f206_8d5f86e0","line":53,"in_reply_to":"e659b403_227c0d66","updated":"2020-12-09 15:33:39.000000000","message":"I think the new text kind of better lays out the context.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":55,"context_line":"Problem description"},{"line_number":56,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"The fundimental issue at hand is ironic does not understand the scope concept"},{"line_number":59,"context_line":"and desired restriction and delineation model to leverage."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"Coincidently there is a desire with in the larger community coming from larger"}],"source_content_type":"text/x-rst","patch_set":2,"id":"cbf38b3c_7de36f0b","line":58,"range":{"start_line":58,"start_character":4,"end_line":58,"end_character":15},"updated":"2020-12-04 20:31:38.000000000","message":"fundamental","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"74d6f9236c430442aaa6335df282b9358cfb72bc","unresolved":true,"context_lines":[{"line_number":55,"context_line":"Problem 
description"},{"line_number":56,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"The fundimental issue at hand is ironic does not understand the scope concept"},{"line_number":59,"context_line":"and desired restriction and delineation model to leverage."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"Coincidently there is a desire with in the larger community coming from larger"}],"source_content_type":"text/x-rst","patch_set":2,"id":"d08b987b_8d064bdf","line":58,"updated":"2020-12-04 19:44:32.000000000","message":"fundamental","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":55,"context_line":"Problem description"},{"line_number":56,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"The fundimental issue at hand is ironic does not understand the scope concept"},{"line_number":59,"context_line":"and desired restriction and delineation model to leverage."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"Coincidently there is a desire with in the larger community coming from larger"}],"source_content_type":"text/x-rst","patch_set":2,"id":"4192c593_fe317138","line":58,"range":{"start_line":58,"start_character":4,"end_line":58,"end_character":15},"in_reply_to":"cbf38b3c_7de36f0b","updated":"2020-12-09 15:33:39.000000000","message":"Done","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia 
Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":55,"context_line":"Problem description"},{"line_number":56,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"The fundimental issue at hand is ironic does not understand the scope concept"},{"line_number":59,"context_line":"and desired restriction and delineation model to leverage."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"Coincidently there is a desire with in the larger community coming from larger"}],"source_content_type":"text/x-rst","patch_set":2,"id":"34639692_5f9c810b","line":58,"in_reply_to":"d08b987b_8d064bdf","updated":"2020-12-09 15:33:39.000000000","message":"Done","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":55,"context_line":"Problem description"},{"line_number":56,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"The fundimental issue at hand is ironic does not understand the scope concept"},{"line_number":59,"context_line":"and desired restriction and delineation model to leverage."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"Coincidently there is a desire with in the larger community coming from larger"},{"line_number":62,"context_line":"OpenStack 
operators."}],"source_content_type":"text/x-rst","patch_set":2,"id":"40d79719_3279bc22","line":59,"range":{"start_line":58,"start_character":0,"end_line":59,"end_character":57},"updated":"2020-12-04 20:31:38.000000000","message":"Excessively wordy. Can this be rewritten as roughly?:\n\n\u003e Ironic has no concept of \"scope\".\n\n\u003e \"scope\" is defined as [...].\n\n\u003e We would like to implement this concept in Ironic.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c17b082e5be2272245c6799cb9db50aa31fc862d","unresolved":true,"context_lines":[{"line_number":55,"context_line":"Problem description"},{"line_number":56,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"The fundimental issue at hand is ironic does not understand the scope concept"},{"line_number":59,"context_line":"and desired restriction and delineation model to leverage."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"Coincidently there is a desire with in the larger community coming from larger"},{"line_number":62,"context_line":"OpenStack operators."}],"source_content_type":"text/x-rst","patch_set":2,"id":"2d61d0e4_4beaac94","line":59,"range":{"start_line":58,"start_character":0,"end_line":59,"end_character":57},"in_reply_to":"40d79719_3279bc22","updated":"2020-12-04 23:00:05.000000000","message":"Well, Truthfully, only two projects in openstack, as of today, grok scope. Keystone and Nova.  
Of course, I am also overly wordy.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":59,"context_line":"and desired restriction and delineation model to leverage."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"Coincidently there is a desire with in the larger community coming from larger"},{"line_number":62,"context_line":"OpenStack operators."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"Further compounded by this is that scope based definition may compound and"},{"line_number":65,"context_line":"cascade down through other sevice interactions as deployers move from using"}],"source_content_type":"text/x-rst","patch_set":2,"id":"bc2be639_879de7ab","line":62,"updated":"2020-12-04 20:31:38.000000000","message":"What desire? 
Can you explain more specifically why larger operators desire this?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":59,"context_line":"and desired restriction and delineation model to leverage."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"Coincidently there is a desire with in the larger community coming from larger"},{"line_number":62,"context_line":"OpenStack operators."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"Further compounded by this is that scope based definition may compound and"},{"line_number":65,"context_line":"cascade down through other sevice interactions as deployers move from using"}],"source_content_type":"text/x-rst","patch_set":2,"id":"e22d2254_7c7b7d80","line":62,"in_reply_to":"92bb359d_08818ff7","updated":"2020-12-09 15:33:39.000000000","message":"Done","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c17b082e5be2272245c6799cb9db50aa31fc862d","unresolved":true,"context_lines":[{"line_number":59,"context_line":"and desired restriction and delineation model to leverage."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"Coincidently there is a desire with in the larger community coming from larger"},{"line_number":62,"context_line":"OpenStack operators."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"Further compounded by this is that scope based definition may compound and"},{"line_number":65,"context_line":"cascade down through other sevice interactions as deployers move from 
using"}],"source_content_type":"text/x-rst","patch_set":2,"id":"92bb359d_08818ff7","line":62,"in_reply_to":"bc2be639_879de7ab","updated":"2020-12-04 23:00:05.000000000","message":"Its a fragment pointing back to the prior sentence. I must have stopped/started a few times around here. I\u0027ll likely nuke it.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":63,"context_line":""},{"line_number":64,"context_line":"Further compounded by this is that scope based definition may compound and"},{"line_number":65,"context_line":"cascade down through other sevice interactions as deployers move from using"},{"line_number":66,"context_line":"projects exclusively to project *and* scope."},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Proposed change"},{"line_number":69,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"cd0265d6_b51a296d","line":66,"updated":"2020-12-04 20:31:38.000000000","message":"I *think* line 64-66 is actually trying to say something like:\n\n\u003e Other OpenStack services are also implementing a \"project, scope\" authorization model, so Ironic needs to implement a concept of \"scope\" to remain compatible. 
[explain what the specific interactions are].","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"d16e15d1675b856d07815b175783b5a489d4e5cd","unresolved":true,"context_lines":[{"line_number":70,"context_line":""},{"line_number":71,"context_line":"At a high level, the desire is to:"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"a) have greater consistency through the adoption of of standard roles, and"},{"line_number":74,"context_line":"b) implement the ability to move to scope based restriction."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"We will do this by constructing a new set of policies to reflect the secure"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9fb74643_981c5556","line":73,"range":{"start_line":73,"start_character":49,"end_line":73,"end_character":54},"updated":"2020-12-01 02:41:14.000000000","message":"of of","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":70,"context_line":""},{"line_number":71,"context_line":"At a high level, the desire is to:"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"a) have greater consistency through the adoption of of standard roles, and"},{"line_number":74,"context_line":"b) implement the ability to move to scope based restriction."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"We will do this by constructing a new set of policies to reflect the 
secure"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9f2c63f9_f3408998","line":73,"range":{"start_line":73,"start_character":49,"end_line":73,"end_character":54},"in_reply_to":"9fb74643_981c5556","updated":"2020-12-09 15:33:39.000000000","message":"Done","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":71,"context_line":"At a high level, the desire is to:"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"a) have greater consistency through the adoption of of standard roles, and"},{"line_number":74,"context_line":"b) implement the ability to move to scope based restriction."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"We will do this by constructing a new set of policies to reflect the secure"},{"line_number":77,"context_line":"RBAC model where the \"scope\" is included as part of the definition."}],"source_content_type":"text/x-rst","patch_set":2,"id":"3660ac53_35960e98","line":74,"range":{"start_line":74,"start_character":36,"end_line":74,"end_character":59},"updated":"2020-12-04 20:31:38.000000000","message":"\"scope based restriction\" is still undefined at this point in the article. 
This is also the first instance of the phrase \"scope based restriction\"--I believe this is just wordiness, and a synonym with \"scope\".\n\nLess wordy might be:\n\n\u003e a) adopt standard role names and semantics\n\u003e b) implement a \"scope\" concept","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b440e896cc544f66556db0b77dd26e1b44262bef","unresolved":true,"context_lines":[{"line_number":70,"context_line":""},{"line_number":71,"context_line":"At a high level, the desire is to:"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"a) have greater consistency through the adoption of of standard roles, and"},{"line_number":74,"context_line":"b) implement the ability to move to scope based restriction."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"We will do this by constructing a new set of policies to reflect the secure"},{"line_number":77,"context_line":"RBAC model where the \"scope\" is included as part of the definition."}],"source_content_type":"text/x-rst","patch_set":2,"id":"5d69bb49_b8c1a7b9","line":74,"range":{"start_line":73,"start_character":0,"end_line":74,"end_character":60},"updated":"2020-11-30 21:21:04.000000000","message":"+1","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":73,"context_line":"a) have greater consistency through the adoption of of standard roles, and"},{"line_number":74,"context_line":"b) implement the ability to move to scope based restriction."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"We will do this by constructing a new set of policies to reflect the secure"},{"line_number":77,"context_line":"RBAC 
model where the \"scope\" is included as part of the definition."},{"line_number":78,"context_line":"The previous policies in code will be deprecated for later removal, yet will"},{"line_number":79,"context_line":"remain in place being and operators will be able to choose to At present,"},{"line_number":80,"context_line":"scope restriction is disabled in the policy enforcement, but will be able"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9aa655b9_499a5806","line":77,"range":{"start_line":76,"start_character":65,"end_line":77,"end_character":10},"updated":"2020-12-04 20:31:38.000000000","message":"This is not yet defined in this article. Should this be an inline link to another article?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":true,"context_lines":[{"line_number":73,"context_line":"a) have greater consistency through the adoption of of standard roles, and"},{"line_number":74,"context_line":"b) implement the ability to move to scope based restriction."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"We will do this by constructing a new set of policies to reflect the secure"},{"line_number":77,"context_line":"RBAC model where the \"scope\" is included as part of the definition."},{"line_number":78,"context_line":"The previous policies in code will be deprecated for later removal, yet will"},{"line_number":79,"context_line":"remain in place being and operators will be able to choose to At present,"},{"line_number":80,"context_line":"scope restriction is disabled in the policy enforcement, but will be 
able"}],"source_content_type":"text/x-rst","patch_set":2,"id":"06e80bc5_bb4d6ff0","line":77,"range":{"start_line":76,"start_character":65,"end_line":77,"end_character":10},"in_reply_to":"9aa655b9_499a5806","updated":"2020-12-09 15:33:39.000000000","message":"Still moderately nebulous, and started towards line 88.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":76,"context_line":"We will do this by constructing a new set of policies to reflect the secure"},{"line_number":77,"context_line":"RBAC model where the \"scope\" is included as part of the definition."},{"line_number":78,"context_line":"The previous policies in code will be deprecated for later removal, yet will"},{"line_number":79,"context_line":"remain in place being and operators will be able to choose to At present,"},{"line_number":80,"context_line":"scope restriction is disabled in the policy enforcement, but will be able"},{"line_number":81,"context_line":"to be enabled by operators and projects at a later point in time once the"},{"line_number":82,"context_line":"deprecated policies."}],"source_content_type":"text/x-rst","patch_set":2,"id":"0347fece_71ce245a","line":79,"range":{"start_line":79,"start_character":62,"end_line":79,"end_character":72},"updated":"2020-12-04 20:31:38.000000000","message":"\"At present\" -\u003e \"By default\"?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":75,"context_line":""},{"line_number":76,"context_line":"We will do this by constructing a new set of policies to reflect the secure"},{"line_number":77,"context_line":"RBAC model where the 
\"scope\" is included as part of the definition."},{"line_number":78,"context_line":"The previous policies in code will be deprecated for later removal, yet will"},{"line_number":79,"context_line":"remain in place being and operators will be able to choose to At present,"},{"line_number":80,"context_line":"scope restriction is disabled in the policy enforcement, but will be able"},{"line_number":81,"context_line":"to be enabled by operators and projects at a later point in time once the"},{"line_number":82,"context_line":"deprecated policies."}],"source_content_type":"text/x-rst","patch_set":2,"id":"8f965f7f_cdb1d22b","line":79,"range":{"start_line":78,"start_character":66,"end_line":79,"end_character":25},"updated":"2020-12-04 20:31:38.000000000","message":"Delete and replace with `.`","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":76,"context_line":"We will do this by constructing a new set of policies to reflect the secure"},{"line_number":77,"context_line":"RBAC model where the \"scope\" is included as part of the definition."},{"line_number":78,"context_line":"The previous policies in code will be deprecated for later removal, yet will"},{"line_number":79,"context_line":"remain in place being and operators will be able to choose to At present,"},{"line_number":80,"context_line":"scope restriction is disabled in the policy enforcement, but will be able"},{"line_number":81,"context_line":"to be enabled by operators and projects at a later point in time once the"},{"line_number":82,"context_line":"deprecated policies."}],"source_content_type":"text/x-rst","patch_set":2,"id":"75418b6c_459bc6bf","line":79,"range":{"start_line":79,"start_character":26,"end_line":79,"end_character":61},"updated":"2020-12-04 20:31:38.000000000","message":"Guessing this 
is trying to say:\n\n\u003e During the deprecation period, Operators will be able to choose to between using the old authorization model/policies, and the new model defined in this spec.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":24245,"name":"Harald Jensås","email":"hjensas@redhat.com","username":"harald.jensas"},"change_message_id":"02cbed52ef014dc45fd1da296ce26c448dff2b36","unresolved":true,"context_lines":[{"line_number":76,"context_line":"We will do this by constructing a new set of policies to reflect the secure"},{"line_number":77,"context_line":"RBAC model where the \"scope\" is included as part of the definition."},{"line_number":78,"context_line":"The previous policies in code will be deprecated for later removal, yet will"},{"line_number":79,"context_line":"remain in place being and operators will be able to choose to At present,"},{"line_number":80,"context_line":"scope restriction is disabled in the policy enforcement, but will be able"},{"line_number":81,"context_line":"to be enabled by operators and projects at a later point in time once the"},{"line_number":82,"context_line":"deprecated policies."}],"source_content_type":"text/x-rst","patch_set":2,"id":"890a64fc_fd346f3c","line":79,"range":{"start_line":79,"start_character":61,"end_line":79,"end_character":62},"updated":"2020-12-03 00:48:48.000000000","message":"incomplete sentence?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":76,"context_line":"We will do this by constructing a new set of policies to reflect the secure"},{"line_number":77,"context_line":"RBAC model where the \"scope\" is included as part of the definition."},{"line_number":78,"context_line":"The previous policies 
in code will be deprecated for later removal, yet will"},{"line_number":79,"context_line":"remain in place being and operators will be able to choose to At present,"},{"line_number":80,"context_line":"scope restriction is disabled in the policy enforcement, but will be able"},{"line_number":81,"context_line":"to be enabled by operators and projects at a later point in time once the"},{"line_number":82,"context_line":"deprecated policies."}],"source_content_type":"text/x-rst","patch_set":2,"id":"60687cab_64096ca6","line":79,"range":{"start_line":79,"start_character":62,"end_line":79,"end_character":72},"in_reply_to":"0347fece_71ce245a","updated":"2020-12-09 15:33:39.000000000","message":"Rewrote.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":76,"context_line":"We will do this by constructing a new set of policies to reflect the secure"},{"line_number":77,"context_line":"RBAC model where the \"scope\" is included as part of the definition."},{"line_number":78,"context_line":"The previous policies in code will be deprecated for later removal, yet will"},{"line_number":79,"context_line":"remain in place being and operators will be able to choose to At present,"},{"line_number":80,"context_line":"scope restriction is disabled in the policy enforcement, but will be able"},{"line_number":81,"context_line":"to be enabled by operators and projects at a later point in time once the"},{"line_number":82,"context_line":"deprecated policies."}],"source_content_type":"text/x-rst","patch_set":2,"id":"73e62fe5_a98b63f6","line":79,"range":{"start_line":79,"start_character":26,"end_line":79,"end_character":61},"in_reply_to":"75418b6c_459bc6bf","updated":"2020-12-09 15:33:39.000000000","message":"I like 
it!","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":76,"context_line":"We will do this by constructing a new set of policies to reflect the secure"},{"line_number":77,"context_line":"RBAC model where the \"scope\" is included as part of the definition."},{"line_number":78,"context_line":"The previous policies in code will be deprecated for later removal, yet will"},{"line_number":79,"context_line":"remain in place being and operators will be able to choose to At present,"},{"line_number":80,"context_line":"scope restriction is disabled in the policy enforcement, but will be able"},{"line_number":81,"context_line":"to be enabled by operators and projects at a later point in time once the"},{"line_number":82,"context_line":"deprecated policies."}],"source_content_type":"text/x-rst","patch_set":2,"id":"1c5927e1_7dbf5294","line":79,"range":{"start_line":79,"start_character":61,"end_line":79,"end_character":62},"in_reply_to":"890a64fc_fd346f3c","updated":"2020-12-09 15:33:39.000000000","message":"Ack","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":75,"context_line":""},{"line_number":76,"context_line":"We will do this by constructing a new set of policies to reflect the secure"},{"line_number":77,"context_line":"RBAC model where the \"scope\" is included as part of the definition."},{"line_number":78,"context_line":"The previous policies in code will be deprecated for later removal, yet 
will"},{"line_number":79,"context_line":"remain in place being and operators will be able to choose to At present,"},{"line_number":80,"context_line":"scope restriction is disabled in the policy enforcement, but will be able"},{"line_number":81,"context_line":"to be enabled by operators and projects at a later point in time once the"},{"line_number":82,"context_line":"deprecated policies."}],"source_content_type":"text/x-rst","patch_set":2,"id":"15d0dc2a_78e3aef8","line":79,"range":{"start_line":78,"start_character":66,"end_line":79,"end_character":25},"in_reply_to":"8f965f7f_cdb1d22b","updated":"2020-12-09 15:33:39.000000000","message":"Rewrote","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":24245,"name":"Harald Jensås","email":"hjensas@redhat.com","username":"harald.jensas"},"change_message_id":"02cbed52ef014dc45fd1da296ce26c448dff2b36","unresolved":true,"context_lines":[{"line_number":77,"context_line":"RBAC model where the \"scope\" is included as part of the definition."},{"line_number":78,"context_line":"The previous policies in code will be deprecated for later removal, yet will"},{"line_number":79,"context_line":"remain in place being and operators will be able to choose to At present,"},{"line_number":80,"context_line":"scope restriction is disabled in the policy enforcement, but will be able"},{"line_number":81,"context_line":"to be enabled by operators and projects at a later point in time once the"},{"line_number":82,"context_line":"deprecated policies."},{"line_number":83,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"4323ebde_ec207de6","line":80,"range":{"start_line":80,"start_character":69,"end_line":80,"end_character":73},"updated":"2020-12-03 00:48:48.000000000","message":"available?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":77,"context_line":"RBAC model where the \"scope\" is included as part of the definition."},{"line_number":78,"context_line":"The previous policies in code will be deprecated for later removal, yet will"},{"line_number":79,"context_line":"remain in place being and operators will be able to choose to At present,"},{"line_number":80,"context_line":"scope restriction is disabled in the policy enforcement, but will be able"},{"line_number":81,"context_line":"to be enabled by operators and projects at a later point in time once the"},{"line_number":82,"context_line":"deprecated policies."},{"line_number":83,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"b94b8427_062c47e1","line":80,"range":{"start_line":80,"start_character":69,"end_line":80,"end_character":73},"in_reply_to":"4323ebde_ec207de6","updated":"2020-12-09 15:33:39.000000000","message":"Ack","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":78,"context_line":"The previous policies in code will be deprecated for later removal, yet will"},{"line_number":79,"context_line":"remain in place being and operators will be able to choose to At present,"},{"line_number":80,"context_line":"scope restriction is disabled in the policy enforcement, but will be able"},{"line_number":81,"context_line":"to be enabled by operators and projects at a later point in time once the"},{"line_number":82,"context_line":"deprecated policies."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"These new policies would model our existing modeling and mapping however"},{"line_number":85,"context_line":"with scope 
applied."}],"source_content_type":"text/x-rst","patch_set":2,"id":"b203ef11_ff467c7d","line":82,"range":{"start_line":81,"start_character":27,"end_line":82,"end_character":19},"updated":"2020-12-04 20:31:38.000000000","message":"Delete this.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":24245,"name":"Harald Jensås","email":"hjensas@redhat.com","username":"harald.jensas"},"change_message_id":"02cbed52ef014dc45fd1da296ce26c448dff2b36","unresolved":true,"context_lines":[{"line_number":79,"context_line":"remain in place being and operators will be able to choose to At present,"},{"line_number":80,"context_line":"scope restriction is disabled in the policy enforcement, but will be able"},{"line_number":81,"context_line":"to be enabled by operators and projects at a later point in time once the"},{"line_number":82,"context_line":"deprecated policies."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"These new policies would model our existing modeling and mapping however"},{"line_number":85,"context_line":"with scope applied."}],"source_content_type":"text/x-rst","patch_set":2,"id":"c5c9b4a8_1caf1600","line":82,"range":{"start_line":82,"start_character":0,"end_line":82,"end_character":19},"updated":"2020-12-03 00:48:48.000000000","message":"more context please, the old policies?  
or the policy in code policies has been deprecated?\n\n (I\u0027m not sure if it\u0027s refering to deprecating policy in code policies or what.)","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":78,"context_line":"The previous policies in code will be deprecated for later removal, yet will"},{"line_number":79,"context_line":"remain in place being and operators will be able to choose to At present,"},{"line_number":80,"context_line":"scope restriction is disabled in the policy enforcement, but will be able"},{"line_number":81,"context_line":"to be enabled by operators and projects at a later point in time once the"},{"line_number":82,"context_line":"deprecated policies."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"These new policies would model our existing modeling and mapping however"},{"line_number":85,"context_line":"with scope applied."}],"source_content_type":"text/x-rst","patch_set":2,"id":"03c0bedf_688d07c2","line":82,"range":{"start_line":81,"start_character":27,"end_line":82,"end_character":19},"in_reply_to":"b203ef11_ff467c7d","updated":"2020-12-09 15:33:39.000000000","message":"Ack","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":79,"context_line":"remain in place being and operators will be able to choose to At present,"},{"line_number":80,"context_line":"scope restriction is disabled in the policy enforcement, but will be able"},{"line_number":81,"context_line":"to be 
enabled by operators and projects at a later point in time once the"},{"line_number":82,"context_line":"deprecated policies."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"These new policies would model our existing modeling and mapping however"},{"line_number":85,"context_line":"with scope applied."}],"source_content_type":"text/x-rst","patch_set":2,"id":"187b2ca8_496ae3e4","line":82,"range":{"start_line":82,"start_character":0,"end_line":82,"end_character":19},"in_reply_to":"c5c9b4a8_1caf1600","updated":"2020-12-09 15:33:39.000000000","message":"Policies in code being deprecated. Rewording.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"dce051f0dd506b5fb2786a7eaf02dd292da789ce","unresolved":true,"context_lines":[{"line_number":85,"context_line":"with scope applied."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":88,"context_line":"| Role/Scope  | System          | Domain | Project                           |"},{"line_number":89,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":90,"context_line":"| admin       | \"admin\" role    | N/A    | \"is_node_owner\" plus              |"},{"line_number":91,"context_line":"|             |                 |        | member access concept where       |"}],"source_content_type":"text/x-rst","patch_set":2,"id":"56017703_a65ec943","line":88,"updated":"2020-11-30 20:00:29.000000000","message":"Aren\u0027t role/scope two different concepts? 
I may be misunderstanding this column.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"c504e163382b63517078b2809e29da920800dd2b","unresolved":true,"context_lines":[{"line_number":85,"context_line":"with scope applied."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":88,"context_line":"| Role/Scope  | System          | Domain | Project                           |"},{"line_number":89,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":90,"context_line":"| admin       | \"admin\" role    | N/A    | \"is_node_owner\" plus              |"},{"line_number":91,"context_line":"|             |                 |        | member access concept where       |"}],"source_content_type":"text/x-rst","patch_set":2,"id":"6cd95e58_c5a45433","line":88,"in_reply_to":"3c8677c8_d1d549f4","updated":"2020-12-01 14:54:51.000000000","message":"Correct - since we have an implication between the roles, we assume admins can do anything. It implies the highest level of authorization, which makes sense logically and for backwards compatibility.\n\nThe member role may have a subset of the permissions admin has. 
Reader has a subset of the member\u0027s permissions.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b440e896cc544f66556db0b77dd26e1b44262bef","unresolved":true,"context_lines":[{"line_number":85,"context_line":"with scope applied."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":88,"context_line":"| Role/Scope  | System          | Domain | Project                           |"},{"line_number":89,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":90,"context_line":"| admin       | \"admin\" role    | N/A    | \"is_node_owner\" plus              |"},{"line_number":91,"context_line":"|             |                 |        | member access concept where       |"}],"source_content_type":"text/x-rst","patch_set":2,"id":"74116c5a_79bd7ee7","line":88,"in_reply_to":"56017703_a65ec943","updated":"2020-11-30 21:21:04.000000000","message":"Correct. A role is a construct within keystone that is used in building role assignments. A scope is the authorization target. For example:\n\n  $IDENTITY has the $ROLE role on $SCOPE\n\nCould be substituted with:\n\n  Jane has the member role on project foo\n\nWhich, we can classify as saying:\n\n  Jane falls within the project member persona for project foo, or\n  she is a project member of project foo\n\nPart of the work we\u0027re doing is to break the automatic implication that \u0027admin\u0027 roles carry authorization to do most anything, simply because of the role name. 
By consuming scope, we can deliver nine different personas using three roles and three scopes as opposed to creating nine different roles:\n\n* project_reader\n* project_member\n* project_admin \n* domain_reader (n/a for the time being)\n* domain_member (n/a for the time being)\n* domain_admin (n/a for the time being)\n* system_reader\n* system_member\n* system_admin\n\nOverloading role name with scope information is redundant since it\u0027s already built into the role assignment (even though this is typically how operators solved this problem before keystone supported system-scope). It can also be misleading if you mix the implied scope with the actual scope. For example, what should services do when a user has the project_member role on the system? What should they do if a user has the system_admin role on a project?\n\nI\u0027m only providing this as historical context to explain how and why we decided to build common personas from roles and scopes. In case it\u0027s helpful in building out this table.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"74d6f9236c430442aaa6335df282b9358cfb72bc","unresolved":true,"context_lines":[{"line_number":85,"context_line":"with scope applied."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":88,"context_line":"| Role/Scope  | System          | Domain | Project                           |"},{"line_number":89,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":90,"context_line":"| admin       | \"admin\" role    | N/A    | \"is_node_owner\" plus              |"},{"line_number":91,"context_line":"|             |                 |        | member access concept 
where       |"}],"source_content_type":"text/x-rst","patch_set":2,"id":"67c04b8e_de2cf2fe","line":88,"in_reply_to":"6cd95e58_c5a45433","updated":"2020-12-04 19:44:32.000000000","message":"Lance, are these things documented externally, where we can link to them in this spec? Specifically the keystone spec related to the addition of the idea of scope.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"48a78e3744383d12359901ebfee32c53d82f527c","unresolved":true,"context_lines":[{"line_number":85,"context_line":"with scope applied."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":88,"context_line":"| Role/Scope  | System          | Domain | Project                           |"},{"line_number":89,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":90,"context_line":"| admin       | \"admin\" role    | N/A    | \"is_node_owner\" plus              |"},{"line_number":91,"context_line":"|             |                 |        | member access concept where       |"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3c8677c8_d1d549f4","line":88,"in_reply_to":"74116c5a_79bd7ee7","updated":"2020-12-01 00:28:58.000000000","message":"So, the idea was a 2d array where Role/scope are the two things that are changing in the fields. I also think I can\u0027t have an empty field, but I might be wrong on the formatting constraints of using a table though.\n\nNow, One interesting thing is that effectively we would end up making someone need member and admin to be able to create a node in ironic and set it up, if we don\u0027t imply \"admin\" does not have read/update... 
or do we?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b440e896cc544f66556db0b77dd26e1b44262bef","unresolved":true,"context_lines":[{"line_number":87,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":88,"context_line":"| Role/Scope  | System          | Domain | Project                           |"},{"line_number":89,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":90,"context_line":"| admin       | \"admin\" role    | N/A    | \"is_node_owner\" plus              |"},{"line_number":91,"context_line":"|             |                 |        | member access concept where       |"},{"line_number":92,"context_line":"|             |                 |        | owner field updates are blocked.  |"},{"line_number":93,"context_line":"+-------------+-----------------+--------+-----------------------------------+"}],"source_content_type":"text/x-rst","patch_set":2,"id":"8431e894_b7f81350","line":90,"range":{"start_line":90,"start_character":44,"end_line":90,"end_character":57},"updated":"2020-11-30 21:21:04.000000000","message":"Would this be a project administrator?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"48a78e3744383d12359901ebfee32c53d82f527c","unresolved":true,"context_lines":[{"line_number":87,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":88,"context_line":"| Role/Scope  | System          | Domain | Project                           
|"},{"line_number":89,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":90,"context_line":"| admin       | \"admin\" role    | N/A    | \"is_node_owner\" plus              |"},{"line_number":91,"context_line":"|             |                 |        | member access concept where       |"},{"line_number":92,"context_line":"|             |                 |        | owner field updates are blocked.  |"},{"line_number":93,"context_line":"+-------------+-----------------+--------+-----------------------------------+"}],"source_content_type":"text/x-rst","patch_set":2,"id":"82aac8f7_8f6f9dbf","line":90,"range":{"start_line":90,"start_character":44,"end_line":90,"end_character":57},"in_reply_to":"8431e894_b7f81350","updated":"2020-12-01 00:28:58.000000000","message":"No, this is implied access and association if the node owner field is set and matches the requestor\u0027s project. This is functionally the way it is encoded today for the policy matching.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b440e896cc544f66556db0b77dd26e1b44262bef","unresolved":true,"context_lines":[{"line_number":91,"context_line":"|             |                 |        | member access concept where       |"},{"line_number":92,"context_line":"|             |                 |        | owner field updates are blocked.  |"},{"line_number":93,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":94,"context_line":"| member      | New             | N/A    | \"is_node_lessee\" plus             |"},{"line_number":95,"context_line":"|             |                 |        | member access concept where       |"},{"line_number":96,"context_line":"|             |                 |        | lessee field updates are blocked. 
|"},{"line_number":97,"context_line":"+-------------+-----------------+--------+-----------------------------------+"}],"source_content_type":"text/x-rst","patch_set":2,"id":"fb281c0f_2898c0f1","line":94,"range":{"start_line":94,"start_character":44,"end_line":94,"end_character":58},"updated":"2020-11-30 21:21:04.000000000","message":"Would this be a project member?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"48a78e3744383d12359901ebfee32c53d82f527c","unresolved":true,"context_lines":[{"line_number":91,"context_line":"|             |                 |        | member access concept where       |"},{"line_number":92,"context_line":"|             |                 |        | owner field updates are blocked.  |"},{"line_number":93,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":94,"context_line":"| member      | New             | N/A    | \"is_node_lessee\" plus             |"},{"line_number":95,"context_line":"|             |                 |        | member access concept where       |"},{"line_number":96,"context_line":"|             |                 |        | lessee field updates are blocked. 
|"},{"line_number":97,"context_line":"+-------------+-----------------+--------+-----------------------------------+"}],"source_content_type":"text/x-rst","patch_set":2,"id":"c129ad05_d65e98d9","line":94,"range":{"start_line":94,"start_character":44,"end_line":94,"end_character":58},"in_reply_to":"fb281c0f_2898c0f1","updated":"2020-12-01 00:28:58.000000000","message":"Technically yes, however node object lessee field still needs to match the recorded/set value.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"74d6f9236c430442aaa6335df282b9358cfb72bc","unresolved":true,"context_lines":[{"line_number":99,"context_line":"|             |                 |        | \"is_node_owner\" or                |"},{"line_number":100,"context_line":"|             |                 |        | \"is_node_lessee\" applies          |"},{"line_number":101,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":102,"context_line":"| auditor     | Future but like | N/A    | Future but would coneptually be   |"},{"line_number":103,"context_line":"|             | reader with     |        | same as project reader given      |"},{"line_number":104,"context_line":"|             | unmaksed fields |        | driver_info must remain masked.   
|"},{"line_number":105,"context_line":"+-------------+-----------------+--------+-----------------------------------+"}],"source_content_type":"text/x-rst","patch_set":2,"id":"f97611b6_dcf5f185","line":102,"range":{"start_line":102,"start_character":60,"end_line":102,"end_character":71},"updated":"2020-12-04 19:44:32.000000000","message":"conceptually","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b440e896cc544f66556db0b77dd26e1b44262bef","unresolved":true,"context_lines":[{"line_number":104,"context_line":"|             | unmaksed fields |        | driver_info must remain masked.   |"},{"line_number":105,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":".. note:: Auditor has not been proposed yet, but *does* make sense in the"},{"line_number":108,"context_line":"   long term, and should be logically considered as reader does not equal"},{"line_number":109,"context_line":"   reader."},{"line_number":110,"context_line":""},{"line_number":111,"context_line":".. note:: In some cases, role/scope combonations may be combined in"},{"line_number":112,"context_line":"   discussions and communication, and \u003cscope\u003e-\u003crole\u003e format."}],"source_content_type":"text/x-rst","patch_set":2,"id":"b38489f2_10a01a03","line":109,"range":{"start_line":107,"start_character":0,"end_line":109,"end_character":10},"updated":"2020-11-30 21:21:04.000000000","message":"++\n\nCertainly something to keep in mind.\n\nKeystone automatically implies a relationship between the three roles. The admin role implies member, and the member role implies reader. 
This establishes a hierarchy between the roles, which is a desirable feature in any RBAC-based system [0].\n\nSince most OpenStack users have a member role on a project, and member implies reader, that means those users are going to inherit read-only permissions. This is typically straight-forward so long as the readable resource or API doesn\u0027t contain sensitive user-specific data. For example, we wouldn\u0027t want project readers to view secrets owned by other users simply because they have the reader role.\n\n[0] https://csrc.nist.gov/CSRC/media/Publications/conference-paper/2000/07/26/the-nist-model-for-role-based-access-control-towards-a-unified-/documents/sandhu-ferraiolo-kuhn-00.pdf see section 2.2 on Hierarchical RBAC","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c17b082e5be2272245c6799cb9db50aa31fc862d","unresolved":true,"context_lines":[{"line_number":104,"context_line":"|             | unmaksed fields |        | driver_info must remain masked.   |"},{"line_number":105,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":".. note:: Auditor has not been proposed yet, but *does* make sense in the"},{"line_number":108,"context_line":"   long term, and should be logically considered as reader does not equal"},{"line_number":109,"context_line":"   reader."},{"line_number":110,"context_line":""},{"line_number":111,"context_line":".. 
note:: In some cases, role/scope combonations may be combined in"},{"line_number":112,"context_line":"   discussions and communication, and \u003cscope\u003e-\u003crole\u003e format."}],"source_content_type":"text/x-rst","patch_set":2,"id":"abc87924_034276ca","line":109,"range":{"start_line":107,"start_character":0,"end_line":109,"end_character":10},"in_reply_to":"1cf8f7e3_2d2c8021","updated":"2020-12-04 23:00:05.000000000","message":"I wanted to mention it to kind of draw the line a little further to give readers a conceptual understanding of what else could be down the road. Although in the auditor case, in theory that would be really easy. Define reader + ability to unmask secret fields.\n\nI can absolutely remove it, but it is always a fine balance between additional context versus explicit detail. I personally try to fall in full picture if possible category.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":104,"context_line":"|             | unmaksed fields |        | driver_info must remain masked.   |"},{"line_number":105,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":".. note:: Auditor has not been proposed yet, but *does* make sense in the"},{"line_number":108,"context_line":"   long term, and should be logically considered as reader does not equal"},{"line_number":109,"context_line":"   reader."},{"line_number":110,"context_line":""},{"line_number":111,"context_line":".. 
note:: In some cases, role/scope combonations may be combined in"},{"line_number":112,"context_line":"   discussions and communication, and \u003cscope\u003e-\u003crole\u003e format."}],"source_content_type":"text/x-rst","patch_set":2,"id":"2c506951_1cb01cee","line":109,"range":{"start_line":107,"start_character":0,"end_line":109,"end_character":10},"in_reply_to":"abc87924_034276ca","updated":"2020-12-09 15:33:39.000000000","message":"Removed the reference, kept the note. Clarified the note further.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"48a78e3744383d12359901ebfee32c53d82f527c","unresolved":false,"context_lines":[{"line_number":104,"context_line":"|             | unmaksed fields |        | driver_info must remain masked.   |"},{"line_number":105,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":".. note:: Auditor has not been proposed yet, but *does* make sense in the"},{"line_number":108,"context_line":"   long term, and should be logically considered as reader does not equal"},{"line_number":109,"context_line":"   reader."},{"line_number":110,"context_line":""},{"line_number":111,"context_line":".. 
note:: In some cases, role/scope combonations may be combined in"},{"line_number":112,"context_line":"   discussions and communication, and \u003cscope\u003e-\u003crole\u003e format."}],"source_content_type":"text/x-rst","patch_set":2,"id":"f4b69b9f_cfcd5b2e","line":109,"range":{"start_line":107,"start_character":0,"end_line":109,"end_character":10},"in_reply_to":"b38489f2_10a01a03","updated":"2020-12-01 00:28:58.000000000","message":"Ack","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"74d6f9236c430442aaa6335df282b9358cfb72bc","unresolved":true,"context_lines":[{"line_number":104,"context_line":"|             | unmaksed fields |        | driver_info must remain masked.   |"},{"line_number":105,"context_line":"+-------------+-----------------+--------+-----------------------------------+"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":".. note:: Auditor has not been proposed yet, but *does* make sense in the"},{"line_number":108,"context_line":"   long term, and should be logically considered as reader does not equal"},{"line_number":109,"context_line":"   reader."},{"line_number":110,"context_line":""},{"line_number":111,"context_line":".. 
note:: In some cases, role/scope combonations may be combined in"},{"line_number":112,"context_line":"   discussions and communication, and \u003cscope\u003e-\u003crole\u003e format."}],"source_content_type":"text/x-rst","patch_set":2,"id":"1cf8f7e3_2d2c8021","line":109,"range":{"start_line":107,"start_character":0,"end_line":109,"end_character":10},"in_reply_to":"f4b69b9f_cfcd5b2e","updated":"2020-12-04 19:44:32.000000000","message":"If we\u0027re not implementing auditor now; why is it referenced in this spec at all?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":108,"context_line":"   long term, and should be logically considered as reader does not equal"},{"line_number":109,"context_line":"   reader."},{"line_number":110,"context_line":""},{"line_number":111,"context_line":".. 
note:: In some cases, role/scope combonations may be combined in"},{"line_number":112,"context_line":"   discussions and communication, and \u003cscope\u003e-\u003crole\u003e format."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Existing custom role definitions are not scoped, and thus will fundimentally"}],"source_content_type":"text/x-rst","patch_set":2,"id":"4ac595da_a0ba3e3e","line":111,"range":{"start_line":111,"start_character":36,"end_line":111,"end_character":48},"updated":"2020-12-04 20:31:38.000000000","message":"\u003e combinations","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":108,"context_line":"   long term, and should be logically considered as reader does not equal"},{"line_number":109,"context_line":"   reader."},{"line_number":110,"context_line":""},{"line_number":111,"context_line":".. 
note:: In some cases, role/scope combonations may be combined in"},{"line_number":112,"context_line":"   discussions and communication, and \u003cscope\u003e-\u003crole\u003e format."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Existing custom role definitions are not scoped, and thus will fundimentally"}],"source_content_type":"text/x-rst","patch_set":2,"id":"02ae6521_3b35ec9d","line":111,"range":{"start_line":111,"start_character":36,"end_line":111,"end_character":48},"in_reply_to":"4ac595da_a0ba3e3e","updated":"2020-12-09 15:33:39.000000000","message":"Done","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":109,"context_line":"   reader."},{"line_number":110,"context_line":""},{"line_number":111,"context_line":".. note:: In some cases, role/scope combonations may be combined in"},{"line_number":112,"context_line":"   discussions and communication, and \u003cscope\u003e-\u003crole\u003e format."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Existing custom role definitions are not scoped, and thus will fundimentally"},{"line_number":115,"context_line":"be deprecated by this process and disabled by an operator enabling scope"}],"source_content_type":"text/x-rst","patch_set":2,"id":"2d86ce0b_9d8e2e97","line":112,"updated":"2020-12-04 20:31:38.000000000","message":"Line 111-112 could be more clearly written as:\n\n\u003e scope-role combinations may be formatted as \"{scope}-{role}\". 
For example, the \"admin\" role in the \"project\" scope would be written as \"project-admin\".\n\nI suggest consistently using the term \"scope-role\" and \"scope/role\" rather than \"role-scope\" or \"role/scope\", to match the ordering in the formatting convention.\n\nTransposing the order of the formatting convention is also undesirable, because, for example, \"admin-project\" is ambiguous.\n\nYou might also consider a more qualified formatting convention like \"{{scope},{role}) scope-role\", to make it clear that we are talking about a tuple of two values of type scope-role.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":109,"context_line":"   reader."},{"line_number":110,"context_line":""},{"line_number":111,"context_line":".. note:: In some cases, role/scope combonations may be combined in"},{"line_number":112,"context_line":"   discussions and communication, and \u003cscope\u003e-\u003crole\u003e format."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Existing custom role definitions are not scoped, and thus will fundimentally"},{"line_number":115,"context_line":"be deprecated by this process and disabled by an operator enabling scope"}],"source_content_type":"text/x-rst","patch_set":2,"id":"0a9255e9_07fb9080","line":112,"in_reply_to":"2d86ce0b_9d8e2e97","updated":"2020-12-09 15:33:39.000000000","message":"Done","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"d16e15d1675b856d07815b175783b5a489d4e5cd","unresolved":true,"context_lines":[{"line_number":111,"context_line":".. 
note:: In some cases, role/scope combonations may be combined in"},{"line_number":112,"context_line":"   discussions and communication, and \u003cscope\u003e-\u003crole\u003e format."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Existing custom role definitions are not scoped, and thus will fundimentally"},{"line_number":115,"context_line":"be deprecated by this process and disabled by an operator enabling scope"},{"line_number":116,"context_line":"restrictions (Config parameter ``[oslo_policy]enforce_scope``)."},{"line_number":117,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"f9337ec1_e81fbecc","line":114,"range":{"start_line":114,"start_character":63,"end_line":114,"end_character":76},"updated":"2020-12-01 02:41:14.000000000","message":"fundamentally","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":111,"context_line":".. 
note:: In some cases, role/scope combonations may be combined in"},{"line_number":112,"context_line":"   discussions and communication, and \u003cscope\u003e-\u003crole\u003e format."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Existing custom role definitions are not scoped, and thus will fundimentally"},{"line_number":115,"context_line":"be deprecated by this process and disabled by an operator enabling scope"},{"line_number":116,"context_line":"restrictions (Config parameter ``[oslo_policy]enforce_scope``)."},{"line_number":117,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"0dd8a3f4_b6fcd389","line":114,"range":{"start_line":114,"start_character":63,"end_line":114,"end_character":76},"in_reply_to":"f9337ec1_e81fbecc","updated":"2020-12-09 15:33:39.000000000","message":"Done","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b440e896cc544f66556db0b77dd26e1b44262bef","unresolved":true,"context_lines":[{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Existing custom role definitions are not scoped, and thus will fundimentally"},{"line_number":115,"context_line":"be deprecated by this process and disabled by an operator enabling scope"},{"line_number":116,"context_line":"restrictions (Config parameter ``[oslo_policy]enforce_scope``)."},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"Above and beyond policy definitions, and creation of additional tests, along"},{"line_number":119,"context_line":"with requisite logic updates to support the scope limited policy enforcement."}],"source_content_type":"text/x-rst","patch_set":2,"id":"56d4afff_f3a32b11","line":116,"range":{"start_line":116,"start_character":46,"end_line":116,"end_character":59},"updated":"2020-11-30 21:21:04.000000000","message":"There is also another option called 
enforce_new_defaults, which works hand-in-hand with enforce_scope and lowers the bar for deployments looking to enable this functionality.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"c504e163382b63517078b2809e29da920800dd2b","unresolved":true,"context_lines":[{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Existing custom role definitions are not scoped, and thus will fundimentally"},{"line_number":115,"context_line":"be deprecated by this process and disabled by an operator enabling scope"},{"line_number":116,"context_line":"restrictions (Config parameter ``[oslo_policy]enforce_scope``)."},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"Above and beyond policy definitions, and creation of additional tests, along"},{"line_number":119,"context_line":"with requisite logic updates to support the scope limited policy enforcement."}],"source_content_type":"text/x-rst","patch_set":2,"id":"5d792e58_12ebbc60","line":116,"range":{"start_line":116,"start_character":46,"end_line":116,"end_character":59},"in_reply_to":"50f756d4_ef44679c","updated":"2020-12-01 14:54:51.000000000","message":"It\u0027s relatively new and it wasn\u0027t added at the same time as enforce_scope.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"48a78e3744383d12359901ebfee32c53d82f527c","unresolved":true,"context_lines":[{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Existing custom role definitions are not scoped, and thus will fundimentally"},{"line_number":115,"context_line":"be deprecated by this process and disabled by an operator enabling scope"},{"line_number":116,"context_line":"restrictions 
(Config parameter ``[oslo_policy]enforce_scope``)."},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"Above and beyond policy definitions, and creation of additional tests, along"},{"line_number":119,"context_line":"with requisite logic updates to support the scope limited policy enforcement."}],"source_content_type":"text/x-rst","patch_set":2,"id":"50f756d4_ef44679c","line":116,"range":{"start_line":116,"start_character":46,"end_line":116,"end_character":59},"in_reply_to":"56d4afff_f3a32b11","updated":"2020-12-01 00:28:58.000000000","message":"Good to know, I must not have noticed that one. thanks!","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Existing custom role definitions are not scoped, and thus will fundimentally"},{"line_number":115,"context_line":"be deprecated by this process and disabled by an operator enabling scope"},{"line_number":116,"context_line":"restrictions (Config parameter ``[oslo_policy]enforce_scope``)."},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"Above and beyond policy definitions, and creation of additional tests, along"},{"line_number":119,"context_line":"with requisite logic updates to support the scope limited policy enforcement."}],"source_content_type":"text/x-rst","patch_set":2,"id":"d42d1360_001a746e","line":116,"range":{"start_line":116,"start_character":46,"end_line":116,"end_character":59},"in_reply_to":"5d792e58_12ebbc60","updated":"2020-12-09 15:33:39.000000000","message":"Done","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary 
Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":122,"context_line":"that will likely require adjacent/integrated projects to change their policy"},{"line_number":123,"context_line":"enforcement."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"In terms of ``ironic-inspector`` and it\u0027s API. The System scope column would"},{"line_number":126,"context_line":"apply and as it is not used by any user activity, we should not need to"},{"line_number":127,"context_line":"worry about Domain or Project at any point in the future for the inspection"},{"line_number":128,"context_line":"service, as is a environment/hardware administrator oriented tool for"},{"line_number":129,"context_line":"the examination of the hardware."}],"source_content_type":"text/x-rst","patch_set":2,"id":"16873cec_9d58c743","line":126,"range":{"start_line":125,"start_character":0,"end_line":126,"end_character":5},"updated":"2020-12-04 20:31:38.000000000","message":"\u003e The default ironic-inspector API policies will require \"system\" scope authorization.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c17b082e5be2272245c6799cb9db50aa31fc862d","unresolved":true,"context_lines":[{"line_number":122,"context_line":"that will likely require adjacent/integrated projects to change their policy"},{"line_number":123,"context_line":"enforcement."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"In terms of ``ironic-inspector`` and it\u0027s API. 
The System scope column would"},{"line_number":126,"context_line":"apply and as it is not used by any user activity, we should not need to"},{"line_number":127,"context_line":"worry about Domain or Project at any point in the future for the inspection"},{"line_number":128,"context_line":"service, as is a environment/hardware administrator oriented tool for"},{"line_number":129,"context_line":"the examination of the hardware."}],"source_content_type":"text/x-rst","patch_set":2,"id":"6340c529_0dabce5e","line":126,"range":{"start_line":125,"start_character":0,"end_line":126,"end_character":5},"in_reply_to":"16873cec_9d58c743","updated":"2020-12-04 23:00:05.000000000","message":"It is a bit more nuanced then that, but I get your point. :)","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":122,"context_line":"that will likely require adjacent/integrated projects to change their policy"},{"line_number":123,"context_line":"enforcement."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"In terms of ``ironic-inspector`` and it\u0027s API. 
The System scope column would"},{"line_number":126,"context_line":"apply and as it is not used by any user activity, we should not need to"},{"line_number":127,"context_line":"worry about Domain or Project at any point in the future for the inspection"},{"line_number":128,"context_line":"service, as is a environment/hardware administrator oriented tool for"},{"line_number":129,"context_line":"the examination of the hardware."}],"source_content_type":"text/x-rst","patch_set":2,"id":"104b388b_5c7cfc35","line":126,"range":{"start_line":125,"start_character":0,"end_line":126,"end_character":5},"in_reply_to":"6340c529_0dabce5e","updated":"2020-12-09 15:33:39.000000000","message":"Done","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":24245,"name":"Harald Jensås","email":"hjensas@redhat.com","username":"harald.jensas"},"change_message_id":"02cbed52ef014dc45fd1da296ce26c448dff2b36","unresolved":true,"context_lines":[{"line_number":125,"context_line":"In terms of ``ironic-inspector`` and it\u0027s API. 
The System scope column would"},{"line_number":126,"context_line":"apply and as it is not used by any user activity, we should not need to"},{"line_number":127,"context_line":"worry about Domain or Project at any point in the future for the inspection"},{"line_number":128,"context_line":"service, as is a environment/hardware administrator oriented tool for"},{"line_number":129,"context_line":"the examination of the hardware."},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":2,"id":"d8761159_e3ff2678","line":128,"range":{"start_line":128,"start_character":12,"end_line":128,"end_character":16},"updated":"2020-12-03 00:48:48.000000000","message":"s/as is a/as it is a/ ?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":125,"context_line":"In terms of ``ironic-inspector`` and it\u0027s API. 
The System scope column would"},{"line_number":126,"context_line":"apply and as it is not used by any user activity, we should not need to"},{"line_number":127,"context_line":"worry about Domain or Project at any point in the future for the inspection"},{"line_number":128,"context_line":"service, as is a environment/hardware administrator oriented tool for"},{"line_number":129,"context_line":"the examination of the hardware."},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":2,"id":"881951ee_6300588b","line":128,"range":{"start_line":128,"start_character":12,"end_line":128,"end_character":16},"in_reply_to":"d8761159_e3ff2678","updated":"2020-12-09 15:33:39.000000000","message":"Reworded and this paragraph is basically gone.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":146,"context_line":"REST API impact"},{"line_number":147,"context_line":"---------------"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"First and foremost, the overall high level behavior of this change will be"},{"line_number":150,"context_line":"setting enforced through ``oslo_policy`` until the deprecated policies are"},{"line_number":151,"context_line":"removed from ironic. 
Because this governs general security policy."},{"line_number":152,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"39d81233_1479eef3","line":149,"range":{"start_line":149,"start_character":0,"end_line":149,"end_character":20},"updated":"2020-12-04 20:31:38.000000000","message":"Delete this.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":146,"context_line":"REST API impact"},{"line_number":147,"context_line":"---------------"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"First and foremost, the overall high level behavior of this change will be"},{"line_number":150,"context_line":"setting enforced through ``oslo_policy`` until the deprecated policies are"},{"line_number":151,"context_line":"removed from ironic. 
Because this governs general security policy."},{"line_number":152,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"4c9bfeca_8c357521","line":149,"range":{"start_line":149,"start_character":0,"end_line":149,"end_character":20},"in_reply_to":"39d81233_1479eef3","updated":"2020-12-09 15:33:39.000000000","message":"Done","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"74d6f9236c430442aaa6335df282b9358cfb72bc","unresolved":true,"context_lines":[{"line_number":147,"context_line":"---------------"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"First and foremost, the overall high level behavior of this change will be"},{"line_number":150,"context_line":"setting enforced through ``oslo_policy`` until the deprecated policies are"},{"line_number":151,"context_line":"removed from ironic. 
Because this governs general security policy."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"In accordance with API standards, even though it will not modify behavior,"}],"source_content_type":"text/x-rst","patch_set":2,"id":"dd2f5891_75a37ea7","line":150,"range":{"start_line":150,"start_character":0,"end_line":150,"end_character":7},"updated":"2020-12-04 19:44:32.000000000","message":"settings?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":147,"context_line":"---------------"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"First and foremost, the overall high level behavior of this change will be"},{"line_number":150,"context_line":"setting enforced through ``oslo_policy`` until the deprecated policies are"},{"line_number":151,"context_line":"removed from ironic. 
Because this governs general security policy."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"In accordance with API standards, even though it will not modify behavior,"}],"source_content_type":"text/x-rst","patch_set":2,"id":"eac5fe46_c41fac10","line":150,"range":{"start_line":150,"start_character":0,"end_line":150,"end_character":7},"in_reply_to":"dd2f5891_75a37ea7","updated":"2020-12-09 15:33:39.000000000","message":"Done","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":148,"context_line":""},{"line_number":149,"context_line":"First and foremost, the overall high level behavior of this change will be"},{"line_number":150,"context_line":"setting enforced through ``oslo_policy`` until the deprecated policies are"},{"line_number":151,"context_line":"removed from ironic. Because this governs general security policy."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"In accordance with API standards, even though it will not modify behavior,"},{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"}],"source_content_type":"text/x-rst","patch_set":2,"id":"d50a725a_3790d51e","line":151,"range":{"start_line":151,"start_character":21,"end_line":151,"end_character":65},"updated":"2020-12-04 20:31:38.000000000","message":"Incomplete sentence? 
What does this mean?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"74d6f9236c430442aaa6335df282b9358cfb72bc","unresolved":true,"context_lines":[{"line_number":148,"context_line":""},{"line_number":149,"context_line":"First and foremost, the overall high level behavior of this change will be"},{"line_number":150,"context_line":"setting enforced through ``oslo_policy`` until the deprecated policies are"},{"line_number":151,"context_line":"removed from ironic. Because this governs general security policy."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"In accordance with API standards, even though it will not modify behavior,"},{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"}],"source_content_type":"text/x-rst","patch_set":2,"id":"e07352da_8b644510","line":151,"range":{"start_line":151,"start_character":13,"end_line":151,"end_character":19},"updated":"2020-12-04 19:44:32.000000000","message":"nit: ironic should be capitalized throughout","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"74d6f9236c430442aaa6335df282b9358cfb72bc","unresolved":true,"context_lines":[{"line_number":148,"context_line":""},{"line_number":149,"context_line":"First and foremost, the overall high level behavior of this change will be"},{"line_number":150,"context_line":"setting enforced through ``oslo_policy`` until the deprecated policies are"},{"line_number":151,"context_line":"removed from ironic. 
Because this governs general security policy."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"In accordance with API standards, even though it will not modify behavior,"},{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"}],"source_content_type":"text/x-rst","patch_set":2,"id":"76604593_e6c92f8a","line":151,"range":{"start_line":151,"start_character":21,"end_line":151,"end_character":66},"updated":"2020-12-04 19:44:32.000000000","message":"the \"this\" is ambiguous","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":148,"context_line":""},{"line_number":149,"context_line":"First and foremost, the overall high level behavior of this change will be"},{"line_number":150,"context_line":"setting enforced through ``oslo_policy`` until the deprecated policies are"},{"line_number":151,"context_line":"removed from ironic. 
Because this governs general security policy."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"In accordance with API standards, even though it will not modify behavior,"},{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"}],"source_content_type":"text/x-rst","patch_set":2,"id":"632ce44a_674c47df","line":151,"range":{"start_line":151,"start_character":21,"end_line":151,"end_character":66},"in_reply_to":"76604593_e6c92f8a","updated":"2020-12-09 15:33:39.000000000","message":"Removed sentence, seemed redundant.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":true,"context_lines":[{"line_number":148,"context_line":""},{"line_number":149,"context_line":"First and foremost, the overall high level behavior of this change will be"},{"line_number":150,"context_line":"setting enforced through ``oslo_policy`` until the deprecated policies are"},{"line_number":151,"context_line":"removed from ironic. Because this governs general security policy."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"In accordance with API standards, even though it will not modify behavior,"},{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9685d2f5_e093aa08","line":151,"range":{"start_line":151,"start_character":21,"end_line":151,"end_character":65},"in_reply_to":"d50a725a_3790d51e","updated":"2020-12-09 15:33:39.000000000","message":"I must have stopped/started here. 
:\\ Removing.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":148,"context_line":""},{"line_number":149,"context_line":"First and foremost, the overall high level behavior of this change will be"},{"line_number":150,"context_line":"setting enforced through ``oslo_policy`` until the deprecated policies are"},{"line_number":151,"context_line":"removed from ironic. Because this governs general security policy."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"In accordance with API standards, even though it will not modify behavior,"},{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"}],"source_content_type":"text/x-rst","patch_set":2,"id":"676a3374_749b2783","line":151,"range":{"start_line":151,"start_character":13,"end_line":151,"end_character":19},"in_reply_to":"e07352da_8b644510","updated":"2020-12-09 15:33:39.000000000","message":"Done","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":152,"context_line":""},{"line_number":153,"context_line":"In accordance with API standards, even though it will not modify behavior,"},{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"},{"line_number":155,"context_line":"signaling that an upgraded deployment CAN signify be optionally configured"},{"line_number":156,"context_line":"to support Secure RBAC, however no client change is needed nor expected as"},{"line_number":157,"context_line":"no functioanl 
behavior change should be experienced or percievable with"},{"line_number":158,"context_line":"appropriate permissions granted."}],"source_content_type":"text/x-rst","patch_set":2,"id":"af6dc76f_a7aa9285","line":155,"range":{"start_line":155,"start_character":38,"end_line":155,"end_character":74},"updated":"2020-12-04 20:31:38.000000000","message":"\u003e can optionally be configured","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":151,"context_line":"removed from ironic. Because this governs general security policy."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"In accordance with API standards, even though it will not modify behavior,"},{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"},{"line_number":155,"context_line":"signaling that an upgraded deployment CAN signify be optionally configured"},{"line_number":156,"context_line":"to support Secure RBAC, however no client change is needed nor expected as"},{"line_number":157,"context_line":"no functioanl behavior change should be experienced or percievable with"},{"line_number":158,"context_line":"appropriate permissions granted."}],"source_content_type":"text/x-rst","patch_set":2,"id":"e7dbc969_754da07c","line":155,"range":{"start_line":154,"start_character":52,"end_line":155,"end_character":9},"updated":"2020-12-04 20:31:38.000000000","message":"\u003e signal","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":true,"context_lines":[{"line_number":152,"context_line":""},{"line_number":153,"context_line":"In accordance with API standards, even though it will not modify behavior,"},{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"},{"line_number":155,"context_line":"signaling that an upgraded deployment CAN signify be optionally configured"},{"line_number":156,"context_line":"to support Secure RBAC, however no client change is needed nor expected as"},{"line_number":157,"context_line":"no functioanl behavior change should be experienced or percievable with"},{"line_number":158,"context_line":"appropriate permissions granted."}],"source_content_type":"text/x-rst","patch_set":2,"id":"552462b5_9a2c1d09","line":155,"range":{"start_line":155,"start_character":38,"end_line":155,"end_character":74},"in_reply_to":"af6dc76f_a7aa9285","updated":"2020-12-09 15:33:39.000000000","message":"oh god, what drugs was I doing when I wrote this....","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":151,"context_line":"removed from ironic. 
Because this governs general security policy."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"In accordance with API standards, even though it will not modify behavior,"},{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"},{"line_number":155,"context_line":"signaling that an upgraded deployment CAN signify be optionally configured"},{"line_number":156,"context_line":"to support Secure RBAC, however no client change is needed nor expected as"},{"line_number":157,"context_line":"no functioanl behavior change should be experienced or percievable with"},{"line_number":158,"context_line":"appropriate permissions granted."}],"source_content_type":"text/x-rst","patch_set":2,"id":"8d45bf17_8b83a4de","line":155,"range":{"start_line":154,"start_character":52,"end_line":155,"end_character":9},"in_reply_to":"e7dbc969_754da07c","updated":"2020-12-09 15:33:39.000000000","message":"Ack","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":153,"context_line":"In accordance with API standards, even though it will not modify behavior,"},{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"},{"line_number":155,"context_line":"signaling that an upgraded deployment CAN signify be optionally configured"},{"line_number":156,"context_line":"to support Secure RBAC, however no client change is needed nor expected as"},{"line_number":157,"context_line":"no functioanl behavior change should be experienced or percievable with"},{"line_number":158,"context_line":"appropriate permissions 
granted."},{"line_number":159,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"f9c2f173_585d62f7","line":156,"range":{"start_line":156,"start_character":22,"end_line":156,"end_character":35},"updated":"2020-12-04 20:31:38.000000000","message":"Delete this and insert a paragraph break.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":153,"context_line":"In accordance with API standards, even though it will not modify behavior,"},{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"},{"line_number":155,"context_line":"signaling that an upgraded deployment CAN signify be optionally configured"},{"line_number":156,"context_line":"to support Secure RBAC, however no client change is needed nor expected as"},{"line_number":157,"context_line":"no functioanl behavior change should be experienced or percievable with"},{"line_number":158,"context_line":"appropriate permissions granted."},{"line_number":159,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"8124a2e5_8c0b7095","line":156,"range":{"start_line":156,"start_character":22,"end_line":156,"end_character":35},"in_reply_to":"f9c2f173_585d62f7","updated":"2020-12-09 15:33:39.000000000","message":"Ack","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"},{"line_number":155,"context_line":"signaling that an upgraded deployment CAN signify be 
optionally configured"},{"line_number":156,"context_line":"to support Secure RBAC, however no client change is needed nor expected as"},{"line_number":157,"context_line":"no functioanl behavior change should be experienced or percievable with"},{"line_number":158,"context_line":"appropriate permissions granted."},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"System Scope"}],"source_content_type":"text/x-rst","patch_set":2,"id":"525bcb98_c56ff874","line":157,"range":{"start_line":157,"start_character":40,"end_line":157,"end_character":54},"updated":"2020-12-04 20:31:38.000000000","message":"Delete this.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"},{"line_number":155,"context_line":"signaling that an upgraded deployment CAN signify be optionally configured"},{"line_number":156,"context_line":"to support Secure RBAC, however no client change is needed nor expected as"},{"line_number":157,"context_line":"no functioanl behavior change should be experienced or percievable with"},{"line_number":158,"context_line":"appropriate permissions granted."},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"System Scope"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1e5d9f66_9eb1bd63","line":157,"range":{"start_line":157,"start_character":3,"end_line":157,"end_character":13},"updated":"2020-12-04 20:31:38.000000000","message":"functional","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary 
Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"},{"line_number":155,"context_line":"signaling that an upgraded deployment CAN signify be optionally configured"},{"line_number":156,"context_line":"to support Secure RBAC, however no client change is needed nor expected as"},{"line_number":157,"context_line":"no functioanl behavior change should be experienced or percievable with"},{"line_number":158,"context_line":"appropriate permissions granted."},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"System Scope"}],"source_content_type":"text/x-rst","patch_set":2,"id":"35cb522a_ca79b371","line":157,"range":{"start_line":157,"start_character":55,"end_line":157,"end_character":66},"updated":"2020-12-04 20:31:38.000000000","message":"perceivable","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"},{"line_number":155,"context_line":"signaling that an upgraded deployment CAN signify be optionally configured"},{"line_number":156,"context_line":"to support Secure RBAC, however no client change is needed nor expected as"},{"line_number":157,"context_line":"no functioanl behavior change should be experienced or percievable with"},{"line_number":158,"context_line":"appropriate permissions granted."},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"System 
Scope"}],"source_content_type":"text/x-rst","patch_set":2,"id":"719a75fe_04f416f5","line":157,"range":{"start_line":157,"start_character":3,"end_line":157,"end_character":13},"in_reply_to":"1e5d9f66_9eb1bd63","updated":"2020-12-09 15:33:39.000000000","message":"Ack","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"},{"line_number":155,"context_line":"signaling that an upgraded deployment CAN signify be optionally configured"},{"line_number":156,"context_line":"to support Secure RBAC, however no client change is needed nor expected as"},{"line_number":157,"context_line":"no functioanl behavior change should be experienced or percievable with"},{"line_number":158,"context_line":"appropriate permissions granted."},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"System Scope"}],"source_content_type":"text/x-rst","patch_set":2,"id":"613c73a8_a86ddb6d","line":157,"range":{"start_line":157,"start_character":55,"end_line":157,"end_character":66},"in_reply_to":"35cb522a_ca79b371","updated":"2020-12-09 15:33:39.000000000","message":"Ack","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"},{"line_number":155,"context_line":"signaling that an upgraded deployment CAN signify be optionally 
configured"},{"line_number":156,"context_line":"to support Secure RBAC, however no client change is needed nor expected as"},{"line_number":157,"context_line":"no functioanl behavior change should be experienced or percievable with"},{"line_number":158,"context_line":"appropriate permissions granted."},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"System Scope"}],"source_content_type":"text/x-rst","patch_set":2,"id":"69358358_fad37beb","line":157,"range":{"start_line":157,"start_character":40,"end_line":157,"end_character":54},"in_reply_to":"525bcb98_c56ff874","updated":"2020-12-09 15:33:39.000000000","message":"Ack","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"},{"line_number":155,"context_line":"signaling that an upgraded deployment CAN signify be optionally configured"},{"line_number":156,"context_line":"to support Secure RBAC, however no client change is needed nor expected as"},{"line_number":157,"context_line":"no functioanl behavior change should be experienced or percievable with"},{"line_number":158,"context_line":"appropriate permissions granted."},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"System Scope"},{"line_number":161,"context_line":"~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":2,"id":"c6aa0361_56e4ccd3","line":158,"range":{"start_line":157,"start_character":67,"end_line":158,"end_character":31},"updated":"2020-12-04 20:31:38.000000000","message":"What \"appropriate permissions\"? 
Do you mean \"policy defaults\"?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":false,"context_lines":[{"line_number":154,"context_line":"this change will increment the API micro-version to allow for version"},{"line_number":155,"context_line":"signaling that an upgraded deployment CAN signify be optionally configured"},{"line_number":156,"context_line":"to support Secure RBAC, however no client change is needed nor expected as"},{"line_number":157,"context_line":"no functioanl behavior change should be experienced or percievable with"},{"line_number":158,"context_line":"appropriate permissions granted."},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"System Scope"},{"line_number":161,"context_line":"~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":2,"id":"a34c1c85_6e643d5e","line":158,"range":{"start_line":157,"start_character":67,"end_line":158,"end_character":31},"in_reply_to":"c6aa0361_56e4ccd3","updated":"2020-12-09 15:33:39.000000000","message":"Existing behavior. I\u0027ve rewritten the entire paragraph, so hopefully it makes sense.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":164,"context_line":"by the chart in `Proposed Change`_. Existing Admin/Observer roles would be"},{"line_number":165,"context_line":"translated to System-Admin and System-Reader respectively."},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"The addition to this scope is the \"member\" concept. 
The concept of the member"},{"line_number":168,"context_line":"is a user that can *Read* and *Update*, but that cannot *Create* or *Delete*"},{"line_number":169,"context_line":"records. In other words, they can deploy a node, they can update a node, but"},{"line_number":170,"context_line":"they are unable to remove a node. They should be able to attach/detach VIFs,"}],"source_content_type":"text/x-rst","patch_set":2,"id":"f18abced_6115f23e","line":167,"updated":"2020-12-04 20:31:38.000000000","message":"Is \"member\" a role name? That should be qualified here. You may also want to use consistent casing conventions: member -\u003e Member.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"130e4be0d85eecb92ee69c2f5065342dcd6fc500","unresolved":true,"context_lines":[{"line_number":164,"context_line":"by the chart in `Proposed Change`_. Existing Admin/Observer roles would be"},{"line_number":165,"context_line":"translated to System-Admin and System-Reader respectively."},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"The addition to this scope is the \"member\" concept. The concept of the member"},{"line_number":168,"context_line":"is a user that can *Read* and *Update*, but that cannot *Create* or *Delete*"},{"line_number":169,"context_line":"records. In other words, they can deploy a node, they can update a node, but"},{"line_number":170,"context_line":"they are unable to remove a node. They should be able to attach/detach VIFs,"}],"source_content_type":"text/x-rst","patch_set":2,"id":"537c219b_823df2c7","line":167,"in_reply_to":"f18abced_6115f23e","updated":"2020-12-09 15:33:39.000000000","message":"member, is unfortunately a role name and the literal name of it as well. 
Changing to bolded marking.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b440e896cc544f66556db0b77dd26e1b44262bef","unresolved":true,"context_lines":[{"line_number":164,"context_line":"by the chart in `Proposed Change`_. Existing Admin/Observer roles would be"},{"line_number":165,"context_line":"translated to System-Admin and System-Reader respectively."},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"The addition to this scope is the \"member\" concept. The concept of the member"},{"line_number":168,"context_line":"is a user that can *Read* and *Update*, but that cannot *Create* or *Delete*"},{"line_number":169,"context_line":"records. In other words, they can deploy a node, they can update a node, but"},{"line_number":170,"context_line":"they are unable to remove a node. They should be able to attach/detach VIFs,"},{"line_number":171,"context_line":"and ultimately this should be able to be the level of account a"},{"line_number":172,"context_line":"``nova-compute`` service would be configured to leverage to interact"}],"source_content_type":"text/x-rst","patch_set":2,"id":"82603931_e7eace96","line":169,"range":{"start_line":167,"start_character":0,"end_line":169,"end_character":8},"updated":"2020-11-30 21:21:04.000000000","message":"This is totally up to the service. Keystone opted to keep all writable operations isolated to the \u0027admin\u0027 role. So, there isn\u0027t any difference between someone with the member role on the system and someone with the reader role on the system. They\u0027re effectively the same.\n\nWe decided this was the right security approach for keystone, by default. 
If operators decide to offload some administrative functions to system-members, they can supply the override and use the default member role, which still maintains the hierarchical relationship.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"48a78e3744383d12359901ebfee32c53d82f527c","unresolved":true,"context_lines":[{"line_number":164,"context_line":"by the chart in `Proposed Change`_. Existing Admin/Observer roles would be"},{"line_number":165,"context_line":"translated to System-Admin and System-Reader respectively."},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"The addition to this scope is the \"member\" concept. The concept of the member"},{"line_number":168,"context_line":"is a user that can *Read* and *Update*, but that cannot *Create* or *Delete*"},{"line_number":169,"context_line":"records. In other words, they can deploy a node, they can update a node, but"},{"line_number":170,"context_line":"they are unable to remove a node. 
They should be able to attach/detach VIFs,"},{"line_number":171,"context_line":"and ultimately this should be able to be the level of account a"},{"line_number":172,"context_line":"``nova-compute`` service would be configured to leverage to interact"}],"source_content_type":"text/x-rst","patch_set":2,"id":"2371328e_d6ac5900","line":169,"range":{"start_line":167,"start_character":0,"end_line":169,"end_character":8},"in_reply_to":"82603931_e7eace96","updated":"2020-12-01 00:28:58.000000000","message":"I think this spec should reveal some of the wants/needs on the topic.\n\nI think the ideal use would be something like nova\u0027s configuration to talk to ironic would be a member, but not an \"admin\", so in our case should nova become compromised, the attacker can\u0027t create their own nodes or delete nodes.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"95f719bc71c0404b9e7231aa7f03b2d6d94319be","unresolved":true,"context_lines":[{"line_number":168,"context_line":"is a user that can *Read* and *Update*, but that cannot *Create* or *Delete*"},{"line_number":169,"context_line":"records. In other words, they can deploy a node, they can update a node, but"},{"line_number":170,"context_line":"they are unable to remove a node. 
They should be able to attach/detach VIFs,"},{"line_number":171,"context_line":"and ultimately this should be able to be the level of account a"},{"line_number":172,"context_line":"``nova-compute`` service would be configured to leverage to interact"},{"line_number":173,"context_line":"with Ironic."},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"Project Scope"},{"line_number":176,"context_line":"~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":2,"id":"2fc3cec3_e79f1551","line":173,"range":{"start_line":171,"start_character":4,"end_line":173,"end_character":11},"updated":"2020-12-04 20:31:38.000000000","message":"It sounds like this is the real goal of Member. Maybe open with:\n\n\u003e Member is equivalent to the current default set of permissions the nova-compute service has. Member can do \"read\" and \"update\" operations, but can not do \"create\" and \"delete\" operations.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"d16e15d1675b856d07815b175783b5a489d4e5cd","unresolved":true,"context_lines":[{"line_number":171,"context_line":"and ultimately this should be able to be the level of account a"},{"line_number":172,"context_line":"``nova-compute`` service would be configured to leverage to interact"},{"line_number":173,"context_line":"with Ironic."},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"Project Scope"},{"line_number":176,"context_line":"~~~~~~~~~~~~~"},{"line_number":177,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"0d7a52b5_82c13814","line":174,"updated":"2020-12-01 02:41:14.000000000","message":"Do we need to confirm with neutron that a member can create/delete ports if/when they implement RBAC?","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia 
Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"5cf61697419b7de8786580758d5b554696a1e797","unresolved":true,"context_lines":[{"line_number":171,"context_line":"and ultimately this should be able to be the level of account a"},{"line_number":172,"context_line":"``nova-compute`` service would be configured to leverage to interact"},{"line_number":173,"context_line":"with Ironic."},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"Project Scope"},{"line_number":176,"context_line":"~~~~~~~~~~~~~"},{"line_number":177,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"7727d532_d23eba2a","line":174,"in_reply_to":"0d7a52b5_82c13814","updated":"2020-12-01 14:36:46.000000000","message":"We will, same with cinder with regards to volume attachments.\n\nAt worst, I suspect we will end up in a situation where we try to use the user\u0027s credentials... if we still have them and fall back to complete the action. There is a case with Neutron where we already fire up an admin client and a user oriented client because they don\u0027t let users do one of the things we need to do (reset the mac address on a port).\n\nIt occurs to me this will likely become further complicated 😭","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b440e896cc544f66556db0b77dd26e1b44262bef","unresolved":true,"context_lines":[{"line_number":189,"context_line":"Project admins who match ``is_node_lessee`` should not be permitted"},{"line_number":190,"context_line":"the ability to update fields such as ``driver_info``.``"},{"line_number":191,"context_line":""},{"line_number":192,"context_line":".. TODO:: We may wish to evaluate if it is useful to permit updating"},{"line_number":193,"context_line":"   driver info as a project admin. 
Dtantsur thinks, and I agree that this"},{"line_number":194,"context_line":"   is likely highly deployment and operationly specific, and it may be we"},{"line_number":195,"context_line":"   need a knob to govern this behavior."},{"line_number":196,"context_line":""},{"line_number":197,"context_line":"A Project-Member would again be scoped to the appropriate database entries"},{"line_number":198,"context_line":"which apply to their user\u0027s scope. They should be enabled to update fields"}],"source_content_type":"text/x-rst","patch_set":2,"id":"adaa4eda_d4e0c551","line":195,"range":{"start_line":192,"start_character":0,"end_line":195,"end_character":39},"updated":"2020-11-30 21:21:04.000000000","message":"We\u0027ve been very careful in applying project-admin personas to various APIs and resources. Typically, we only apply it if the operation, API, or resource doesn\u0027t expose or require any information that would violate tenancy.\n\nNova has some APIs that would be great to expose to project administrators, but they\u0027re going to microversion their API first to remove any system-specific information from the API before opening it up to project administrators.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"c504e163382b63517078b2809e29da920800dd2b","unresolved":true,"context_lines":[{"line_number":189,"context_line":"Project admins who match ``is_node_lessee`` should not be permitted"},{"line_number":190,"context_line":"the ability to update fields such as ``driver_info``.``"},{"line_number":191,"context_line":""},{"line_number":192,"context_line":".. TODO:: We may wish to evaluate if it is useful to permit updating"},{"line_number":193,"context_line":"   driver info as a project admin. 
Dtantsur thinks, and I agree that this"},{"line_number":194,"context_line":"   is likely highly deployment and operationly specific, and it may be we"},{"line_number":195,"context_line":"   need a knob to govern this behavior."},{"line_number":196,"context_line":""},{"line_number":197,"context_line":"A Project-Member would again be scoped to the appropriate database entries"},{"line_number":198,"context_line":"which apply to their user\u0027s scope. They should be enabled to update fields"}],"source_content_type":"text/x-rst","patch_set":2,"id":"e6395d2a_c102d396","line":195,"range":{"start_line":192,"start_character":0,"end_line":195,"end_character":39},"in_reply_to":"79e4ec20_c8ee663e","updated":"2020-12-01 14:54:51.000000000","message":"Ack","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"48a78e3744383d12359901ebfee32c53d82f527c","unresolved":true,"context_lines":[{"line_number":189,"context_line":"Project admins who match ``is_node_lessee`` should not be permitted"},{"line_number":190,"context_line":"the ability to update fields such as ``driver_info``.``"},{"line_number":191,"context_line":""},{"line_number":192,"context_line":".. TODO:: We may wish to evaluate if it is useful to permit updating"},{"line_number":193,"context_line":"   driver info as a project admin. Dtantsur thinks, and I agree that this"},{"line_number":194,"context_line":"   is likely highly deployment and operationly specific, and it may be we"},{"line_number":195,"context_line":"   need a knob to govern this behavior."},{"line_number":196,"context_line":""},{"line_number":197,"context_line":"A Project-Member would again be scoped to the appropriate database entries"},{"line_number":198,"context_line":"which apply to their user\u0027s scope. 
They should be enabled to update fields"}],"source_content_type":"text/x-rst","patch_set":2,"id":"79e4ec20_c8ee663e","line":195,"range":{"start_line":192,"start_character":0,"end_line":195,"end_character":39},"in_reply_to":"adaa4eda_d4e0c551","updated":"2020-12-01 00:28:58.000000000","message":"I... Think we\u0027re actually in fairly good shape given the use/interaction model of an owner or lessee. I think we could get into trouble if we allowed project admins to be able to create nodes they own. The central authority would remain in the accounts with access scoped to the system.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"d16e15d1675b856d07815b175783b5a489d4e5cd","unresolved":true,"context_lines":[{"line_number":310,"context_line":"    Julia Kreger (TheJulia) \u003cjuliaashleykreger@gmail.com\u003e"},{"line_number":311,"context_line":""},{"line_number":312,"context_line":"Other contributors:"},{"line_number":313,"context_line":"    Any volunteers?"},{"line_number":314,"context_line":""},{"line_number":315,"context_line":"Work Items"},{"line_number":316,"context_line":"----------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"faf0a9e6_c73cd99d","line":313,"updated":"2020-12-01 02:41:14.000000000","message":"I can help if required","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c17b082e5be2272245c6799cb9db50aa31fc862d","unresolved":true,"context_lines":[{"line_number":310,"context_line":"    Julia Kreger (TheJulia) \u003cjuliaashleykreger@gmail.com\u003e"},{"line_number":311,"context_line":""},{"line_number":312,"context_line":"Other contributors:"},{"line_number":313,"context_line":"    Any 
volunteers?"},{"line_number":314,"context_line":""},{"line_number":315,"context_line":"Work Items"},{"line_number":316,"context_line":"----------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"2d32d310_72e3f6c0","line":313,"in_reply_to":"faf0a9e6_c73cd99d","updated":"2020-12-04 23:00:05.000000000","message":"++ I\u0027ll need it.","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"d16e15d1675b856d07815b175783b5a489d4e5cd","unresolved":true,"context_lines":[{"line_number":346,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":347,"context_line":""},{"line_number":348,"context_line":"An CI integration job is anticipated and should be created or one already"},{"line_number":349,"context_line":"leveraged which is utiling the widest configuration of integrated components"},{"line_number":350,"context_line":"to ensure that policies are enforced and this enforcement works across"},{"line_number":351,"context_line":"components. 
Due to the nature and scope of this effort, it may be that"},{"line_number":352,"context_line":"Ironic alone is first setup to scope limit authorizations as other projects"}],"source_content_type":"text/x-rst","patch_set":2,"id":"b0f53af2_90416056","line":349,"range":{"start_line":349,"start_character":19,"end_line":349,"end_character":26},"updated":"2020-12-01 02:41:14.000000000","message":"utilizing","commit_id":"2a55683b66e1c2ff73851a42236d85ddd150b57b"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Role definitions:"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"* admin - This is in essence an administrative user with-in thier operating"},{"line_number":45,"context_line":"          scope. In essence these would be the accounts which. Create/Delete"},{"line_number":46,"context_line":"          $things, and in keystone default configuration, this role implies"},{"line_number":47,"context_line":"          the ``member`` role. 
In an Ironic context, we can think of this user"}],"source_content_type":"text/x-rst","patch_set":5,"id":"609238ba_d4ca4e32","line":44,"range":{"start_line":44,"start_character":60,"end_line":44,"end_character":65},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: the","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Role definitions:"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"* admin - This is in essence an administrative user with-in thier operating"},{"line_number":45,"context_line":"          scope. In essence these would be the accounts which. Create/Delete"},{"line_number":46,"context_line":"          $things, and in keystone default configuration, this role implies"},{"line_number":47,"context_line":"          the ``member`` role. In an Ironic context, we can think of this user"}],"source_content_type":"text/x-rst","patch_set":5,"id":"daf85c3e_a39c30c3","line":44,"range":{"start_line":44,"start_character":60,"end_line":44,"end_character":65},"in_reply_to":"609238ba_d4ca4e32","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":42,"context_line":"Role definitions:"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"* admin - This is in essence an administrative user with-in thier operating"},{"line_number":45,"context_line":"          scope. In essence these would be the accounts which. 
Create/Delete"},{"line_number":46,"context_line":"          $things, and in keystone default configuration, this role implies"},{"line_number":47,"context_line":"          the ``member`` role. In an Ironic context, we can think of this user"},{"line_number":48,"context_line":"          as the infrastucture administrator who is adding their baremetal"}],"source_content_type":"text/x-rst","patch_set":5,"id":"fb62b12d_08829d2b","line":45,"range":{"start_line":45,"start_character":17,"end_line":45,"end_character":27},"updated":"2020-12-09 10:34:41.000000000","message":"In essence, this is the third \u0027in essence\u0027 within 15 lines :)","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":42,"context_line":"Role definitions:"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"* admin - This is in essence an administrative user with-in thier operating"},{"line_number":45,"context_line":"          scope. In essence these would be the accounts which. Create/Delete"},{"line_number":46,"context_line":"          $things, and in keystone default configuration, this role implies"},{"line_number":47,"context_line":"          the ``member`` role. 
In an Ironic context, we can think of this user"},{"line_number":48,"context_line":"          as the infrastucture administrator who is adding their baremetal"}],"source_content_type":"text/x-rst","patch_set":5,"id":"fb25fedc_cb3d4ab7","line":45,"range":{"start_line":45,"start_character":56,"end_line":45,"end_character":76},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: there should not be a \u0027.\u0027 as the sentence continues","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":42,"context_line":"Role definitions:"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"* admin - This is in essence an administrative user with-in thier operating"},{"line_number":45,"context_line":"          scope. In essence these would be the accounts which. Create/Delete"},{"line_number":46,"context_line":"          $things, and in keystone default configuration, this role implies"},{"line_number":47,"context_line":"          the ``member`` role. 
In an Ironic context, we can think of this user"},{"line_number":48,"context_line":"          as the infrastucture administrator who is adding their baremetal"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1b9b45ba_1e9e0dfb","line":45,"range":{"start_line":45,"start_character":56,"end_line":45,"end_character":76},"in_reply_to":"fb25fedc_cb3d4ab7","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":42,"context_line":"Role definitions:"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"* admin - This is in essence an administrative user with-in thier operating"},{"line_number":45,"context_line":"          scope. In essence these would be the accounts which. Create/Delete"},{"line_number":46,"context_line":"          $things, and in keystone default configuration, this role implies"},{"line_number":47,"context_line":"          the ``member`` role. 
In an Ironic context, we can think of this user"},{"line_number":48,"context_line":"          as the infrastucture administrator who is adding their baremetal"}],"source_content_type":"text/x-rst","patch_set":5,"id":"ad3376b6_6be3eca4","line":45,"range":{"start_line":45,"start_character":17,"end_line":45,"end_character":27},"in_reply_to":"fb62b12d_08829d2b","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":55,"context_line":"           Similar to ``admin`` implying ``member``, ``member`` implies"},{"line_number":56,"context_line":"           ``reader``."},{"line_number":57,"context_line":"* reader - This a user which needs to be able to have read-only access."},{"line_number":58,"context_line":"           In essence be able to review the status. 
In a ``system``"},{"line_number":59,"context_line":"           scope it may be a network operations center employee who has"},{"line_number":60,"context_line":"           a business need to be able to observe the status and details."},{"line_number":61,"context_line":"           In a ``project`` scope, this may be someone attempting to account"}],"source_content_type":"text/x-rst","patch_set":5,"id":"0fc168db_4b718db2","line":58,"range":{"start_line":58,"start_character":11,"end_line":58,"end_character":21},"updated":"2020-12-09 10:34:41.000000000","message":":-D","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":55,"context_line":"           Similar to ``admin`` implying ``member``, ``member`` implies"},{"line_number":56,"context_line":"           ``reader``."},{"line_number":57,"context_line":"* reader - This a user which needs to be able to have read-only access."},{"line_number":58,"context_line":"           In essence be able to review the status. 
In a ``system``"},{"line_number":59,"context_line":"           scope it may be a network operations center employee who has"},{"line_number":60,"context_line":"           a business need to be able to observe the status and details."},{"line_number":61,"context_line":"           In a ``project`` scope, this may be someone attempting to account"}],"source_content_type":"text/x-rst","patch_set":5,"id":"b4448f0c_40df292a","line":58,"range":{"start_line":58,"start_character":11,"end_line":58,"end_character":21},"in_reply_to":"0fc168db_4b718db2","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":67,"context_line":".. note:: A future potential is that an ``auditor`` role may exist, but it"},{"line_number":68,"context_line":"   would *not* match readers. Auditors would be read-only in nature, but their"},{"line_number":69,"context_line":"   role would likely allow sensitive values to be unmasked. This has not"},{"line_number":70,"context_line":"   been decided upon, and depending on service could likely be implemented"},{"line_number":71,"context_line":"   manually. 
That being said, this is out of scope of this specification"},{"line_number":72,"context_line":"   document at this time."},{"line_number":73,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"62f6e960_1bdb3454","line":70,"range":{"start_line":70,"start_character":26,"end_line":70,"end_character":46},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: depending on the service (?)","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":67,"context_line":".. note:: A future potential is that an ``auditor`` role may exist, but it"},{"line_number":68,"context_line":"   would *not* match readers. Auditors would be read-only in nature, but their"},{"line_number":69,"context_line":"   role would likely allow sensitive values to be unmasked. This has not"},{"line_number":70,"context_line":"   been decided upon, and depending on service could likely be implemented"},{"line_number":71,"context_line":"   manually. 
That being said, this is out of scope of this specification"},{"line_number":72,"context_line":"   document at this time."},{"line_number":73,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"e5a41a1f_9d94a266","line":70,"range":{"start_line":70,"start_character":26,"end_line":70,"end_character":46},"in_reply_to":"62f6e960_1bdb3454","updated":"2020-12-09 20:26:38.000000000","message":"Clarified, I hope.","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":95,"context_line":"scope delineated access, being ``Keystone`` and ``Nova`` as of the point"},{"line_number":96,"context_line":"in which this specification was authored."},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"Coincidently there is a desire with in from larger OpenStack operators to"},{"line_number":99,"context_line":"have the ability to delineate access. 
In other words permit operations"},{"line_number":100,"context_line":"centers to be able to view status, but not be able to act upon nodes."},{"line_number":101,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"8241018b_b85ac9b1","line":98,"range":{"start_line":98,"start_character":31,"end_line":98,"end_character":38},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: drop?","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":95,"context_line":"scope delineated access, being ``Keystone`` and ``Nova`` as of the point"},{"line_number":96,"context_line":"in which this specification was authored."},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"Coincidently there is a desire with in from larger OpenStack operators to"},{"line_number":99,"context_line":"have the ability to delineate access. 
In other words permit operations"},{"line_number":100,"context_line":"centers to be able to view status, but not be able to act upon nodes."},{"line_number":101,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"a28d1dcc_f796582f","line":98,"range":{"start_line":98,"start_character":31,"end_line":98,"end_character":38},"in_reply_to":"8241018b_b85ac9b1","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":103,"context_line":"enable scope based access restriction, a risk exists that Ironic will"},{"line_number":104,"context_line":"become incompatible with the models attempting to be represented."},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"And thus we must implement support for the delineate scopes, roles, and"},{"line_number":107,"context_line":"ultimately what may be a differing access model for some remote resources."},{"line_number":108,"context_line":"In particular, risk exists with existing integrations as they may grow to"},{"line_number":109,"context_line":"expect only Project scoped requests, and refuse a System scoped member"}],"source_content_type":"text/x-rst","patch_set":5,"id":"219c287e_3cc53177","line":106,"range":{"start_line":106,"start_character":35,"end_line":106,"end_character":52},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: to delineate","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":106,"context_line":"And thus we must implement support for the delineate scopes, roles, 
and"},{"line_number":107,"context_line":"ultimately what may be a differing access model for some remote resources."},{"line_number":108,"context_line":"In particular, risk exists with existing integrations as they may grow to"},{"line_number":109,"context_line":"expect only Project scoped requests, and refuse a System scoped member"},{"line_number":110,"context_line":"member request. These sorts of issues will need to be identified and"},{"line_number":111,"context_line":"appropriately navigated."},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1cdc5f6f_e71a8fcf","line":110,"range":{"start_line":109,"start_character":64,"end_line":110,"end_character":6},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: member member","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":106,"context_line":"And thus we must implement support for the delineate scopes, roles, and"},{"line_number":107,"context_line":"ultimately what may be a differing access model for some remote resources."},{"line_number":108,"context_line":"In particular, risk exists with existing integrations as they may grow to"},{"line_number":109,"context_line":"expect only Project scoped requests, and refuse a System scoped member"},{"line_number":110,"context_line":"member request. 
These sorts of issues will need to be identified and"},{"line_number":111,"context_line":"appropriately navigated."},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":5,"id":"6f0bd9c1_6ce80038","line":110,"range":{"start_line":109,"start_character":64,"end_line":110,"end_character":6},"in_reply_to":"1cdc5f6f_e71a8fcf","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":126,"context_line":"2) Deprecating the previous policies in code which consist of roles"},{"line_number":127,"context_line":"   scoped to the ``baremetal`` project. These should be anticipated to be"},{"line_number":128,"context_line":"   removed at a later point in time."},{"line_number":129,"context_line":"3) Implement explicit testing ensure scopes are handled as we expect."},{"line_number":130,"context_line":"4) Implement Integration testing leveraging the ``oslo.policy`` setting"},{"line_number":131,"context_line":"   to enforece scope restriction to help ensure cross-service compatability"},{"line_number":132,"context_line":"   and potentially having to alter some cross-service interactions to ensure"}],"source_content_type":"text/x-rst","patch_set":5,"id":"37224f19_96ca1d8a","line":129,"range":{"start_line":129,"start_character":3,"end_line":129,"end_character":30},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: Implementing explicit testing to ...","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":126,"context_line":"2) Deprecating the previous policies in code which consist of roles"},{"line_number":127,"context_line":"   scoped to the ``baremetal`` project. These should be anticipated to be"},{"line_number":128,"context_line":"   removed at a later point in time."},{"line_number":129,"context_line":"3) Implement explicit testing ensure scopes are handled as we expect."},{"line_number":130,"context_line":"4) Implement Integration testing leveraging the ``oslo.policy`` setting"},{"line_number":131,"context_line":"   to enforece scope restriction to help ensure cross-service compatability"},{"line_number":132,"context_line":"   and potentially having to alter some cross-service interactions to ensure"}],"source_content_type":"text/x-rst","patch_set":5,"id":"5cb2ec9f_f15aaf9b","line":129,"range":{"start_line":129,"start_character":3,"end_line":129,"end_character":30},"in_reply_to":"37224f19_96ca1d8a","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":127,"context_line":"   scoped to the ``baremetal`` project. 
These should be anticipated to be"},{"line_number":128,"context_line":"   removed at a later point in time."},{"line_number":129,"context_line":"3) Implement explicit testing ensure scopes are handled as we expect."},{"line_number":130,"context_line":"4) Implement Integration testing leveraging the ``oslo.policy`` setting"},{"line_number":131,"context_line":"   to enforece scope restriction to help ensure cross-service compatability"},{"line_number":132,"context_line":"   and potentially having to alter some cross-service interactions to ensure"},{"line_number":133,"context_line":"   requests are appropriately modeled. It should be expected that this may"}],"source_content_type":"text/x-rst","patch_set":5,"id":"0861afc5_34e2c312","line":130,"range":{"start_line":130,"start_character":3,"end_line":130,"end_character":32},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: Implementing integration testing ...","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":127,"context_line":"   scoped to the ``baremetal`` project. These should be anticipated to be"},{"line_number":128,"context_line":"   removed at a later point in time."},{"line_number":129,"context_line":"3) Implement explicit testing ensure scopes are handled as we expect."},{"line_number":130,"context_line":"4) Implement Integration testing leveraging the ``oslo.policy`` setting"},{"line_number":131,"context_line":"   to enforece scope restriction to help ensure cross-service compatability"},{"line_number":132,"context_line":"   and potentially having to alter some cross-service interactions to ensure"},{"line_number":133,"context_line":"   requests are appropriately modeled. 
It should be expected that this may"}],"source_content_type":"text/x-rst","patch_set":5,"id":"40aef910_1a7f75d1","line":130,"range":{"start_line":130,"start_character":3,"end_line":130,"end_character":32},"in_reply_to":"0861afc5_34e2c312","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":128,"context_line":"   removed at a later point in time."},{"line_number":129,"context_line":"3) Implement explicit testing ensure scopes are handled as we expect."},{"line_number":130,"context_line":"4) Implement Integration testing leveraging the ``oslo.policy`` setting"},{"line_number":131,"context_line":"   to enforece scope restriction to help ensure cross-service compatability"},{"line_number":132,"context_line":"   and potentially having to alter some cross-service interactions to ensure"},{"line_number":133,"context_line":"   requests are appropriately modeled. 
It should be expected that this may"},{"line_number":134,"context_line":"   make visible any number of possible issues which will need to be addressed."}],"source_content_type":"text/x-rst","patch_set":5,"id":"5d6bd489_02374022","line":131,"range":{"start_line":131,"start_character":6,"end_line":131,"end_character":14},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: enforce","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":128,"context_line":"   removed at a later point in time."},{"line_number":129,"context_line":"3) Implement explicit testing ensure scopes are handled as we expect."},{"line_number":130,"context_line":"4) Implement Integration testing leveraging the ``oslo.policy`` setting"},{"line_number":131,"context_line":"   to enforece scope restriction to help ensure cross-service compatability"},{"line_number":132,"context_line":"   and potentially having to alter some cross-service interactions to ensure"},{"line_number":133,"context_line":"   requests are appropriately modeled. 
It should be expected that this may"},{"line_number":134,"context_line":"   make visible any number of possible issues which will need to be addressed."}],"source_content_type":"text/x-rst","patch_set":5,"id":"03d634c0_bf169d29","line":131,"range":{"start_line":131,"start_character":6,"end_line":131,"end_character":14},"in_reply_to":"5d6bd489_02374022","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":136,"context_line":"During the deprecation period, operators will continue to be able to leverage"},{"line_number":137,"context_line":"the previous authentication model."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"These new policies would model our existing data model and use however"},{"line_number":140,"context_line":"with scope applied *and* multi-tenant access enabled. 
This will enable"},{"line_number":141,"context_line":"a \"friendly\" default usage path which will still be opt-in unless the node"},{"line_number":142,"context_line":"``owner`` or ``lessee`` field is populated on a node object."}],"source_content_type":"text/x-rst","patch_set":5,"id":"e914645c_f5026d42","line":139,"range":{"start_line":139,"start_character":59,"end_line":139,"end_character":62},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: use, (?)","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":136,"context_line":"During the deprecation period, operators will continue to be able to leverage"},{"line_number":137,"context_line":"the previous authentication model."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"These new policies would model our existing data model and use however"},{"line_number":140,"context_line":"with scope applied *and* multi-tenant access enabled. 
This will enable"},{"line_number":141,"context_line":"a \"friendly\" default usage path which will still be opt-in unless the node"},{"line_number":142,"context_line":"``owner`` or ``lessee`` field is populated on a node object."}],"source_content_type":"text/x-rst","patch_set":5,"id":"be340330_16736db6","line":139,"range":{"start_line":139,"start_character":59,"end_line":139,"end_character":62},"in_reply_to":"e914645c_f5026d42","updated":"2020-12-09 20:26:38.000000000","message":"a little rewording seemed necessary.","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":149,"context_line":"Please consult the `High level matrix`_ for a high level overview as to the"},{"line_number":150,"context_line":"anticipated use model."},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"In order to have a consistant use pattern moving forward, the existing"},{"line_number":153,"context_line":"role definitions of ``baremetal_admin`` and ``baremetal_reader`` will be"},{"line_number":154,"context_line":"be deprecated and rememoved, however they will also not be effective"},{"line_number":155,"context_line":"once the ``[oslo_policy]enforce_scope`` and"}],"source_content_type":"text/x-rst","patch_set":5,"id":"f71aa6a3_5ed8864a","line":152,"range":{"start_line":152,"start_character":19,"end_line":152,"end_character":29},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: consisten","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":149,"context_line":"Please 
consult the `High level matrix`_ for a high level overview as to the"},{"line_number":150,"context_line":"anticipated use model."},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"In order to have a consistant use pattern moving forward, the existing"},{"line_number":153,"context_line":"role definitions of ``baremetal_admin`` and ``baremetal_reader`` will be"},{"line_number":154,"context_line":"be deprecated and rememoved, however they will also not be effective"},{"line_number":155,"context_line":"once the ``[oslo_policy]enforce_scope`` and"}],"source_content_type":"text/x-rst","patch_set":5,"id":"44664f6b_21db39f4","line":152,"range":{"start_line":152,"start_character":19,"end_line":152,"end_character":29},"in_reply_to":"f71aa6a3_5ed8864a","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":151,"context_line":""},{"line_number":152,"context_line":"In order to have a consistant use pattern moving forward, the existing"},{"line_number":153,"context_line":"role definitions of ``baremetal_admin`` and ``baremetal_reader`` will be"},{"line_number":154,"context_line":"be deprecated and rememoved, however they will also not be effective"},{"line_number":155,"context_line":"once the ``[oslo_policy]enforce_scope`` and"},{"line_number":156,"context_line":"``[oslo_policy]enforce_new_defaults`` parameters are set to ``True``."},{"line_number":157,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"96492d3a_0c356bac","line":154,"range":{"start_line":154,"start_character":18,"end_line":154,"end_character":27},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: 
removed","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":151,"context_line":""},{"line_number":152,"context_line":"In order to have a consistant use pattern moving forward, the existing"},{"line_number":153,"context_line":"role definitions of ``baremetal_admin`` and ``baremetal_reader`` will be"},{"line_number":154,"context_line":"be deprecated and rememoved, however they will also not be effective"},{"line_number":155,"context_line":"once the ``[oslo_policy]enforce_scope`` and"},{"line_number":156,"context_line":"``[oslo_policy]enforce_new_defaults`` parameters are set to ``True``."},{"line_number":157,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"a2654e1e_e10f6e30","line":154,"range":{"start_line":154,"start_character":18,"end_line":154,"end_character":27},"in_reply_to":"96492d3a_0c356bac","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":155,"context_line":"once the ``[oslo_policy]enforce_scope`` and"},{"line_number":156,"context_line":"``[oslo_policy]enforce_new_defaults`` parameters are set to ``True``."},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"Above and beyond new policy definitions, and creation of additional tests"},{"line_number":159,"context_line":"will be needed in the ``ironic`` and ``ironic-inspector`` projects to validate"},{"line_number":160,"context_line":"enforcement or appropriate resource denial based upon the 
scope."},{"line_number":161,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"e2dd4005_6d7d3867","line":158,"range":{"start_line":158,"start_character":41,"end_line":158,"end_character":44},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: the","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":155,"context_line":"once the ``[oslo_policy]enforce_scope`` and"},{"line_number":156,"context_line":"``[oslo_policy]enforce_new_defaults`` parameters are set to ``True``."},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"Above and beyond new policy definitions, and creation of additional tests"},{"line_number":159,"context_line":"will be needed in the ``ironic`` and ``ironic-inspector`` projects to validate"},{"line_number":160,"context_line":"enforcement or appropriate resource denial based upon the scope."},{"line_number":161,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"01e11d76_267e763f","line":158,"range":{"start_line":158,"start_character":41,"end_line":158,"end_character":44},"in_reply_to":"e2dd4005_6d7d3867","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":163,"context_line":"that will likely require adjacent/integrated projects to change their policy"},{"line_number":164,"context_line":"enforcement."},{"line_number":165,"context_line":""},{"line_number":166,"context_line":"In terms of ``ironic-inspector`` and it\u0027s API. 
The resulting default policies"},{"line_number":167,"context_line":"for this effort would be entirely system scoped and no other scope is"},{"line_number":168,"context_line":"anticipated to need implementation as the ``ironic-inspector`` is"},{"line_number":169,"context_line":"an purely an admin-only and hardware data collection oriented service."}],"source_content_type":"text/x-rst","patch_set":5,"id":"c5e7b39a_073b4a3c","line":166,"range":{"start_line":166,"start_character":42,"end_line":166,"end_character":50},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: API, the ...","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":163,"context_line":"that will likely require adjacent/integrated projects to change their policy"},{"line_number":164,"context_line":"enforcement."},{"line_number":165,"context_line":""},{"line_number":166,"context_line":"In terms of ``ironic-inspector`` and it\u0027s API. 
The resulting default policies"},{"line_number":167,"context_line":"for this effort would be entirely system scoped and no other scope is"},{"line_number":168,"context_line":"anticipated to need implementation as the ``ironic-inspector`` is"},{"line_number":169,"context_line":"an purely an admin-only and hardware data collection oriented service."}],"source_content_type":"text/x-rst","patch_set":5,"id":"a3616557_dc3e2741","line":166,"range":{"start_line":166,"start_character":42,"end_line":166,"end_character":50},"in_reply_to":"c5e7b39a_073b4a3c","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":175,"context_line":""},{"line_number":176,"context_line":"* `is_node_owner` - When the API consumer\u0027s project ID value is populated in"},{"line_number":177,"context_line":"                    the Ironic node object\u0027s ``owner`` field. 
This represents"},{"line_number":178,"context_line":"                    they are the authoratative"},{"line_number":179,"context_line":"                    `owner \u003chttps://specs.openstack.org/openstack/ironic-specs/specs/approved/node-owner-policy.html\u003e`_"},{"line_number":180,"context_line":"                    of the baremetal node."},{"line_number":181,"context_line":"* `is_node_lessee` - When the API consumer\u0027s project ID value is populated in"}],"source_content_type":"text/x-rst","patch_set":5,"id":"98aa4dd7_4d063453","line":178,"range":{"start_line":178,"start_character":33,"end_line":178,"end_character":46},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: authoritative","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":175,"context_line":""},{"line_number":176,"context_line":"* `is_node_owner` - When the API consumer\u0027s project ID value is populated in"},{"line_number":177,"context_line":"                    the Ironic node object\u0027s ``owner`` field. 
This represents"},{"line_number":178,"context_line":"                    they are the authoratative"},{"line_number":179,"context_line":"                    `owner \u003chttps://specs.openstack.org/openstack/ironic-specs/specs/approved/node-owner-policy.html\u003e`_"},{"line_number":180,"context_line":"                    of the baremetal node."},{"line_number":181,"context_line":"* `is_node_lessee` - When the API consumer\u0027s project ID value is populated in"}],"source_content_type":"text/x-rst","patch_set":5,"id":"9dcbf6e0_c0fb90c4","line":178,"range":{"start_line":178,"start_character":33,"end_line":178,"end_character":46},"in_reply_to":"98aa4dd7_4d063453","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":189,"context_line":"| Role        | System Scope         | Project Scope                         |"},{"line_number":190,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":191,"context_line":"| admin       | Effectively the same | Project ``admin`` able to have        |"},{"line_number":192,"context_line":"|             | as the existing      | equivlent access to the API as        |"},{"line_number":193,"context_line":"|             | \"baremetal_admin\"    | ``system`` scoped ``member`` with a   |"},{"line_number":194,"context_line":"|             | role.                | filtered view matching `is_node_owner`|"},{"line_number":195,"context_line":"|             |                      | ``owner`` field updates are blocked.  
|"}],"source_content_type":"text/x-rst","patch_set":5,"id":"8a99eb3c_16720d2f","line":192,"range":{"start_line":192,"start_character":39,"end_line":192,"end_character":48},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: equivalent","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":189,"context_line":"| Role        | System Scope         | Project Scope                         |"},{"line_number":190,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":191,"context_line":"| admin       | Effectively the same | Project ``admin`` able to have        |"},{"line_number":192,"context_line":"|             | as the existing      | equivlent access to the API as        |"},{"line_number":193,"context_line":"|             | \"baremetal_admin\"    | ``system`` scoped ``member`` with a   |"},{"line_number":194,"context_line":"|             | role.                | filtered view matching `is_node_owner`|"},{"line_number":195,"context_line":"|             |                      | ``owner`` field updates are blocked.  |"}],"source_content_type":"text/x-rst","patch_set":5,"id":"b8712bd5_55824ba6","line":192,"range":{"start_line":192,"start_character":39,"end_line":192,"end_character":48},"in_reply_to":"8a99eb3c_16720d2f","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":201,"context_line":"|             | nodes.               
| exception of the ``owner`` and        |"},{"line_number":202,"context_line":"|             |                      | ``lessee`` fields.                    |"},{"line_number":203,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":204,"context_line":"| reader      | Effectively the same | This is a read-only, user concept     |"},{"line_number":205,"context_line":"|             | as the existing      | where a project ``reader`` would be   |"},{"line_number":206,"context_line":"|             | \"baremetal_observer\" | able to view a node if                |"},{"line_number":207,"context_line":"|             |                      | `is_node_owner` or `is_node_lesse`    |"}],"source_content_type":"text/x-rst","patch_set":5,"id":"d28d838f_86d90687","line":204,"range":{"start_line":204,"start_character":49,"end_line":204,"end_character":59},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: read-only (no comma)","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":201,"context_line":"|             | nodes.               | exception of the ``owner`` and        |"},{"line_number":202,"context_line":"|             |                      | ``lessee`` fields.                    
|"},{"line_number":203,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":204,"context_line":"| reader      | Effectively the same | This is a read-only, user concept     |"},{"line_number":205,"context_line":"|             | as the existing      | where a project ``reader`` would be   |"},{"line_number":206,"context_line":"|             | \"baremetal_observer\" | able to view a node if                |"},{"line_number":207,"context_line":"|             |                      | `is_node_owner` or `is_node_lesse`    |"}],"source_content_type":"text/x-rst","patch_set":5,"id":"d3082f6c_01791d04","line":204,"range":{"start_line":204,"start_character":49,"end_line":204,"end_character":59},"in_reply_to":"d28d838f_86d90687","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":204,"context_line":"| reader      | Effectively the same | This is a read-only, user concept     |"},{"line_number":205,"context_line":"|             | as the existing      | where a project ``reader`` would be   |"},{"line_number":206,"context_line":"|             | \"baremetal_observer\" | able to view a node if                |"},{"line_number":207,"context_line":"|             |                      | `is_node_owner` or `is_node_lesse`    |"},{"line_number":208,"context_line":"|             |                      | applies.                              
|"},{"line_number":209,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":210,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"ee80fae5_a71e5ab0","line":207,"range":{"start_line":207,"start_character":59,"end_line":207,"end_character":72},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: is_node_lessee","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":204,"context_line":"| reader      | Effectively the same | This is a read-only, user concept     |"},{"line_number":205,"context_line":"|             | as the existing      | where a project ``reader`` would be   |"},{"line_number":206,"context_line":"|             | \"baremetal_observer\" | able to view a node if                |"},{"line_number":207,"context_line":"|             |                      | `is_node_owner` or `is_node_lesse`    |"},{"line_number":208,"context_line":"|             |                      | applies.                              
|"},{"line_number":209,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":210,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"fd81c329_639c253e","line":207,"range":{"start_line":207,"start_character":59,"end_line":207,"end_character":72},"in_reply_to":"ee80fae5_a71e5ab0","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":211,"context_line":".. note:: An ``auditor`` role has not been proposed in this work, but *does*"},{"line_number":212,"context_line":"   make eventual sense in the long term, and should be logically considered as"},{"line_number":213,"context_line":"   reader does not equal an auditor in role. The concept for ``auditor`` would"},{"line_number":214,"context_line":"   expect to allow secrets such as masked fields to be, unmasked."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":".. note:: Some role/scope combinations may be combined in discussions and"},{"line_number":217,"context_line":"   communication in a {scope}-{role} format. This is effectively the persona"}],"source_content_type":"text/x-rst","patch_set":5,"id":"22ee3804_17a72b06","line":214,"range":{"start_line":214,"start_character":52,"end_line":214,"end_character":55},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: be (no comma)","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":211,"context_line":".. 
note:: An ``auditor`` role has not been proposed in this work, but *does*"},{"line_number":212,"context_line":"   make eventual sense in the long term, and should be logically considered as"},{"line_number":213,"context_line":"   reader does not equal an auditor in role. The concept for ``auditor`` would"},{"line_number":214,"context_line":"   expect to allow secrets such as masked fields to be, unmasked."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":".. note:: Some role/scope combinations may be combined in discussions and"},{"line_number":217,"context_line":"   communication in a {scope}-{role} format. This is effectively the persona"}],"source_content_type":"text/x-rst","patch_set":5,"id":"503772c2_09261ab6","line":214,"range":{"start_line":214,"start_character":52,"end_line":214,"end_character":55},"in_reply_to":"22ee3804_17a72b06","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":246,"context_line":"around an upgrade. 
This is unrelated to policy enforcement specifics which"},{"line_number":247,"context_line":"cannot be permitted to be visible via the API surface."},{"line_number":248,"context_line":""},{"line_number":249,"context_line":"End API user behavior is not anticipated to be changged, howeve with scope"},{"line_number":250,"context_line":"enforcement set in ``oslo.policy``, an appropriately scoped user will be"},{"line_number":251,"context_line":"required."},{"line_number":252,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"2651d402_621695a3","line":249,"range":{"start_line":249,"start_character":47,"end_line":249,"end_character":55},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: changed","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":246,"context_line":"around an upgrade. 
This is unrelated to policy enforcement specifics which"},{"line_number":247,"context_line":"cannot be permitted to be visible via the API surface."},{"line_number":248,"context_line":""},{"line_number":249,"context_line":"End API user behavior is not anticipated to be changged, howeve with scope"},{"line_number":250,"context_line":"enforcement set in ``oslo.policy``, an appropriately scoped user will be"},{"line_number":251,"context_line":"required."},{"line_number":252,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"6295b83f_7883dfc5","line":249,"range":{"start_line":249,"start_character":57,"end_line":249,"end_character":63},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: however","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":246,"context_line":"around an upgrade. 
This is unrelated to policy enforcement specifics which"},{"line_number":247,"context_line":"cannot be permitted to be visible via the API surface."},{"line_number":248,"context_line":""},{"line_number":249,"context_line":"End API user behavior is not anticipated to be changged, howeve with scope"},{"line_number":250,"context_line":"enforcement set in ``oslo.policy``, an appropriately scoped user will be"},{"line_number":251,"context_line":"required."},{"line_number":252,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"a89d8120_0cf7a9f4","line":249,"range":{"start_line":249,"start_character":47,"end_line":249,"end_character":55},"in_reply_to":"2651d402_621695a3","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":246,"context_line":"around an upgrade. 
This is unrelated to policy enforcement specifics which"},{"line_number":247,"context_line":"cannot be permitted to be visible via the API surface."},{"line_number":248,"context_line":""},{"line_number":249,"context_line":"End API user behavior is not anticipated to be changged, howeve with scope"},{"line_number":250,"context_line":"enforcement set in ``oslo.policy``, an appropriately scoped user will be"},{"line_number":251,"context_line":"required."},{"line_number":252,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"add575c7_b279f562","line":249,"range":{"start_line":249,"start_character":57,"end_line":249,"end_character":63},"in_reply_to":"6295b83f_7883dfc5","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":264,"context_line":"attach/detach VIFs, and ultimately this should be able to be the rights"},{"line_number":265,"context_line":"granted to the service account used by the ``nova-compute`` process."},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"A user with a system scope of any valid role type should be anticipated as"},{"line_number":268,"context_line":"having full API surface visibility with exception of the special purpose"},{"line_number":269,"context_line":"``/v1/lookup`` and ``/v1/heartbeat`` endpoints."},{"line_number":270,"context_line":""},{"line_number":271,"context_line":".. 
TODO:: Follow-up with neutron regarding port attach/detach."},{"line_number":272,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"c8c634d4_7a58a1c7","line":269,"range":{"start_line":267,"start_character":0,"end_line":269,"end_character":47},"updated":"2020-12-09 10:34:41.000000000","message":"How would the use case of listing uninstantiated nodes assigned to a given project be done? FWIU, lessee should only be set once there is an instance ...","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":264,"context_line":"attach/detach VIFs, and ultimately this should be able to be the rights"},{"line_number":265,"context_line":"granted to the service account used by the ``nova-compute`` process."},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"A user with a system scope of any valid role type should be anticipated as"},{"line_number":268,"context_line":"having full API surface visibility with exception of the special purpose"},{"line_number":269,"context_line":"``/v1/lookup`` and ``/v1/heartbeat`` endpoints."},{"line_number":270,"context_line":""},{"line_number":271,"context_line":".. TODO:: Follow-up with neutron regarding port attach/detach."},{"line_number":272,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"ff4c2c9d_30657c4f","line":269,"range":{"start_line":267,"start_character":0,"end_line":269,"end_character":47},"in_reply_to":"c8c634d4_7a58a1c7","updated":"2020-12-09 20:26:38.000000000","message":"That is covered by the project scope below. 
Adding a little clarification.","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":277,"context_line":"Project Scope"},{"line_number":278,"context_line":"~~~~~~~~~~~~~"},{"line_number":279,"context_line":""},{"line_number":280,"context_line":"The Project scoped restrictions in the ecure RBAC model are dramatically"},{"line_number":281,"context_line":"different, however precedent already exists with the addition of the"},{"line_number":282,"context_line":"`is_node_owner` and `is_node_lessee`."},{"line_number":283,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"51d8fdc3_dc2a0184","line":280,"range":{"start_line":280,"start_character":39,"end_line":280,"end_character":44},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: secure","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":277,"context_line":"Project Scope"},{"line_number":278,"context_line":"~~~~~~~~~~~~~"},{"line_number":279,"context_line":""},{"line_number":280,"context_line":"The Project scoped restrictions in the ecure RBAC model are dramatically"},{"line_number":281,"context_line":"different, however precedent already exists with the addition of the"},{"line_number":282,"context_line":"`is_node_owner` and 
`is_node_lessee`."},{"line_number":283,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"fc4d86b9_bac7c98c","line":280,"range":{"start_line":280,"start_character":39,"end_line":280,"end_character":44},"in_reply_to":"51d8fdc3_dc2a0184","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":279,"context_line":""},{"line_number":280,"context_line":"The Project scoped restrictions in the ecure RBAC model are dramatically"},{"line_number":281,"context_line":"different, however precedent already exists with the addition of the"},{"line_number":282,"context_line":"`is_node_owner` and `is_node_lessee`."},{"line_number":283,"context_line":""},{"line_number":284,"context_line":"API consumers seeking to ``GET`` resources in the project scope would only be"},{"line_number":285,"context_line":"able to view resources which match the ``is_node_owner`` and"}],"source_content_type":"text/x-rst","patch_set":5,"id":"305102cd_5bbb7c23","line":282,"range":{"start_line":282,"start_character":36,"end_line":282,"end_character":37},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: fields (?)","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":279,"context_line":""},{"line_number":280,"context_line":"The Project scoped restrictions in the ecure RBAC model are dramatically"},{"line_number":281,"context_line":"different, however precedent already exists with the addition of 
the"},{"line_number":282,"context_line":"`is_node_owner` and `is_node_lessee`."},{"line_number":283,"context_line":""},{"line_number":284,"context_line":"API consumers seeking to ``GET`` resources in the project scope would only be"},{"line_number":285,"context_line":"able to view resources which match the ``is_node_owner`` and"}],"source_content_type":"text/x-rst","patch_set":5,"id":"2116e8ef_808dcced","line":282,"range":{"start_line":282,"start_character":36,"end_line":282,"end_character":37},"in_reply_to":"305102cd_5bbb7c23","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":286,"context_line":"``is_node_lessee``."},{"line_number":287,"context_line":""},{"line_number":288,"context_line":"In this case, a Project-Admin would have similar rights to a System-Member"},{"line_number":289,"context_line":"where they would be able to Update hardware focused fields such as"},{"line_number":290,"context_line":"``driver_info``, however only if ``is_node_owner`` matches."},{"line_number":291,"context_line":"Project admins who match ``is_node_lessee`` should not be permitted"},{"line_number":292,"context_line":"the ability to update fields such as ``driver_info``.``"}],"source_content_type":"text/x-rst","patch_set":5,"id":"0ab4e175_0196d7e1","line":289,"range":{"start_line":289,"start_character":28,"end_line":289,"end_character":35},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: update","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":286,"context_line":"``is_node_lessee``."},{"line_number":287,"context_line":""},{"line_number":288,"context_line":"In this case, a Project-Admin would have similar rights to a System-Member"},{"line_number":289,"context_line":"where they would be able to Update hardware focused fields such as"},{"line_number":290,"context_line":"``driver_info``, however only if ``is_node_owner`` matches."},{"line_number":291,"context_line":"Project admins who match ``is_node_lessee`` should not be permitted"},{"line_number":292,"context_line":"the ability to update fields such as ``driver_info``.``"}],"source_content_type":"text/x-rst","patch_set":5,"id":"d96c5fd7_01da605d","line":289,"range":{"start_line":289,"start_character":28,"end_line":289,"end_character":35},"in_reply_to":"0ab4e175_0196d7e1","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":289,"context_line":"where they would be able to Update hardware focused fields such as"},{"line_number":290,"context_line":"``driver_info``, however only if ``is_node_owner`` matches."},{"line_number":291,"context_line":"Project admins who match ``is_node_lessee`` should not be permitted"},{"line_number":292,"context_line":"the ability to update fields such as ``driver_info``.``"},{"line_number":293,"context_line":""},{"line_number":294,"context_line":".. TODO:: We may wish to evaluate if it is useful to permit updating"},{"line_number":295,"context_line":"   driver info as a project admin. 
Dtantsur thinks, and I agree that this"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1199de79_db96971d","line":292,"range":{"start_line":292,"start_character":53,"end_line":292,"end_character":55},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: drop (?)","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":289,"context_line":"where they would be able to Update hardware focused fields such as"},{"line_number":290,"context_line":"``driver_info``, however only if ``is_node_owner`` matches."},{"line_number":291,"context_line":"Project admins who match ``is_node_lessee`` should not be permitted"},{"line_number":292,"context_line":"the ability to update fields such as ``driver_info``.``"},{"line_number":293,"context_line":""},{"line_number":294,"context_line":".. TODO:: We may wish to evaluate if it is useful to permit updating"},{"line_number":295,"context_line":"   driver info as a project admin. Dtantsur thinks, and I agree that this"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3a627b63_0bcd7352","line":292,"range":{"start_line":292,"start_character":53,"end_line":292,"end_character":55},"in_reply_to":"1199de79_db96971d","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":292,"context_line":"the ability to update fields such as ``driver_info``.``"},{"line_number":293,"context_line":""},{"line_number":294,"context_line":".. 
TODO:: We may wish to evaluate if it is useful to permit updating"},{"line_number":295,"context_line":"   driver info as a project admin. Dtantsur thinks, and I agree that this"},{"line_number":296,"context_line":"   is likely highly deployment and operationly specific, and it may be we"},{"line_number":297,"context_line":"   need a knob to govern this behavior."},{"line_number":298,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"489ea1cc_81c4c9f0","line":295,"range":{"start_line":295,"start_character":3,"end_line":295,"end_character":14},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: ``driver_info``","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":292,"context_line":"the ability to update fields such as ``driver_info``.``"},{"line_number":293,"context_line":""},{"line_number":294,"context_line":".. TODO:: We may wish to evaluate if it is useful to permit updating"},{"line_number":295,"context_line":"   driver info as a project admin. 
Dtantsur thinks, and I agree that this"},{"line_number":296,"context_line":"   is likely highly deployment and operationly specific, and it may be we"},{"line_number":297,"context_line":"   need a knob to govern this behavior."},{"line_number":298,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"eb5b09b9_f732bc52","line":295,"range":{"start_line":295,"start_character":3,"end_line":295,"end_character":14},"in_reply_to":"489ea1cc_81c4c9f0","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":303,"context_line":""},{"line_number":304,"context_line":"VIFs being set will need to have some additional code to perform an access"},{"line_number":305,"context_line":"rights verification to ensure that a project member is attempting to bind"},{"line_number":306,"context_line":"to a vif which matches their node ownership and their user\u0027s entry, or the"},{"line_number":307,"context_line":"value of the lessee field and that requesting user\u0027s project."},{"line_number":308,"context_line":""},{"line_number":309,"context_line":"With the physical nature of assets, project scoped users are unable to"}],"source_content_type":"text/x-rst","patch_set":5,"id":"4f433a77_7a12efd8","line":306,"range":{"start_line":306,"start_character":4,"end_line":306,"end_character":9},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: VIF","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":303,"context_line":""},{"line_number":304,"context_line":"VIFs being set will need to have some additional code to perform an access"},{"line_number":305,"context_line":"rights verification to ensure that a project member is attempting to bind"},{"line_number":306,"context_line":"to a vif which matches their node ownership and their user\u0027s entry, or the"},{"line_number":307,"context_line":"value of the lessee field and that requesting user\u0027s project."},{"line_number":308,"context_line":""},{"line_number":309,"context_line":"With the physical nature of assets, project scoped users are unable to"}],"source_content_type":"text/x-rst","patch_set":5,"id":"94975e99_05a6442f","line":306,"range":{"start_line":306,"start_character":4,"end_line":306,"end_character":9},"in_reply_to":"4f433a77_7a12efd8","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":310,"context_line":"create or delete any records."},{"line_number":311,"context_line":""},{"line_number":312,"context_line":"Project scoped readers, again would only have a limited field view"},{"line_number":313,"context_line":"with the associated ``is_node_lessee`` or ``is_node_owner``"},{"line_number":314,"context_line":""},{"line_number":315,"context_line":"Endpoint Access Rights"},{"line_number":316,"context_line":"~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":5,"id":"a188299d_1b78bad4","line":313,"range":{"start_line":313,"start_character":57,"end_line":313,"end_character":59},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: ``. 
(add .)","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":310,"context_line":"create or delete any records."},{"line_number":311,"context_line":""},{"line_number":312,"context_line":"Project scoped readers, again would only have a limited field view"},{"line_number":313,"context_line":"with the associated ``is_node_lessee`` or ``is_node_owner``"},{"line_number":314,"context_line":""},{"line_number":315,"context_line":"Endpoint Access Rights"},{"line_number":316,"context_line":"~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":5,"id":"614bf65b_672b3946","line":313,"range":{"start_line":313,"start_character":57,"end_line":313,"end_character":59},"in_reply_to":"a188299d_1b78bad4","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":381,"context_line":"| /v1/heartbeat                      | No, Agent reserved endpoint.           |"},{"line_number":382,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":383,"context_line":""},{"line_number":384,"context_line":".. TODO:: Do we want Project Admins to be able to change traits?"},{"line_number":385,"context_line":"          Resource class?"},{"line_number":386,"context_line":"          What about Project Members?"},{"line_number":387,"context_line":""},{"line_number":388,"context_line":".. 
WARNING:: Port support will require removal of legacy neutron port"},{"line_number":389,"context_line":"             attachment through ``port.extra[\u0027vif_port_id\u0027]```"}],"source_content_type":"text/x-rst","patch_set":5,"id":"db91a746_9d61bd11","line":386,"range":{"start_line":384,"start_character":10,"end_line":386,"end_character":37},"updated":"2020-12-09 10:34:41.000000000","message":"I don\u0027t think so: do project admins change the underlying hardware config?","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":true,"context_lines":[{"line_number":381,"context_line":"| /v1/heartbeat                      | No, Agent reserved endpoint.           |"},{"line_number":382,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":383,"context_line":""},{"line_number":384,"context_line":".. TODO:: Do we want Project Admins to be able to change traits?"},{"line_number":385,"context_line":"          Resource class?"},{"line_number":386,"context_line":"          What about Project Members?"},{"line_number":387,"context_line":""},{"line_number":388,"context_line":".. WARNING:: Port support will require removal of legacy neutron port"},{"line_number":389,"context_line":"             attachment through ``port.extra[\u0027vif_port_id\u0027]```"}],"source_content_type":"text/x-rst","patch_set":5,"id":"f04724ca_2f780ed3","line":386,"range":{"start_line":384,"start_character":10,"end_line":386,"end_character":37},"in_reply_to":"db91a746_9d61bd11","updated":"2020-12-09 20:26:38.000000000","message":"If they are listed as the owners? 
Maybe?!?","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":386,"context_line":"          What about Project Members?"},{"line_number":387,"context_line":""},{"line_number":388,"context_line":".. WARNING:: Port support will require removal of legacy neutron port"},{"line_number":389,"context_line":"             attachment through ``port.extra[\u0027vif_port_id\u0027]```"},{"line_number":390,"context_line":""},{"line_number":391,"context_line":".. TODO:: Portgroups and ports, should they be read-only? Should project"},{"line_number":392,"context_line":"          Project admins or members be able to write them."}],"source_content_type":"text/x-rst","patch_set":5,"id":"9e681571_0c76dda9","line":389,"range":{"start_line":389,"start_character":59,"end_line":389,"end_character":62},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: `` (not ```)","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":386,"context_line":"          What about Project Members?"},{"line_number":387,"context_line":""},{"line_number":388,"context_line":".. WARNING:: Port support will require removal of legacy neutron port"},{"line_number":389,"context_line":"             attachment through ``port.extra[\u0027vif_port_id\u0027]```"},{"line_number":390,"context_line":""},{"line_number":391,"context_line":".. TODO:: Portgroups and ports, should they be read-only? 
Should project"},{"line_number":392,"context_line":"          Project admins or members be able to write them."}],"source_content_type":"text/x-rst","patch_set":5,"id":"b01417c0_3ec73fcb","line":389,"range":{"start_line":389,"start_character":59,"end_line":389,"end_character":62},"in_reply_to":"9e681571_0c76dda9","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":390,"context_line":""},{"line_number":391,"context_line":".. TODO:: Portgroups and ports, should they be read-only? Should project"},{"line_number":392,"context_line":"          Project admins or members be able to write them."},{"line_number":393,"context_line":"          Julia thinks they should remain read-only resources."},{"line_number":394,"context_line":""},{"line_number":395,"context_line":"Node object field restrictions"},{"line_number":396,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":5,"id":"4f3273fc_af3ec824","line":393,"range":{"start_line":393,"start_character":10,"end_line":393,"end_character":62},"updated":"2020-12-09 10:34:41.000000000","message":"I agree.","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":390,"context_line":""},{"line_number":391,"context_line":".. TODO:: Portgroups and ports, should they be read-only? 
Should project"},{"line_number":392,"context_line":"          Project admins or members be able to write them."},{"line_number":393,"context_line":"          Julia thinks they should remain read-only resources."},{"line_number":394,"context_line":""},{"line_number":395,"context_line":"Node object field restrictions"},{"line_number":396,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":5,"id":"44355b62_72988f1c","line":393,"range":{"start_line":393,"start_character":10,"end_line":393,"end_character":62},"in_reply_to":"4f3273fc_af3ec824","updated":"2020-12-09 20:26:38.000000000","message":"Added as a note.","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":406,"context_line":"fault - Read/Write"},{"line_number":407,"context_line":"last_error - ???"},{"line_number":408,"context_line":".. TODO:: The issue with ``last_error`` is that it can leak infrastructure hostnames of conductors, bmcs, etc. For BMaaS, it might make sense?"},{"line_number":409,"context_line":"reservation - Returned as a True/False for project users. 
"},{"line_number":410,"context_line":"driver - Read-Only"},{"line_number":411,"context_line":"driver_info - Hidden from view???"},{"line_number":412,"context_line":"driver_internal_info - Hidden from view???"}],"source_content_type":"text/x-rst","patch_set":5,"id":"93abeaf0_4fa05f95","line":409,"range":{"start_line":409,"start_character":57,"end_line":409,"end_character":58},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: additional blank","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":406,"context_line":"fault - Read/Write"},{"line_number":407,"context_line":"last_error - ???"},{"line_number":408,"context_line":".. TODO:: The issue with ``last_error`` is that it can leak infrastructure hostnames of conductors, bmcs, etc. For BMaaS, it might make sense?"},{"line_number":409,"context_line":"reservation - Returned as a True/False for project users. "},{"line_number":410,"context_line":"driver - Read-Only"},{"line_number":411,"context_line":"driver_info - Hidden from view???"},{"line_number":412,"context_line":"driver_internal_info - Hidden from view???"}],"source_content_type":"text/x-rst","patch_set":5,"id":"c409ab30_a01d51d9","line":409,"range":{"start_line":409,"start_character":57,"end_line":409,"end_character":58},"in_reply_to":"93abeaf0_4fa05f95","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":478,"context_line":"At this time, no impact to the RPC API is anticipated. 
That being said"},{"line_number":479,"context_line":"the possibility does exist, given the nature of the security changes,"},{"line_number":480,"context_line":"some changes may be required should an additional argument be required."},{"line_number":481,"context_line":"Existing patterns already exist for this and any such changes would"},{"line_number":482,"context_line":"navigated with the existing rpc version maximum and pin capability."},{"line_number":483,"context_line":""},{"line_number":484,"context_line":"Driver API impact"}],"source_content_type":"text/x-rst","patch_set":5,"id":"9a82bded_6fdb21cf","line":481,"range":{"start_line":481,"start_character":62,"end_line":481,"end_character":67},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: would be","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":478,"context_line":"At this time, no impact to the RPC API is anticipated. 
That being said"},{"line_number":479,"context_line":"the possibility does exist, given the nature of the security changes,"},{"line_number":480,"context_line":"some changes may be required should an additional argument be required."},{"line_number":481,"context_line":"Existing patterns already exist for this and any such changes would"},{"line_number":482,"context_line":"navigated with the existing rpc version maximum and pin capability."},{"line_number":483,"context_line":""},{"line_number":484,"context_line":"Driver API impact"}],"source_content_type":"text/x-rst","patch_set":5,"id":"963ee5b4_8932f896","line":481,"range":{"start_line":481,"start_character":62,"end_line":481,"end_character":67},"in_reply_to":"9a82bded_6fdb21cf","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":490,"context_line":"------------------"},{"line_number":491,"context_line":""},{"line_number":492,"context_line":"We may wish to go ahead and establish the ability for nova to store the"},{"line_number":493,"context_line":"user\u0027s project ID in the node ``lessee`` field. This would allow more"},{"line_number":494,"context_line":"\"natural\" use patterns and allow users to be able to leverage aspects"},{"line_number":495,"context_line":"like power operations or reboot or possibly even rebuild."},{"line_number":496,"context_line":""},{"line_number":497,"context_line":".. TODO:: We should discuss this further. 
It likely just ought to be a"},{"line_number":498,"context_line":"   knob for nova-compute with the Ironic virt driver."}],"source_content_type":"text/x-rst","patch_set":5,"id":"76453612_290e9ad6","line":495,"range":{"start_line":493,"start_character":48,"end_line":495,"end_character":57},"updated":"2020-12-09 10:34:41.000000000","message":"Allow within this new model you mean, right?","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":true,"context_lines":[{"line_number":490,"context_line":"------------------"},{"line_number":491,"context_line":""},{"line_number":492,"context_line":"We may wish to go ahead and establish the ability for nova to store the"},{"line_number":493,"context_line":"user\u0027s project ID in the node ``lessee`` field. This would allow more"},{"line_number":494,"context_line":"\"natural\" use patterns and allow users to be able to leverage aspects"},{"line_number":495,"context_line":"like power operations or reboot or possibly even rebuild."},{"line_number":496,"context_line":""},{"line_number":497,"context_line":".. TODO:: We should discuss this further. 
It likely just ought to be a"},{"line_number":498,"context_line":"   knob for nova-compute with the Ironic virt driver."}],"source_content_type":"text/x-rst","patch_set":5,"id":"267684bc_a6c856a4","line":495,"range":{"start_line":493,"start_character":48,"end_line":495,"end_character":57},"in_reply_to":"76453612_290e9ad6","updated":"2020-12-09 20:26:38.000000000","message":"Provided more context, but yes.","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":511,"context_line":"where greater delineation exists between roles."},{"line_number":512,"context_line":""},{"line_number":513,"context_line":"In a sense, this becomes an intentional operating mode behavior difference"},{"line_number":514,"context_line":"and thus the overall while the effort should result in ability to have far"},{"line_number":515,"context_line":"more secure environemnts, that is still dependent upon the configuration"},{"line_number":516,"context_line":"which the environment is setup with."},{"line_number":517,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"15f209df_13e2d2c7","line":514,"range":{"start_line":514,"start_character":52,"end_line":514,"end_character":62},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: in the ability (?)","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":511,"context_line":"where greater delineation exists between roles."},{"line_number":512,"context_line":""},{"line_number":513,"context_line":"In a sense, this becomes an intentional operating mode behavior 
difference"},{"line_number":514,"context_line":"and thus the overall while the effort should result in ability to have far"},{"line_number":515,"context_line":"more secure environemnts, that is still dependent upon the configuration"},{"line_number":516,"context_line":"which the environment is setup with."},{"line_number":517,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"f2d7ab08_db63e4c0","line":514,"range":{"start_line":514,"start_character":9,"end_line":514,"end_character":37},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: while the overall effort","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":true,"context_lines":[{"line_number":511,"context_line":"where greater delineation exists between roles."},{"line_number":512,"context_line":""},{"line_number":513,"context_line":"In a sense, this becomes an intentional operating mode behavior difference"},{"line_number":514,"context_line":"and thus the overall while the effort should result in ability to have far"},{"line_number":515,"context_line":"more secure environemnts, that is still dependent upon the configuration"},{"line_number":516,"context_line":"which the environment is setup with."},{"line_number":517,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"91cc8913_c2ecefd3","line":514,"range":{"start_line":514,"start_character":52,"end_line":514,"end_character":62},"in_reply_to":"15f209df_13e2d2c7","updated":"2020-12-09 20:26:38.000000000","message":"Rewrote, it was awkward.","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":true,"context_lines":[{"line_number":511,"context_line":"where greater delineation exists between roles."},{"line_number":512,"context_line":""},{"line_number":513,"context_line":"In a sense, this becomes an intentional operating mode behavior difference"},{"line_number":514,"context_line":"and thus the overall while the effort should result in ability to have far"},{"line_number":515,"context_line":"more secure environemnts, that is still dependent upon the configuration"},{"line_number":516,"context_line":"which the environment is setup with."},{"line_number":517,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"a43c458e_80f7a7be","line":514,"range":{"start_line":514,"start_character":9,"end_line":514,"end_character":37},"in_reply_to":"f2d7ab08_db63e4c0","updated":"2020-12-09 20:26:38.000000000","message":"Rewrote, it was awkward.","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":537,"context_line":"pushes the list filtering down to the DBAPI level, which is ideal for"},{"line_number":538,"context_line":"overall performance handling. 
It is likely some additional checks will"},{"line_number":539,"context_line":"produce a slight overhead, but overall it should be minimal and confined"},{"line_number":540,"context_line":"to logic in the API services"},{"line_number":541,"context_line":""},{"line_number":542,"context_line":"Other deployer impact"},{"line_number":543,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"894fd8e5_f9cf600c","line":540,"range":{"start_line":540,"start_character":20,"end_line":540,"end_character":28},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: services. (add .)","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":537,"context_line":"pushes the list filtering down to the DBAPI level, which is ideal for"},{"line_number":538,"context_line":"overall performance handling. 
It is likely some additional checks will"},{"line_number":539,"context_line":"produce a slight overhead, but overall it should be minimal and confined"},{"line_number":540,"context_line":"to logic in the API services"},{"line_number":541,"context_line":""},{"line_number":542,"context_line":"Other deployer impact"},{"line_number":543,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"da696957_86af8940","line":540,"range":{"start_line":540,"start_character":20,"end_line":540,"end_character":28},"in_reply_to":"894fd8e5_f9cf600c","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":587,"context_line":"Phases"},{"line_number":588,"context_line":"------"},{"line_number":589,"context_line":""},{"line_number":590,"context_line":"The initial phase for deployment is scoped for the eqiuvelent of the existing"},{"line_number":591,"context_line":"project admin scoped authentication for system scoped use."},{"line_number":592,"context_line":""},{"line_number":593,"context_line":"The next phase, persumably spanning a major release would then cover the"}],"source_content_type":"text/x-rst","patch_set":5,"id":"6e1ef0ab_54c79c51","line":590,"range":{"start_line":590,"start_character":51,"end_line":590,"end_character":61},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: equivalent","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":587,"context_line":"Phases"},{"line_number":588,"context_line":"------"},{"line_number":589,"context_line":""},{"line_number":590,"context_line":"The initial phase for deployment is scoped for the eqiuvelent of the existing"},{"line_number":591,"context_line":"project admin scoped authentication for system scoped use."},{"line_number":592,"context_line":""},{"line_number":593,"context_line":"The next phase, persumably spanning a major release would then cover the"}],"source_content_type":"text/x-rst","patch_set":5,"id":"9b9b8800_fcb9e67a","line":590,"range":{"start_line":590,"start_character":51,"end_line":590,"end_character":61},"in_reply_to":"6e1ef0ab_54c79c51","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":590,"context_line":"The initial phase for deployment is scoped for the eqiuvelent of the existing"},{"line_number":591,"context_line":"project admin scoped authentication for system scoped use."},{"line_number":592,"context_line":""},{"line_number":593,"context_line":"The next phase, persumably spanning a major release would then cover the"},{"line_number":594,"context_line":"project scoped access rights and changes."},{"line_number":595,"context_line":""},{"line_number":596,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":5,"id":"b9ac3115_5f81c27f","line":593,"range":{"start_line":593,"start_character":16,"end_line":593,"end_character":26},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: presumably","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia 
Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":590,"context_line":"The initial phase for deployment is scoped for the eqiuvelent of the existing"},{"line_number":591,"context_line":"project admin scoped authentication for system scoped use."},{"line_number":592,"context_line":""},{"line_number":593,"context_line":"The next phase, persumably spanning a major release would then cover the"},{"line_number":594,"context_line":"project scoped access rights and changes."},{"line_number":595,"context_line":""},{"line_number":596,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":5,"id":"f2b63f70_f34ace57","line":593,"range":{"start_line":593,"start_character":16,"end_line":593,"end_character":26},"in_reply_to":"b9ac3115_5f81c27f","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":604,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":605,"context_line":""},{"line_number":606,"context_line":"An CI integration job is anticipated and should be created or one already"},{"line_number":607,"context_line":"leveraged which is utiling the widest configuration of integrated components"},{"line_number":608,"context_line":"to ensure that policies are enforced and this enforcement works across"},{"line_number":609,"context_line":"components. 
Due to the nature and scope of this effort, it may be that"},{"line_number":610,"context_line":"Ironic alone is first setup to scope limit authorizations as other projects"}],"source_content_type":"text/x-rst","patch_set":5,"id":"457e12fa_516bb6ec","line":607,"range":{"start_line":607,"start_character":19,"end_line":607,"end_character":26},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: utilising (?)","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":604,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":605,"context_line":""},{"line_number":606,"context_line":"An CI integration job is anticipated and should be created or one already"},{"line_number":607,"context_line":"leveraged which is utiling the widest configuration of integrated components"},{"line_number":608,"context_line":"to ensure that policies are enforced and this enforcement works across"},{"line_number":609,"context_line":"components. 
Due to the nature and scope of this effort, it may be that"},{"line_number":610,"context_line":"Ironic alone is first setup to scope limit authorizations as other projects"}],"source_content_type":"text/x-rst","patch_set":5,"id":"8e663e1f_7a7cc22f","line":607,"range":{"start_line":607,"start_character":19,"end_line":607,"end_character":26},"in_reply_to":"457e12fa_516bb6ec","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"1506ce4991fedacceeb10cd3acbe7e0ca4b29eb2","unresolved":true,"context_lines":[{"line_number":608,"context_line":"to ensure that policies are enforced and this enforcement works across"},{"line_number":609,"context_line":"components. Due to the nature and scope of this effort, it may be that"},{"line_number":610,"context_line":"Ironic alone is first setup to scope limit authorizations as other projects"},{"line_number":611,"context_line":"also work in this drirection."},{"line_number":612,"context_line":""},{"line_number":613,"context_line":"Upgrades and Backwards Compatibility"},{"line_number":614,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"867cebb0_7d17be43","line":611,"range":{"start_line":611,"start_character":18,"end_line":611,"end_character":28},"updated":"2020-12-09 10:34:41.000000000","message":"Nit: direction","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"9c5e129f8ada48dfad72d20b4052ae99320ecccc","unresolved":false,"context_lines":[{"line_number":608,"context_line":"to ensure that policies are enforced and this enforcement works across"},{"line_number":609,"context_line":"components. Due to the nature and scope of this effort, it may be that"},{"line_number":610,"context_line":"Ironic alone is first setup to scope limit authorizations as other projects"},{"line_number":611,"context_line":"also work in this drirection."},{"line_number":612,"context_line":""},{"line_number":613,"context_line":"Upgrades and Backwards Compatibility"},{"line_number":614,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"ef21a471_fc565d11","line":611,"range":{"start_line":611,"start_character":18,"end_line":611,"end_character":28},"in_reply_to":"867cebb0_7d17be43","updated":"2020-12-09 20:26:38.000000000","message":"Done","commit_id":"0326f1c72827151843f90a8c046c1464fbc71610"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"a78e36aec4c7bb963d8ec773195c1f3301683492","unresolved":true,"context_lines":[{"line_number":174,"context_line":""},{"line_number":175,"context_line":"Definitions:"},{"line_number":176,"context_line":""},{"line_number":177,"context_line":"* `is_node_owner` - When the API consumer\u0027s project ID value is populated in"},{"line_number":178,"context_line":"                    the Ironic node object\u0027s ``owner`` field. 
This represents"},{"line_number":179,"context_line":"                    they are the authoritative"},{"line_number":180,"context_line":"                    `owner \u003chttps://specs.openstack.org/openstack/ironic-specs/specs/approved/node-owner-policy.html\u003e`_"}],"source_content_type":"text/x-rst","patch_set":6,"id":"cb39207a_70f0ea34","line":177,"updated":"2020-12-09 21:10:08.000000000","message":"Are these the existing `is_node_owner` and `is_node_lessee` policy rules? Are those rules meant to be redefined, or to be kept as-is?","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"f3cde4ce6b66e0a4a3a154c46753c927a1c246de","unresolved":true,"context_lines":[{"line_number":174,"context_line":""},{"line_number":175,"context_line":"Definitions:"},{"line_number":176,"context_line":""},{"line_number":177,"context_line":"* `is_node_owner` - When the API consumer\u0027s project ID value is populated in"},{"line_number":178,"context_line":"                    the Ironic node object\u0027s ``owner`` field. 
This represents"},{"line_number":179,"context_line":"                    they are the authoritative"},{"line_number":180,"context_line":"                    `owner \u003chttps://specs.openstack.org/openstack/ironic-specs/specs/approved/node-owner-policy.html\u003e`_"}],"source_content_type":"text/x-rst","patch_set":6,"id":"75dbbf5e_97d3ca86","line":177,"in_reply_to":"c246a925_78e76cc0","updated":"2020-12-14 19:45:34.000000000","message":"Clarifying.","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a4605a575d6b23cda32397f25603c52804b36dcb","unresolved":true,"context_lines":[{"line_number":174,"context_line":""},{"line_number":175,"context_line":"Definitions:"},{"line_number":176,"context_line":""},{"line_number":177,"context_line":"* `is_node_owner` - When the API consumer\u0027s project ID value is populated in"},{"line_number":178,"context_line":"                    the Ironic node object\u0027s ``owner`` field. This represents"},{"line_number":179,"context_line":"                    they are the authoritative"},{"line_number":180,"context_line":"                    `owner \u003chttps://specs.openstack.org/openstack/ironic-specs/specs/approved/node-owner-policy.html\u003e`_"}],"source_content_type":"text/x-rst","patch_set":6,"id":"c246a925_78e76cc0","line":177,"in_reply_to":"cb39207a_70f0ea34","updated":"2020-12-10 03:45:05.000000000","message":"Not exactly, but in the same theme. Basically I\u0027ve been trying to represent the idea behind them here, but there will need to be new project scoped rules for these... I think. 
They may just need to be redefined with a little extra logic in the end.","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"92fd5c5b24b1731ce721e74742ee9caa23bbeaa2","unresolved":true,"context_lines":[{"line_number":403,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"uuid - Read-Only"},{"line_number":406,"context_line":"name - Read/Write Project admin if they are the owner???"},{"line_number":407,"context_line":"power_state - Read-Only"},{"line_number":408,"context_line":"target_power_state - Read-Only"},{"line_number":409,"context_line":"provision_state - Read-Only"}],"source_content_type":"text/x-rst","patch_set":6,"id":"57e148a0_f08b3bc4","line":406,"updated":"2020-12-10 00:31:09.000000000","message":"+1","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"f3cde4ce6b66e0a4a3a154c46753c927a1c246de","unresolved":false,"context_lines":[{"line_number":403,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"uuid - Read-Only"},{"line_number":406,"context_line":"name - Read/Write Project admin if they are the owner???"},{"line_number":407,"context_line":"power_state - Read-Only"},{"line_number":408,"context_line":"target_power_state - Read-Only"},{"line_number":409,"context_line":"provision_state - Read-Only"}],"source_content_type":"text/x-rst","patch_set":6,"id":"39f5ed00_9fa97784","line":406,"in_reply_to":"57e148a0_f08b3bc4","updated":"2020-12-14 19:45:34.000000000","message":"Done","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":4571,"name":"Steve 
Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"92fd5c5b24b1731ce721e74742ee9caa23bbeaa2","unresolved":true,"context_lines":[{"line_number":412,"context_line":"maintenance_reason - Read/Write"},{"line_number":413,"context_line":"fault - Read/Write"},{"line_number":414,"context_line":"last_error - ???"},{"line_number":415,"context_line":".. TODO:: The issue with ``last_error`` is that it can leak infrastructure hostnames of conductors, bmcs, etc. For BMaaS, it might make sense?"},{"line_number":416,"context_line":"reservation - Returned as a True/False for project users."},{"line_number":417,"context_line":"driver - Read-Only"},{"line_number":418,"context_line":"driver_info - Hidden from view???"}],"source_content_type":"text/x-rst","patch_set":6,"id":"74b7185c_90e1d7ae","line":415,"updated":"2020-12-10 00:31:09.000000000","message":"Counterpoint, a user would have no idea what caused a failure without this.\n\nMaybe a compromise would be to replace a last_error with configurable instructions on how to contact an admin","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a4605a575d6b23cda32397f25603c52804b36dcb","unresolved":true,"context_lines":[{"line_number":412,"context_line":"maintenance_reason - Read/Write"},{"line_number":413,"context_line":"fault - Read/Write"},{"line_number":414,"context_line":"last_error - ???"},{"line_number":415,"context_line":".. TODO:: The issue with ``last_error`` is that it can leak infrastructure hostnames of conductors, bmcs, etc. 
For BMaaS, it might make sense?"},{"line_number":416,"context_line":"reservation - Returned as a True/False for project users."},{"line_number":417,"context_line":"driver - Read-Only"},{"line_number":418,"context_line":"driver_info - Hidden from view???"}],"source_content_type":"text/x-rst","patch_set":6,"id":"913f493a_572138e8","line":415,"in_reply_to":"74b7185c_90e1d7ae","updated":"2020-12-10 03:45:05.000000000","message":"That is a good point. Maybe this just needs to be admin configurable:\n\n[conductor]inform_user_to_contact, defaulting to None; if populated, the configured contact details are returned in that field instead of the raw error for project scoped interactions.","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"92fd5c5b24b1731ce721e74742ee9caa23bbeaa2","unresolved":true,"context_lines":[{"line_number":415,"context_line":".. TODO:: The issue with ``last_error`` is that it can leak infrastructure hostnames of conductors, bmcs, etc. For BMaaS, it might make sense?"},{"line_number":416,"context_line":"reservation - Returned as a True/False for project users."},{"line_number":417,"context_line":"driver - Read-Only"},{"line_number":418,"context_line":"driver_info - Hidden from view???"},{"line_number":419,"context_line":"driver_internal_info - Hidden from view???"},{"line_number":420,"context_line":"properties - Read-Only?"},{"line_number":421,"context_line":"instance_info - Project Admin/Project Member Read-Write"},{"line_number":422,"context_line":"instance_uuid - Read/Write for Project Admin/Project Member"}],"source_content_type":"text/x-rst","patch_set":6,"id":"e8bbbb34_5e1f87ee","line":419,"range":{"start_line":418,"start_character":0,"end_line":419,"end_character":42},"updated":"2020-12-10 00:31:09.000000000","message":"These are already sanitized of secrets. 
On the other hand it\u0027s likely not useful to a project-member","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a4605a575d6b23cda32397f25603c52804b36dcb","unresolved":true,"context_lines":[{"line_number":415,"context_line":".. TODO:: The issue with ``last_error`` is that it can leak infrastructure hostnames of conductors, bmcs, etc. For BMaaS, it might make sense?"},{"line_number":416,"context_line":"reservation - Returned as a True/False for project users."},{"line_number":417,"context_line":"driver - Read-Only"},{"line_number":418,"context_line":"driver_info - Hidden from view???"},{"line_number":419,"context_line":"driver_internal_info - Hidden from view???"},{"line_number":420,"context_line":"properties - Read-Only?"},{"line_number":421,"context_line":"instance_info - Project Admin/Project Member Read-Write"},{"line_number":422,"context_line":"instance_uuid - Read/Write for Project Admin/Project Member"}],"source_content_type":"text/x-rst","patch_set":6,"id":"2336df8f_fdf1be08","line":419,"range":{"start_line":418,"start_character":0,"end_line":419,"end_character":42},"in_reply_to":"e8bbbb34_5e1f87ee","updated":"2020-12-10 03:45:05.000000000","message":"driver_internal_info has an IP address of the agent when it\u0027s in play. It likely shouldn\u0027t be revealed because it provides insight into the infrastructure, and driver_info potentially reveals the BMC address. 
Of course, ideally, none of that is user accessible, but yeah.","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"92fd5c5b24b1731ce721e74742ee9caa23bbeaa2","unresolved":true,"context_lines":[{"line_number":417,"context_line":"driver - Read-Only"},{"line_number":418,"context_line":"driver_info - Hidden from view???"},{"line_number":419,"context_line":"driver_internal_info - Hidden from view???"},{"line_number":420,"context_line":"properties - Read-Only?"},{"line_number":421,"context_line":"instance_info - Project Admin/Project Member Read-Write"},{"line_number":422,"context_line":"instance_uuid - Read/Write for Project Admin/Project Member"},{"line_number":423,"context_line":"chassis_uuid - None"}],"source_content_type":"text/x-rst","patch_set":6,"id":"f3dd8161_9e4cfb6e","line":420,"updated":"2020-12-10 00:31:09.000000000","message":"+1","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"f3cde4ce6b66e0a4a3a154c46753c927a1c246de","unresolved":false,"context_lines":[{"line_number":417,"context_line":"driver - Read-Only"},{"line_number":418,"context_line":"driver_info - Hidden from view???"},{"line_number":419,"context_line":"driver_internal_info - Hidden from view???"},{"line_number":420,"context_line":"properties - Read-Only?"},{"line_number":421,"context_line":"instance_info - Project Admin/Project Member Read-Write"},{"line_number":422,"context_line":"instance_uuid - Read/Write for Project Admin/Project Member"},{"line_number":423,"context_line":"chassis_uuid - None"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3148d16b_eeca6074","line":420,"in_reply_to":"f3dd8161_9e4cfb6e","updated":"2020-12-14 
19:45:34.000000000","message":"Done","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"a78e36aec4c7bb963d8ec773195c1f3301683492","unresolved":true,"context_lines":[{"line_number":421,"context_line":"instance_info - Project Admin/Project Member Read-Write"},{"line_number":422,"context_line":"instance_uuid - Read/Write for Project Admin/Project Member"},{"line_number":423,"context_line":"chassis_uuid - None"},{"line_number":424,"context_line":"extra - ???"},{"line_number":425,"context_line":"console_enabled - ???"},{"line_number":426,"context_line":"raid_config - Read-Only"},{"line_number":427,"context_line":"target_raid_config - Read-Only"}],"source_content_type":"text/x-rst","patch_set":6,"id":"fe7c537b_25b7e9c5","line":424,"updated":"2020-12-09 21:10:08.000000000","message":"This may need to be Project Admin/Project Member Read-Write, as metalsmith uses this field when provisioning a node.","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"f3cde4ce6b66e0a4a3a154c46753c927a1c246de","unresolved":false,"context_lines":[{"line_number":421,"context_line":"instance_info - Project Admin/Project Member Read-Write"},{"line_number":422,"context_line":"instance_uuid - Read/Write for Project Admin/Project Member"},{"line_number":423,"context_line":"chassis_uuid - None"},{"line_number":424,"context_line":"extra - ???"},{"line_number":425,"context_line":"console_enabled - ???"},{"line_number":426,"context_line":"raid_config - Read-Only"},{"line_number":427,"context_line":"target_raid_config - Read-Only"}],"source_content_type":"text/x-rst","patch_set":6,"id":"20fd0320_6ec5d8b9","line":424,"in_reply_to":"e1db6eab_aedc0052","updated":"2020-12-14 
19:45:34.000000000","message":"Done","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a4605a575d6b23cda32397f25603c52804b36dcb","unresolved":true,"context_lines":[{"line_number":421,"context_line":"instance_info - Project Admin/Project Member Read-Write"},{"line_number":422,"context_line":"instance_uuid - Read/Write for Project Admin/Project Member"},{"line_number":423,"context_line":"chassis_uuid - None"},{"line_number":424,"context_line":"extra - ???"},{"line_number":425,"context_line":"console_enabled - ???"},{"line_number":426,"context_line":"raid_config - Read-Only"},{"line_number":427,"context_line":"target_raid_config - Read-Only"}],"source_content_type":"text/x-rst","patch_set":6,"id":"e1db6eab_aedc0052","line":424,"in_reply_to":"fe7c537b_25b7e9c5","updated":"2020-12-10 03:45:05.000000000","message":"Good point. 
Another reason to rip out the old vif logic.","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"92fd5c5b24b1731ce721e74742ee9caa23bbeaa2","unresolved":true,"context_lines":[{"line_number":422,"context_line":"instance_uuid - Read/Write for Project Admin/Project Member"},{"line_number":423,"context_line":"chassis_uuid - None"},{"line_number":424,"context_line":"extra - ???"},{"line_number":425,"context_line":"console_enabled - ???"},{"line_number":426,"context_line":"raid_config - Read-Only"},{"line_number":427,"context_line":"target_raid_config - Read-Only"},{"line_number":428,"context_line":"clean_step - Read-Only"}],"source_content_type":"text/x-rst","patch_set":6,"id":"93803041_1c573f40","line":425,"updated":"2020-12-10 00:31:09.000000000","message":"I think a project-member would have an expectation of access to the console when available.","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a4605a575d6b23cda32397f25603c52804b36dcb","unresolved":true,"context_lines":[{"line_number":422,"context_line":"instance_uuid - Read/Write for Project Admin/Project Member"},{"line_number":423,"context_line":"chassis_uuid - None"},{"line_number":424,"context_line":"extra - ???"},{"line_number":425,"context_line":"console_enabled - ???"},{"line_number":426,"context_line":"raid_config - Read-Only"},{"line_number":427,"context_line":"target_raid_config - Read-Only"},{"line_number":428,"context_line":"clean_step - Read-Only"}],"source_content_type":"text/x-rst","patch_set":6,"id":"a502a04e_c742cb19","line":425,"in_reply_to":"93803041_1c573f40","updated":"2020-12-10 03:45:05.000000000","message":"I think that is reasonable... maybe. 
I need to lookup the mechanics on this.","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"f3cde4ce6b66e0a4a3a154c46753c927a1c246de","unresolved":false,"context_lines":[{"line_number":422,"context_line":"instance_uuid - Read/Write for Project Admin/Project Member"},{"line_number":423,"context_line":"chassis_uuid - None"},{"line_number":424,"context_line":"extra - ???"},{"line_number":425,"context_line":"console_enabled - ???"},{"line_number":426,"context_line":"raid_config - Read-Only"},{"line_number":427,"context_line":"target_raid_config - Read-Only"},{"line_number":428,"context_line":"clean_step - Read-Only"}],"source_content_type":"text/x-rst","patch_set":6,"id":"1e0a70b8_27e27608","line":425,"in_reply_to":"a502a04e_c742cb19","updated":"2020-12-14 19:45:34.000000000","message":"Done","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"f3cde4ce6b66e0a4a3a154c46753c927a1c246de","unresolved":true,"context_lines":[{"line_number":442,"context_line":"rescue_interface - Read-Only"},{"line_number":443,"context_line":"storage_interface - Read-Only"},{"line_number":444,"context_line":"traits - Read-Only"},{"line_number":445,"context_line":"vendor_interface - Project admin read/write only."},{"line_number":446,"context_line":"conductor_group - Hidden from project view?"},{"line_number":447,"context_line":"protected - Read/Write"},{"line_number":448,"context_line":"protected_reason - Read/Write"}],"source_content_type":"text/x-rst","patch_set":6,"id":"b0524738_028202e1","line":445,"updated":"2020-12-14 19:45:34.000000000","message":"I\u0027m not sure about this.... 
I feel uneasy about it since the vendor interfaces are open-ended. I\u0027m going to change it to mark it read/only.","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"92fd5c5b24b1731ce721e74742ee9caa23bbeaa2","unresolved":true,"context_lines":[{"line_number":443,"context_line":"storage_interface - Read-Only"},{"line_number":444,"context_line":"traits - Read-Only"},{"line_number":445,"context_line":"vendor_interface - Project admin read/write only."},{"line_number":446,"context_line":"conductor_group - Hidden from project view?"},{"line_number":447,"context_line":"protected - Read/Write"},{"line_number":448,"context_line":"protected_reason - Read/Write"},{"line_number":449,"context_line":"owner - Read-Only"}],"source_content_type":"text/x-rst","patch_set":6,"id":"e6ed178c_1dd2efc9","line":446,"updated":"2020-12-10 00:31:09.000000000","message":"+1","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a4605a575d6b23cda32397f25603c52804b36dcb","unresolved":true,"context_lines":[{"line_number":443,"context_line":"storage_interface - Read-Only"},{"line_number":444,"context_line":"traits - Read-Only"},{"line_number":445,"context_line":"vendor_interface - Project admin read/write only."},{"line_number":446,"context_line":"conductor_group - Hidden from project view?"},{"line_number":447,"context_line":"protected - Read/Write"},{"line_number":448,"context_line":"protected_reason - Read/Write"},{"line_number":449,"context_line":"owner - Read-Only"}],"source_content_type":"text/x-rst","patch_set":6,"id":"76e679c0_5134fa91","line":446,"in_reply_to":"e6ed178c_1dd2efc9","updated":"2020-12-10 03:45:05.000000000","message":"You raised a good point in IRC, we should 
likely just reply with None in the field.","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"92fd5c5b24b1731ce721e74742ee9caa23bbeaa2","unresolved":true,"context_lines":[{"line_number":447,"context_line":"protected - Read/Write"},{"line_number":448,"context_line":"protected_reason - Read/Write"},{"line_number":449,"context_line":"owner - Read-Only"},{"line_number":450,"context_line":".. TODO:: Is it okay for a lessee to see who the owner is?"},{"line_number":451,"context_line":"lessee - Read-Only"},{"line_number":452,"context_line":"description - Read-Write?"},{"line_number":453,"context_line":"conductor - Hidden from project view?"}],"source_content_type":"text/x-rst","patch_set":6,"id":"d03a819a_b9626f45","line":450,"updated":"2020-12-10 00:31:09.000000000","message":"IMO, yes","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"92fd5c5b24b1731ce721e74742ee9caa23bbeaa2","unresolved":true,"context_lines":[{"line_number":449,"context_line":"owner - Read-Only"},{"line_number":450,"context_line":".. 
TODO:: Is it okay for a lessee to see who the owner is?"},{"line_number":451,"context_line":"lessee - Read-Only"},{"line_number":452,"context_line":"description - Read-Write?"},{"line_number":453,"context_line":"conductor - Hidden from project view?"},{"line_number":454,"context_line":"allocation_uuid - Read Only"},{"line_number":455,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"6e01ff86_8d7030c4","line":452,"updated":"2020-12-10 00:31:09.000000000","message":"How about same policy as name?","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a4605a575d6b23cda32397f25603c52804b36dcb","unresolved":true,"context_lines":[{"line_number":449,"context_line":"owner - Read-Only"},{"line_number":450,"context_line":".. TODO:: Is it okay for a lessee to see who the owner is?"},{"line_number":451,"context_line":"lessee - Read-Only"},{"line_number":452,"context_line":"description - Read-Write?"},{"line_number":453,"context_line":"conductor - Hidden from project view?"},{"line_number":454,"context_line":"allocation_uuid - Read Only"},{"line_number":455,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"3748f146_5211a2a5","line":452,"in_reply_to":"6e01ff86_8d7030c4","updated":"2020-12-10 03:45:05.000000000","message":"Sounds good to me.","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"92fd5c5b24b1731ce721e74742ee9caa23bbeaa2","unresolved":true,"context_lines":[{"line_number":452,"context_line":"description - Read-Write?"},{"line_number":453,"context_line":"conductor - Hidden from project view?"},{"line_number":454,"context_line":"allocation_uuid - Read 
Only"},{"line_number":455,"context_line":""},{"line_number":456,"context_line":"Special areas:"},{"line_number":457,"context_line":""},{"line_number":458,"context_line":"volume - This represents volume targets and connectors. All values"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5271ce20_facab1ad","line":455,"updated":"2020-12-10 00:31:09.000000000","message":"It might be worth stating explicitly that hidden fields which are normally mandatory should be set to an empty value (None, \u0027\u0027, {}) instead of deleting the field entirely.\n\nThis would avoid breaking clients which expect the field to exist.","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a4605a575d6b23cda32397f25603c52804b36dcb","unresolved":true,"context_lines":[{"line_number":452,"context_line":"description - Read-Write?"},{"line_number":453,"context_line":"conductor - Hidden from project view?"},{"line_number":454,"context_line":"allocation_uuid - Read Only"},{"line_number":455,"context_line":""},{"line_number":456,"context_line":"Special areas:"},{"line_number":457,"context_line":""},{"line_number":458,"context_line":"volume - This represents volume targets and connectors. 
All values"}],"source_content_type":"text/x-rst","patch_set":6,"id":"6e02a8a6_a64192e4","line":455,"in_reply_to":"5271ce20_facab1ad","updated":"2020-12-10 03:45:05.000000000","message":"++ I think this makes sense to do.","commit_id":"91fc8dee4a10a10ce2131f342476405c33c28e10"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cec0a666d2833c726314bd8bc46226dd4211b0e3","unresolved":true,"context_lines":[{"line_number":23,"context_line":"However there is a growing desire to delineate scopes in which user accounts"},{"line_number":24,"context_line":"have acess to the API. This effort is sometimes referred to as \"Secure RBAC\""},{"line_number":25,"context_line":"in the OpenStack community, which is an initiative to have scope restricted"},{"line_number":26,"context_line":"authentication across OpenStack services, where the scoping and and modeling"},{"line_number":27,"context_line":"is consistent to provide a consistent \"authorization experience\". 
This is"},{"line_number":28,"context_line":"achieved via `system scoped role \u003chttps://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\u003e`_"},{"line_number":29,"context_line":"assignments."}],"source_content_type":"text/x-rst","patch_set":8,"id":"f7bb67a3_12780d3e","line":26,"range":{"start_line":26,"start_character":64,"end_line":26,"end_character":67},"updated":"2021-01-13 18:05:14.000000000","message":"nit: extra \u0027and\u0027","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de2898e02d73bcb01f96367f8cbb2f96b93cfd4d","unresolved":false,"context_lines":[{"line_number":23,"context_line":"However there is a growing desire to delineate scopes in which user accounts"},{"line_number":24,"context_line":"have acess to the API. This effort is sometimes referred to as \"Secure RBAC\""},{"line_number":25,"context_line":"in the OpenStack community, which is an initiative to have scope restricted"},{"line_number":26,"context_line":"authentication across OpenStack services, where the scoping and and modeling"},{"line_number":27,"context_line":"is consistent to provide a consistent \"authorization experience\". 
This is"},{"line_number":28,"context_line":"achieved via `system scoped role \u003chttps://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\u003e`_"},{"line_number":29,"context_line":"assignments."}],"source_content_type":"text/x-rst","patch_set":8,"id":"859828e2_523e630c","line":26,"range":{"start_line":26,"start_character":64,"end_line":26,"end_character":67},"in_reply_to":"f7bb67a3_12780d3e","updated":"2021-01-26 22:54:45.000000000","message":"Done","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cec0a666d2833c726314bd8bc46226dd4211b0e3","unresolved":true,"context_lines":[{"line_number":24,"context_line":"have acess to the API. This effort is sometimes referred to as \"Secure RBAC\""},{"line_number":25,"context_line":"in the OpenStack community, which is an initiative to have scope restricted"},{"line_number":26,"context_line":"authentication across OpenStack services, where the scoping and and modeling"},{"line_number":27,"context_line":"is consistent to provide a consistent \"authorization experience\". This is"},{"line_number":28,"context_line":"achieved via `system scoped role \u003chttps://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\u003e`_"},{"line_number":29,"context_line":"assignments."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"In essence this effort is to group the access and actions behind personas"},{"line_number":32,"context_line":"which are granted to users and then ensuring that the invoked access rights"}],"source_content_type":"text/x-rst","patch_set":8,"id":"5a365444_6202213a","line":29,"range":{"start_line":27,"start_character":66,"end_line":29,"end_character":12},"updated":"2021-01-13 18:05:14.000000000","message":"nit: IMO, system-scope is one piece of the puzzle that provides a consistent experience. 
I think the consistency comes from service developers understanding the various scopes (e.g., project-scope, domain-scope, system-scope) and how their APIs should interact with each scope and role permutation.","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de2898e02d73bcb01f96367f8cbb2f96b93cfd4d","unresolved":true,"context_lines":[{"line_number":24,"context_line":"have acess to the API. This effort is sometimes referred to as \"Secure RBAC\""},{"line_number":25,"context_line":"in the OpenStack community, which is an initiative to have scope restricted"},{"line_number":26,"context_line":"authentication across OpenStack services, where the scoping and and modeling"},{"line_number":27,"context_line":"is consistent to provide a consistent \"authorization experience\". This is"},{"line_number":28,"context_line":"achieved via `system scoped role \u003chttps://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\u003e`_"},{"line_number":29,"context_line":"assignments."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"In essence this effort is to group the access and actions behind personas"},{"line_number":32,"context_line":"which are granted to users and then ensuring that the invoked access rights"}],"source_content_type":"text/x-rst","patch_set":8,"id":"01b5359e_0576baff","line":29,"range":{"start_line":27,"start_character":66,"end_line":29,"end_character":12},"in_reply_to":"5a365444_6202213a","updated":"2021-01-26 22:54:45.000000000","message":"I guess that was my attempt with the next paragraph. 
I\u0027m revising this to try and paint more of the picture.","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cec0a666d2833c726314bd8bc46226dd4211b0e3","unresolved":true,"context_lines":[{"line_number":29,"context_line":"assignments."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"In essence this effort is to group the access and actions behind personas"},{"line_number":32,"context_line":"which are granted to users and then ensuring that the invoked access rights"},{"line_number":33,"context_line":"do not permit inappropriate access such as edit fields as a reader only"},{"line_number":34,"context_line":"role on the system scope. At a high level, this is conceptually modeled into"},{"line_number":35,"context_line":"``admin``, ``member``, and ``reader`` roles. During the"}],"source_content_type":"text/x-rst","patch_set":8,"id":"9f8c1fd2_b694f3cc","line":32,"range":{"start_line":32,"start_character":10,"end_line":32,"end_character":17},"updated":"2021-01-13 18:05:14.000000000","message":"nit: System administrators can\u0027t grant personas, but they can grant roles to actors, users and groups, on authorization targets like projects, domains, and system.\n\nI think using the term personas is great because it encapsulates common authorization use-cases, but I want to be mindful of phrasing such that we don\u0027t lead deployers to keystone and they try to do something like:\n\n  $ openstack persona add --user alice --system-admin\n\nMaybe we can rephrase:\n\n  In essence this effort is to group access and actions behind\n  personas, which are role and scope permutations, that can be\n  applied to a user via role assignments in keystone.","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":11655,"name":"Julia 
Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de2898e02d73bcb01f96367f8cbb2f96b93cfd4d","unresolved":true,"context_lines":[{"line_number":29,"context_line":"assignments."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"In essence this effort is to group the access and actions behind personas"},{"line_number":32,"context_line":"which are granted to users and then ensuring that the invoked access rights"},{"line_number":33,"context_line":"do not permit inappropriate access such as edit fields as a reader only"},{"line_number":34,"context_line":"role on the system scope. At a high level, this is conceptually modeled into"},{"line_number":35,"context_line":"``admin``, ``member``, and ``reader`` roles. During the"}],"source_content_type":"text/x-rst","patch_set":8,"id":"bc64f02f_b5ee3689","line":32,"range":{"start_line":32,"start_character":10,"end_line":32,"end_character":17},"in_reply_to":"9f8c1fd2_b694f3cc","updated":"2021-01-26 22:54:45.000000000","message":"Revising, but I think it is important to note that the audience of this document is ironic developers. Not deployers nor keystone developers who would use it.","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cec0a666d2833c726314bd8bc46226dd4211b0e3","unresolved":true,"context_lines":[{"line_number":44,"context_line":"* admin - This is in essence an administrative user with-in the operating"},{"line_number":45,"context_line":"          scope. These are accounts which Create/Delete $things,"},{"line_number":46,"context_line":"          and in keystone default configuration, this role implies"},{"line_number":47,"context_line":"          the ``member`` role. 
In an Ironic context, we can think of this user"},{"line_number":48,"context_line":"          as the infrastucture administrator who is adding their baremetal"},{"line_number":49,"context_line":"          machines into Ironic."},{"line_number":50,"context_line":"* member - This is a user which can act upon things. They may be able to read"},{"line_number":51,"context_line":"           and write with-in objects, but cannot create/delete new objects"},{"line_number":52,"context_line":"           unless it is an explicitly permitted action. An Ironic example"}],"source_content_type":"text/x-rst","patch_set":8,"id":"4b878773_ff4fd4cc","line":49,"range":{"start_line":47,"start_character":30,"end_line":49,"end_character":31},"updated":"2021-01-13 18:05:14.000000000","message":"++ Thanks for adding ironic-specific examples. I find them really helpful.","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cec0a666d2833c726314bd8bc46226dd4211b0e3","unresolved":true,"context_lines":[{"line_number":54,"context_line":"           request allocations, or change a node\u0027s provision state."},{"line_number":55,"context_line":"           Similar to ``admin`` implying ``member``, ``member`` implies"},{"line_number":56,"context_line":"           ``reader``."},{"line_number":57,"context_line":"* reader - This a user which needs to be able to have read-only access."},{"line_number":58,"context_line":"           They can read objects but not change, modify, or delete objects."},{"line_number":59,"context_line":"           In a ``system`` scope it may be a network operations center"},{"line_number":60,"context_line":"           employee who has a business need to be able to observe 
the"}],"source_content_type":"text/x-rst","patch_set":8,"id":"38aeb41c_f1396fe5","line":57,"range":{"start_line":57,"start_character":11,"end_line":57,"end_character":15},"updated":"2021-01-13 18:05:14.000000000","message":"nit: This is*?","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de2898e02d73bcb01f96367f8cbb2f96b93cfd4d","unresolved":true,"context_lines":[{"line_number":54,"context_line":"           request allocations, or change a node\u0027s provision state."},{"line_number":55,"context_line":"           Similar to ``admin`` implying ``member``, ``member`` implies"},{"line_number":56,"context_line":"           ``reader``."},{"line_number":57,"context_line":"* reader - This a user which needs to be able to have read-only access."},{"line_number":58,"context_line":"           They can read objects but not change, modify, or delete objects."},{"line_number":59,"context_line":"           In a ``system`` scope it may be a network operations center"},{"line_number":60,"context_line":"           employee who has a business need to be able to observe the"}],"source_content_type":"text/x-rst","patch_set":8,"id":"e5d693be_c9b06129","line":57,"range":{"start_line":57,"start_character":11,"end_line":57,"end_character":15},"in_reply_to":"38aeb41c_f1396fe5","updated":"2021-01-26 22:54:45.000000000","message":"Thanks, it is easy for my brain to miss things like this because it auto-fills in. 
:\\","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cec0a666d2833c726314bd8bc46226dd4211b0e3","unresolved":true,"context_lines":[{"line_number":58,"context_line":"           They can read objects but not change, modify, or delete objects."},{"line_number":59,"context_line":"           In a ``system`` scope it may be a network operations center"},{"line_number":60,"context_line":"           employee who has a business need to be able to observe the"},{"line_number":61,"context_line":"           status and details. In a ``project`` scope, this may be"},{"line_number":62,"context_line":"           someone attempting to account for resources, or accounts"},{"line_number":63,"context_line":"           for automated processes/reporting."},{"line_number":64,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"b725be4b_89dae8a3","line":61,"range":{"start_line":61,"start_character":11,"end_line":61,"end_character":29},"updated":"2021-01-13 18:05:14.000000000","message":"The status and details of a baremetal machine?","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de2898e02d73bcb01f96367f8cbb2f96b93cfd4d","unresolved":false,"context_lines":[{"line_number":58,"context_line":"           They can read objects but not change, modify, or delete objects."},{"line_number":59,"context_line":"           In a ``system`` scope it may be a network operations center"},{"line_number":60,"context_line":"           employee who has a business need to be able to observe the"},{"line_number":61,"context_line":"           status and details. 
In a ``project`` scope, this may be"},{"line_number":62,"context_line":"           someone attempting to account for resources, or accounts"},{"line_number":63,"context_line":"           for automated processes/reporting."},{"line_number":64,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"5b485aff_308881cc","line":61,"range":{"start_line":61,"start_character":11,"end_line":61,"end_character":29},"in_reply_to":"b725be4b_89dae8a3","updated":"2021-01-26 22:54:45.000000000","message":"Yes.","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cec0a666d2833c726314bd8bc46226dd4211b0e3","unresolved":true,"context_lines":[{"line_number":62,"context_line":"           someone attempting to account for resources, or accounts"},{"line_number":63,"context_line":"           for automated processes/reporting."},{"line_number":64,"context_line":""},{"line_number":65,"context_line":".. note:: Additional details on default role definitions is covered in the"},{"line_number":66,"context_line":"   `Keystone speification \"define default roles\" \u003chttps://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html\u003e`_."},{"line_number":67,"context_line":""},{"line_number":68,"context_line":".. note:: A future potential is that an ``auditor`` role may exist, but it"},{"line_number":69,"context_line":"   would *not* match readers. 
Auditors would be read-only in nature, but their"}],"source_content_type":"text/x-rst","patch_set":8,"id":"abd1dd99_f3b028a2","line":66,"range":{"start_line":65,"start_character":3,"end_line":66,"end_character":153},"updated":"2021-01-13 18:05:14.000000000","message":"++\n\nWe actually have documentation for this in keystone\u0027s administrator guide [0], which we consider more formal and up-to-date than a specification.\n\n[0] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de2898e02d73bcb01f96367f8cbb2f96b93cfd4d","unresolved":false,"context_lines":[{"line_number":62,"context_line":"           someone attempting to account for resources, or accounts"},{"line_number":63,"context_line":"           for automated processes/reporting."},{"line_number":64,"context_line":""},{"line_number":65,"context_line":".. note:: Additional details on default role definitions is covered in the"},{"line_number":66,"context_line":"   `Keystone speification \"define default roles\" \u003chttps://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html\u003e`_."},{"line_number":67,"context_line":""},{"line_number":68,"context_line":".. note:: A future potential is that an ``auditor`` role may exist, but it"},{"line_number":69,"context_line":"   would *not* match readers. 
Auditors would be read-only in nature, but their"}],"source_content_type":"text/x-rst","patch_set":8,"id":"fce5f9d8_d1262291","line":66,"range":{"start_line":65,"start_character":3,"end_line":66,"end_character":153},"in_reply_to":"abd1dd99_f3b028a2","updated":"2021-01-26 22:54:45.000000000","message":"Ack","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cec0a666d2833c726314bd8bc46226dd4211b0e3","unresolved":true,"context_lines":[{"line_number":84,"context_line":"* domain - We do not anticipate this to apply, and the primitives do not exist"},{"line_number":85,"context_line":"           in Ironic. This scope is only used with-in Keystone."},{"line_number":86,"context_line":"* project - This is the logical grouping in which users are members of projects"},{"line_number":87,"context_line":"            and have some level of implied member rights with-in that project."},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"Problem description"},{"line_number":90,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":8,"id":"c9f15cbf_2785ed5e","line":87,"updated":"2021-01-13 18:05:14.000000000","message":"We have additional documentation about authorization scopes in keystone\u0027s administrator guide [0]. Since this is a specification is it safe to assume the audience is primarily developers? 
If so, the documentation in the contributor guide might be even more appropriate [1].\n\nFeel free to use that if it helps reduce duplicate terminology.\n\n[0] https://docs.openstack.org/keystone/latest/admin/tokens-overview.html#authorization-scopes\n[1] https://docs.openstack.org/keystone/latest/contributor/services.html#authorization-scopes","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de2898e02d73bcb01f96367f8cbb2f96b93cfd4d","unresolved":false,"context_lines":[{"line_number":84,"context_line":"* domain - We do not anticipate this to apply, and the primitives do not exist"},{"line_number":85,"context_line":"           in Ironic. This scope is only used with-in Keystone."},{"line_number":86,"context_line":"* project - This is the logical grouping in which users are members of projects"},{"line_number":87,"context_line":"            and have some level of implied member rights with-in that project."},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"Problem description"},{"line_number":90,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":8,"id":"260d6d72_744057cd","line":87,"in_reply_to":"c9f15cbf_2785ed5e","updated":"2021-01-26 22:54:45.000000000","message":"Ack","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cec0a666d2833c726314bd8bc46226dd4211b0e3","unresolved":true,"context_lines":[{"line_number":98,"context_line":""},{"line_number":99,"context_line":"Coincidently there is a desire from larger OpenStack operators to"},{"line_number":100,"context_line":"have the ability to delineate 
access. In other words permit operations"},{"line_number":101,"context_line":"centers to be able to view status, but not be able to act upon nodes."},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"As projects within OpenStack implement Scope and Role delineation, and"},{"line_number":104,"context_line":"enable scope based access restriction, a risk exists that Ironic will"}],"source_content_type":"text/x-rst","patch_set":8,"id":"2aa076b8_8c086101","line":101,"updated":"2021-01-13 18:05:14.000000000","message":"++\n\nYes, this is imperative to providing a multi-tenant system.","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de2898e02d73bcb01f96367f8cbb2f96b93cfd4d","unresolved":false,"context_lines":[{"line_number":98,"context_line":""},{"line_number":99,"context_line":"Coincidently there is a desire from larger OpenStack operators to"},{"line_number":100,"context_line":"have the ability to delineate access. 
In other words permit operations"},{"line_number":101,"context_line":"centers to be able to view status, but not be able to act upon nodes."},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"As projects within OpenStack implement Scope and Role delineation, and"},{"line_number":104,"context_line":"enable scope based access restriction, a risk exists that Ironic will"}],"source_content_type":"text/x-rst","patch_set":8,"id":"4bb05d4f_ae064a28","line":101,"in_reply_to":"2aa076b8_8c086101","updated":"2021-01-26 22:54:45.000000000","message":"Ack","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cec0a666d2833c726314bd8bc46226dd4211b0e3","unresolved":true,"context_lines":[{"line_number":104,"context_line":"enable scope based access restriction, a risk exists that Ironic will"},{"line_number":105,"context_line":"become incompatible with the models attempting to be represented."},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"And thus we must implement support for to delineate scopes, roles, and"},{"line_number":108,"context_line":"ultimately what may be a differing access model for some remote resources."},{"line_number":109,"context_line":"In particular, risk exists with existing integrations as they may grow to"},{"line_number":110,"context_line":"expect only Project scoped requests, and refuse a System scoped member"}],"source_content_type":"text/x-rst","patch_set":8,"id":"ef84240b_b1192f8b","line":107,"range":{"start_line":107,"start_character":35,"end_line":107,"end_character":38},"updated":"2021-01-13 18:05:14.000000000","message":"nit: \n\nsupport for delineated scopes*? 
\n\nsupport to delineate scopes*?","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de2898e02d73bcb01f96367f8cbb2f96b93cfd4d","unresolved":false,"context_lines":[{"line_number":104,"context_line":"enable scope based access restriction, a risk exists that Ironic will"},{"line_number":105,"context_line":"become incompatible with the models attempting to be represented."},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"And thus we must implement support for to delineate scopes, roles, and"},{"line_number":108,"context_line":"ultimately what may be a differing access model for some remote resources."},{"line_number":109,"context_line":"In particular, risk exists with existing integrations as they may grow to"},{"line_number":110,"context_line":"expect only Project scoped requests, and refuse a System scoped member"}],"source_content_type":"text/x-rst","patch_set":8,"id":"b85d8745_bea987b0","line":107,"range":{"start_line":107,"start_character":35,"end_line":107,"end_character":38},"in_reply_to":"ef84240b_b1192f8b","updated":"2021-01-26 22:54:45.000000000","message":"Revised, Thanks!","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"12da667bae3c7027ed30dc829c4aa76fc78a3785","unresolved":true,"context_lines":[{"line_number":215,"context_line":"|             |                      | `is_node_owner` or `is_node_lessee`   |"},{"line_number":216,"context_line":"|             |                      | applies.                              |"},{"line_number":217,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":218,"context_line":""},{"line_number":219,"context_line":".. 
note:: An ``auditor`` role has not been proposed in this work, but *does*"},{"line_number":220,"context_line":"   make eventual sense in the long term, and should be logically considered as"},{"line_number":221,"context_line":"   reader does not equal an auditor in role. The concept for ``auditor`` would"}],"source_content_type":"text/x-rst","patch_set":8,"id":"d2bccfe0_27d495a0","line":218,"updated":"2021-01-12 22:57:14.000000000","message":"I think using both roles and a node\u0027s owner/lesseee at the same time may be a mistake. They both try and do the same thing - define a role - and they each solve a different use case, so combining the two may result in something strange.\n\nWould the following work?\n\n* define a PROJECT_ADMIN as someone matching owner_id and having the admin role\n* defining a PROJECT_MEMBER as *one* of the following:\n   * matching the owner_id and having the member role\n   * matching the lessee_id\n\nWe default to one of the definitions of PROJECT_MEMBER,and include documentation explaining that each definition of PROJECT_MEMBER fits a separate use case, and explaining how to switch from one to the other.","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de2898e02d73bcb01f96367f8cbb2f96b93cfd4d","unresolved":true,"context_lines":[{"line_number":215,"context_line":"|             |                      | `is_node_owner` or `is_node_lessee`   |"},{"line_number":216,"context_line":"|             |                      | applies.                              |"},{"line_number":217,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":218,"context_line":""},{"line_number":219,"context_line":".. 
note:: An ``auditor`` role has not been proposed in this work, but *does*"},{"line_number":220,"context_line":"   make eventual sense in the long term, and should be logically considered as"},{"line_number":221,"context_line":"   reader does not equal an auditor in role. The concept for ``auditor`` would"}],"source_content_type":"text/x-rst","patch_set":8,"id":"38352c3f_5cba6e3a","line":218,"in_reply_to":"d2bccfe0_27d495a0","updated":"2021-01-26 22:54:45.000000000","message":"I\u0027m not sure I entirely agree that matching the lessee_id will automatically grant \"unfettered\" access to the node. At least that is how I\u0027m kind of perceiving the suggestion. That being said, I do like the idea of how your conveying it and I don\u0027t think either should be matching... I just suspect it is easy to perceive it as such. Neither should get used at the same and the rules get or-ed together.","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cec0a666d2833c726314bd8bc46226dd4211b0e3","unresolved":true,"context_lines":[{"line_number":255,"context_line":"cannot be permitted to be visible via the API surface."},{"line_number":256,"context_line":""},{"line_number":257,"context_line":"End API user behavior is not anticipated to be changed, however with scope"},{"line_number":258,"context_line":"enforcement set in ``oslo.policy``, an appropriately scoped user will be"},{"line_number":259,"context_line":"required."},{"line_number":260,"context_line":""},{"line_number":261,"context_line":"System Scope"},{"line_number":262,"context_line":"~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":8,"id":"b310c22e_ad9193af","line":259,"range":{"start_line":258,"start_character":36,"end_line":259,"end_character":9},"updated":"2021-01-13 18:05:14.000000000","message":"In case it helps, keystone accounts for this when you run ``keystone-manage 
bootstrap``, which ensures a user exists and they have the admin role on a project and the system.\n\nI checked our documentation and we actually don\u0027t mention this, but we should [0]. I proposed a patch to fix this [1].\n\n[0] https://docs.openstack.org/keystone/latest/admin/bootstrap.html\n[1] https://review.opendev.org/c/openstack/keystone/+/770651","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de2898e02d73bcb01f96367f8cbb2f96b93cfd4d","unresolved":true,"context_lines":[{"line_number":255,"context_line":"cannot be permitted to be visible via the API surface."},{"line_number":256,"context_line":""},{"line_number":257,"context_line":"End API user behavior is not anticipated to be changed, however with scope"},{"line_number":258,"context_line":"enforcement set in ``oslo.policy``, an appropriately scoped user will be"},{"line_number":259,"context_line":"required."},{"line_number":260,"context_line":""},{"line_number":261,"context_line":"System Scope"},{"line_number":262,"context_line":"~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":8,"id":"86a85a6f_fcc4b939","line":259,"range":{"start_line":258,"start_character":36,"end_line":259,"end_character":9},"in_reply_to":"b310c22e_ad9193af","updated":"2021-01-26 22:54:45.000000000","message":"Okay, Thanks for updating the keystone doc. I\u0027m not sure it really matters to mention much more what has been stated though since actual details like that are implementation details of the cloud authentication infrastructure, we just need something to be valid and matching the rules. 
I hope.","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cec0a666d2833c726314bd8bc46226dd4211b0e3","unresolved":true,"context_lines":[{"line_number":267,"context_line":""},{"line_number":268,"context_line":"The addition to this scope is the ``member`` role concept. This is a user"},{"line_number":269,"context_line":"who can *Read* and *Update*, but that cannot *Create* or *Delete*"},{"line_number":270,"context_line":"records. In other words, the API consumer can deploy a node, they can update"},{"line_number":271,"context_line":"a node, but they are unable to remove a node. They should be able to"},{"line_number":272,"context_line":"attach/detach VIFs, and ultimately this should be able to be the rights"},{"line_number":273,"context_line":"granted to the service account used by the ``nova-compute`` process."},{"line_number":274,"context_line":""},{"line_number":275,"context_line":"A user with a system scope of any valid role type should be anticipated as"},{"line_number":276,"context_line":"having full API surface visibility with exception of the special purpose"}],"source_content_type":"text/x-rst","patch_set":8,"id":"1cd39812_5eb43239","line":273,"range":{"start_line":270,"start_character":9,"end_line":273,"end_character":68},"updated":"2021-01-13 18:05:14.000000000","message":"Is ironic going to implement this behavior by default?","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de2898e02d73bcb01f96367f8cbb2f96b93cfd4d","unresolved":true,"context_lines":[{"line_number":267,"context_line":""},{"line_number":268,"context_line":"The addition to this scope is the ``member`` role concept. 
This is a user"},{"line_number":269,"context_line":"who can *Read* and *Update*, but that cannot *Create* or *Delete*"},{"line_number":270,"context_line":"records. In other words, the API consumer can deploy a node, they can update"},{"line_number":271,"context_line":"a node, but they are unable to remove a node. They should be able to"},{"line_number":272,"context_line":"attach/detach VIFs, and ultimately this should be able to be the rights"},{"line_number":273,"context_line":"granted to the service account used by the ``nova-compute`` process."},{"line_number":274,"context_line":""},{"line_number":275,"context_line":"A user with a system scope of any valid role type should be anticipated as"},{"line_number":276,"context_line":"having full API surface visibility with exception of the special purpose"}],"source_content_type":"text/x-rst","patch_set":8,"id":"914f931a_0cbef47a","line":273,"range":{"start_line":270,"start_character":9,"end_line":273,"end_character":68},"in_reply_to":"1cd39812_5eb43239","updated":"2021-01-26 22:54:45.000000000","message":"Ultimately if nova can toggle a vif attachment using say a member account, it should be possible basically immediately as soon as system scope is implemented.","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"e1fbcde4b15bcbe6975b1f13ce93490f19ce7398","unresolved":true,"context_lines":[{"line_number":322,"context_line":"create or delete any records."},{"line_number":323,"context_line":""},{"line_number":324,"context_line":"Project scoped readers, again would only have a limited field view"},{"line_number":325,"context_line":"with the associated ``is_node_lessee`` or ``is_node_owner``."},{"line_number":326,"context_line":""},{"line_number":327,"context_line":"Endpoint Access 
Rights"},{"line_number":328,"context_line":"~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":8,"id":"6c498517_b5efe8b0","line":325,"updated":"2021-01-11 23:11:34.000000000","message":"For my understanding, how do we handle this use case?\n\n* Project A is the owner of Node 1; they have the `admin` role for project A\n* Project B is the owner of Node 2; they have the `admin` role for project B\n* Project A becomes the lessee of Node 2\n\nWhat combination of permissions gives A Project-Admin access to Node 1, and Project-Member access to Node 2?","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cec0a666d2833c726314bd8bc46226dd4211b0e3","unresolved":true,"context_lines":[{"line_number":322,"context_line":"create or delete any records."},{"line_number":323,"context_line":""},{"line_number":324,"context_line":"Project scoped readers, again would only have a limited field view"},{"line_number":325,"context_line":"with the associated ``is_node_lessee`` or ``is_node_owner``."},{"line_number":326,"context_line":""},{"line_number":327,"context_line":"Endpoint Access Rights"},{"line_number":328,"context_line":"~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":8,"id":"cee8e504_0f5ee1e4","line":325,"in_reply_to":"6c498517_b5efe8b0","updated":"2021-01-13 18:05:14.000000000","message":"I\u0027m going to make up some values here for the sake of an example.\n\nLet\u0027s assume Alice is an administrator of Project A she should have owner rights on Node 1 and lessee rights on Node 2.\n\nLet\u0027s also assume ironic has a policy, called `ironic:foo`, that protects an API intended for system users and baremetal owners. 
Ironic also has a policy, called `ironic:bar`, that protects an API that should be exposed to system users, baremetal owners, and lessees.\n\nWe could write policy checks in the following way:\n\n  \"ironic:foo\": \"(role:admin and system_scope:all) or (role:admin and project_id:%(owner)s)\"\n\nThe above policy will:\n\n* allow Alice to call the API protected by `ironic:foo` on Node 1 because her token is scoped to Project A, which is the owning project of Node 1\n* prevent Alice from calling the API protected by `ironic:foo` on Node 2 because her token is scoped to Project A, which is the lessee of Node 2\n\nWe can write a policy for `ironic:bar` to expose functionality for Node 2:\n\n  \"ironic:bar\": \"(role:admin and system_scope:all) or (role:admin and project_id:%(owner)s) or (role:member and project_id:%(lessee)s))\"\n\nThe above policy will:\n\n* allow Alice to call the API protected by `ironic:bar` on Node 2 because her token is scoped to Project A, which is the lessee of Node 2","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cec0a666d2833c726314bd8bc46226dd4211b0e3","unresolved":true,"context_lines":[{"line_number":346,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":347,"context_line":"| /v1/nodes/{uuid}                   | Filtered view and access rights        |"},{"line_number":348,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":349,"context_line":"| /v1/nodes/{uuid}/vendor_passthru   | No, Will not be permitted as this is a |"},{"line_number":350,"context_line":"|                                    | open-ended vendor mechanism interface. 
|"},{"line_number":351,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":352,"context_line":"| /v1/nodes/{uuid}/traits            | Yes, Read-only                         |"}],"source_content_type":"text/x-rst","patch_set":8,"id":"2355c115_5b026a95","line":349,"range":{"start_line":349,"start_character":2,"end_line":349,"end_character":34},"updated":"2021-01-13 18:05:14.000000000","message":"So this is going to be restricted to system users?","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de2898e02d73bcb01f96367f8cbb2f96b93cfd4d","unresolved":true,"context_lines":[{"line_number":346,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":347,"context_line":"| /v1/nodes/{uuid}                   | Filtered view and access rights        |"},{"line_number":348,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":349,"context_line":"| /v1/nodes/{uuid}/vendor_passthru   | No, Will not be permitted as this is a |"},{"line_number":350,"context_line":"|                                    | open-ended vendor mechanism interface. 
|"},{"line_number":351,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":352,"context_line":"| /v1/nodes/{uuid}/traits            | Yes, Read-only                         |"}],"source_content_type":"text/x-rst","patch_set":8,"id":"377b72c9_18b65703","line":349,"range":{"start_line":349,"start_character":2,"end_line":349,"end_character":34},"in_reply_to":"2355c115_5b026a95","updated":"2021-01-26 22:54:45.000000000","message":"system scope, admin users only.","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cec0a666d2833c726314bd8bc46226dd4211b0e3","unresolved":true,"context_lines":[{"line_number":484,"context_line":"                  scoped users in the RBAC model."},{"line_number":485,"context_line":""},{"line_number":486,"context_line":".. note:: All fields that are scrubed, i.e. set to None or {} are expected"},{"line_number":487,"context_line":"          to be read-only fields to proejct scoped accounts in the new"},{"line_number":488,"context_line":"          RBAC model."},{"line_number":489,"context_line":""},{"line_number":490,"context_line":"Client (CLI) impact"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7670d82a_a8739c7f","line":487,"range":{"start_line":487,"start_character":36,"end_line":487,"end_character":43},"updated":"2021-01-13 18:05:14.000000000","message":"nit: project*","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de2898e02d73bcb01f96367f8cbb2f96b93cfd4d","unresolved":false,"context_lines":[{"line_number":484,"context_line":"                  scoped users in the RBAC model."},{"line_number":485,"context_line":""},{"line_number":486,"context_line":".. 
note:: All fields that are scrubed, i.e. set to None or {} are expected"},{"line_number":487,"context_line":"          to be read-only fields to proejct scoped accounts in the new"},{"line_number":488,"context_line":"          RBAC model."},{"line_number":489,"context_line":""},{"line_number":490,"context_line":"Client (CLI) impact"}],"source_content_type":"text/x-rst","patch_set":8,"id":"dfaeef9b_02c27a4e","line":487,"range":{"start_line":487,"start_character":36,"end_line":487,"end_character":43},"in_reply_to":"7670d82a_a8739c7f","updated":"2021-01-26 22:54:45.000000000","message":"Done","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cec0a666d2833c726314bd8bc46226dd4211b0e3","unresolved":true,"context_lines":[{"line_number":518,"context_line":"------------------"},{"line_number":519,"context_line":""},{"line_number":520,"context_line":"We may wish to go ahead and establish the ability for nova to store the"},{"line_number":521,"context_line":"user\u0027s project ID in the node ``lessee`` field. In the new use model,"},{"line_number":522,"context_line":"this would allow a more \"natural\" use pattern and allow users to be able"},{"line_number":523,"context_line":"to leverage aspects like power operations or reboot or possibly even rebuild"},{"line_number":524,"context_line":"of their deployed instances."},{"line_number":525,"context_line":""},{"line_number":526,"context_line":".. TODO:: We should discuss this further. 
It likely just ought to be a"},{"line_number":527,"context_line":"   knob for nova-compute with the Ironic virt driver."}],"source_content_type":"text/x-rst","patch_set":8,"id":"847ce2f0_5e0956a6","line":524,"range":{"start_line":521,"start_character":48,"end_line":524,"end_character":28},"updated":"2021-01-13 18:05:14.000000000","message":"Nice","commit_id":"8b2f0a66a1a9bfec5f90a26d0682abaa363f02e9"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"d62358b8990088b08432f4b93014129737fbc4a8","unresolved":true,"context_lines":[{"line_number":68,"context_line":"           for automated processes/reporting."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":".. note:: Additional details on default role definitions is covered in the"},{"line_number":71,"context_line":"   `Keystone speification \"define default roles\" \u003chttps://specs.openstack.org/openstack/keystonesspecs/specs/keystone/rocky/define-default-roles.html\u003e`_ or"},{"line_number":72,"context_line":"   the `Keystone administrator\u0027s guide \u003chttps://docs.openstack.org/keystone/latest/admin/service-api-protection.html\u003e`_."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":".. note:: A future potential is that an ``auditor`` role may exist, but it"}],"source_content_type":"text/x-rst","patch_set":9,"id":"b9032bdc_1332ab41","line":71,"updated":"2021-01-26 19:45:31.000000000","message":"nit s/speification/specification/","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"09040ce20ba0f9a664aee68b5932ee63e7606d58","unresolved":false,"context_lines":[{"line_number":68,"context_line":"           for automated processes/reporting."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":".. 
note:: Additional details on default role definitions is covered in the"},{"line_number":71,"context_line":"   `Keystone speification \"define default roles\" \u003chttps://specs.openstack.org/openstack/keystonesspecs/specs/keystone/rocky/define-default-roles.html\u003e`_ or"},{"line_number":72,"context_line":"   the `Keystone administrator\u0027s guide \u003chttps://docs.openstack.org/keystone/latest/admin/service-api-protection.html\u003e`_."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":".. note:: A future potential is that an ``auditor`` role may exist, but it"}],"source_content_type":"text/x-rst","patch_set":9,"id":"a89d64a7_23fbc9f3","line":71,"in_reply_to":"b9032bdc_1332ab41","updated":"2021-01-27 23:15:13.000000000","message":"Done","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"d62358b8990088b08432f4b93014129737fbc4a8","unresolved":true,"context_lines":[{"line_number":73,"context_line":""},{"line_number":74,"context_line":".. note:: A future potential is that an ``auditor`` role may exist, but it"},{"line_number":75,"context_line":"   would *not* match readers. Auditors would be read-only in nature, but their"},{"line_number":76,"context_line":"   role would likely allow sensitive values to be unmasked. This has not"},{"line_number":77,"context_line":"   been decided upon, and depending on service configuration could likely be"},{"line_number":78,"context_line":"   implemented manually with a custom policy file. That being said,"},{"line_number":79,"context_line":"   this is out of scope of this specification document at this time."}],"source_content_type":"text/x-rst","patch_set":9,"id":"3553633a_b4253efc","line":76,"updated":"2021-01-26 19:45:31.000000000","message":"this is a good point. We might want to mention this, that reader, member and admin? 
cannot see sensitive values (although I think ironic has some configs to allow/disallow, can\u0027t recall now).","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"51778496aa628cffd86e397641ec0825e76cfe99","unresolved":true,"context_lines":[{"line_number":73,"context_line":""},{"line_number":74,"context_line":".. note:: A future potential is that an ``auditor`` role may exist, but it"},{"line_number":75,"context_line":"   would *not* match readers. Auditors would be read-only in nature, but their"},{"line_number":76,"context_line":"   role would likely allow sensitive values to be unmasked. This has not"},{"line_number":77,"context_line":"   been decided upon, and depending on service configuration could likely be"},{"line_number":78,"context_line":"   implemented manually with a custom policy file. That being said,"},{"line_number":79,"context_line":"   this is out of scope of this specification document at this time."}],"source_content_type":"text/x-rst","patch_set":9,"id":"2e1a5928_af270403","line":76,"in_reply_to":"206969f6_9b150a8b","updated":"2021-01-27 17:44:13.000000000","message":"Perfect, Thanks","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"09040ce20ba0f9a664aee68b5932ee63e7606d58","unresolved":false,"context_lines":[{"line_number":73,"context_line":""},{"line_number":74,"context_line":".. note:: A future potential is that an ``auditor`` role may exist, but it"},{"line_number":75,"context_line":"   would *not* match readers. Auditors would be read-only in nature, but their"},{"line_number":76,"context_line":"   role would likely allow sensitive values to be unmasked. 
This has not"},{"line_number":77,"context_line":"   been decided upon, and depending on service configuration could likely be"},{"line_number":78,"context_line":"   implemented manually with a custom policy file. That being said,"},{"line_number":79,"context_line":"   this is out of scope of this specification document at this time."}],"source_content_type":"text/x-rst","patch_set":9,"id":"f378e6e3_e3c0bbb6","line":76,"in_reply_to":"2e1a5928_af270403","updated":"2021-01-27 23:15:13.000000000","message":"Done","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de2898e02d73bcb01f96367f8cbb2f96b93cfd4d","unresolved":true,"context_lines":[{"line_number":73,"context_line":""},{"line_number":74,"context_line":".. note:: A future potential is that an ``auditor`` role may exist, but it"},{"line_number":75,"context_line":"   would *not* match readers. Auditors would be read-only in nature, but their"},{"line_number":76,"context_line":"   role would likely allow sensitive values to be unmasked. This has not"},{"line_number":77,"context_line":"   been decided upon, and depending on service configuration could likely be"},{"line_number":78,"context_line":"   implemented manually with a custom policy file. 
That being said,"},{"line_number":79,"context_line":"   this is out of scope of this specification document at this time."}],"source_content_type":"text/x-rst","patch_set":9,"id":"97ddd51e_6ed6396e","line":76,"in_reply_to":"3553633a_b4253efc","updated":"2021-01-26 22:54:45.000000000","message":"We do, it is an older style policy rule that can be passed in through a policy definition, if memory serves.","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3d714caa78cba200b4200b634db800988f931684","unresolved":true,"context_lines":[{"line_number":73,"context_line":""},{"line_number":74,"context_line":".. note:: A future potential is that an ``auditor`` role may exist, but it"},{"line_number":75,"context_line":"   would *not* match readers. Auditors would be read-only in nature, but their"},{"line_number":76,"context_line":"   role would likely allow sensitive values to be unmasked. This has not"},{"line_number":77,"context_line":"   been decided upon, and depending on service configuration could likely be"},{"line_number":78,"context_line":"   implemented manually with a custom policy file. 
That being said,"},{"line_number":79,"context_line":"   this is out of scope of this specification document at this time."}],"source_content_type":"text/x-rst","patch_set":9,"id":"206969f6_9b150a8b","line":76,"in_reply_to":"97ddd51e_6ed6396e","updated":"2021-01-27 13:34:23.000000000","message":"We attempted to clarify this in keystone documentation directly - in case it\u0027s helpful:\n\nhttps://review.opendev.org/c/openstack/keystone/+/771509","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"d62358b8990088b08432f4b93014129737fbc4a8","unresolved":true,"context_lines":[{"line_number":107,"context_line":"scope delineated access, being ``Keystone`` and ``Nova`` as of the point"},{"line_number":108,"context_line":"in which this specification was authored."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"Coincidently there is a desire from larger OpenStack operators to"},{"line_number":111,"context_line":"have the ability to delineate access. 
In other words permit operations"},{"line_number":112,"context_line":"centers to be able to view status, but not be able to act upon nodes."},{"line_number":113,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"245afc4a_186ed7ab","line":110,"updated":"2021-01-26 19:45:31.000000000","message":"s/Coincidently/Coincidentally/","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"09040ce20ba0f9a664aee68b5932ee63e7606d58","unresolved":false,"context_lines":[{"line_number":107,"context_line":"scope delineated access, being ``Keystone`` and ``Nova`` as of the point"},{"line_number":108,"context_line":"in which this specification was authored."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"Coincidently there is a desire from larger OpenStack operators to"},{"line_number":111,"context_line":"have the ability to delineate access. In other words permit operations"},{"line_number":112,"context_line":"centers to be able to view status, but not be able to act upon nodes."},{"line_number":113,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"bc620996_2342972e","line":110,"in_reply_to":"245afc4a_186ed7ab","updated":"2021-01-27 23:15:13.000000000","message":"Done","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"d62358b8990088b08432f4b93014129737fbc4a8","unresolved":true,"context_lines":[{"line_number":109,"context_line":""},{"line_number":110,"context_line":"Coincidently there is a desire from larger OpenStack operators to"},{"line_number":111,"context_line":"have the ability to delineate access. 
In other words permit operations"},{"line_number":112,"context_line":"centers to be able to view status, but not be able to act upon nodes."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"As projects within OpenStack implement Scope and Role delineation, and"},{"line_number":115,"context_line":"enable scope based access restriction, a risk exists that Ironic will"}],"source_content_type":"text/x-rst","patch_set":9,"id":"9097778e_628edae2","line":112,"updated":"2021-01-26 19:45:31.000000000","message":"so \u0027reader\u0027 role in a scope beyond \u0027project\u0027? Isn\u0027t that \u0027domain\u0027 or \u0027global\u0027 (the \u0027global scope vs system scope\u0027 in https://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html#problem-description).","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3d714caa78cba200b4200b634db800988f931684","unresolved":true,"context_lines":[{"line_number":109,"context_line":""},{"line_number":110,"context_line":"Coincidently there is a desire from larger OpenStack operators to"},{"line_number":111,"context_line":"have the ability to delineate access. In other words permit operations"},{"line_number":112,"context_line":"centers to be able to view status, but not be able to act upon nodes."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"As projects within OpenStack implement Scope and Role delineation, and"},{"line_number":115,"context_line":"enable scope based access restriction, a risk exists that Ironic will"}],"source_content_type":"text/x-rst","patch_set":9,"id":"c019e017_2a3fc23b","line":112,"in_reply_to":"076f35fe_da5bba4d","updated":"2021-01-27 13:34:23.000000000","message":"\u003e So I think one could use global and system scope almost interchangably. 
At least reading the text I\u0027m kind of groking that as \"we couldn\u0027t decide on a name, we were originally going to call it global and then decided that was the root of all things so settled on system\".\n\nIn a way, yeah. We leaned toward system since it helps us break it apart into services eventually. Keystone never formalized global roles assignments like we did with system role assignments.","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de2898e02d73bcb01f96367f8cbb2f96b93cfd4d","unresolved":true,"context_lines":[{"line_number":109,"context_line":""},{"line_number":110,"context_line":"Coincidently there is a desire from larger OpenStack operators to"},{"line_number":111,"context_line":"have the ability to delineate access. In other words permit operations"},{"line_number":112,"context_line":"centers to be able to view status, but not be able to act upon nodes."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"As projects within OpenStack implement Scope and Role delineation, and"},{"line_number":115,"context_line":"enable scope based access restriction, a risk exists that Ironic will"}],"source_content_type":"text/x-rst","patch_set":9,"id":"076f35fe_da5bba4d","line":112,"in_reply_to":"9097778e_628edae2","updated":"2021-01-26 22:54:45.000000000","message":"So I think one could use global and system scope almost interchangably. 
At least reading the text I\u0027m kind of groking that as \"we couldn\u0027t decide on a name, we were originally going to call it global and then decided that was the root of all things so settled on system\".","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"09040ce20ba0f9a664aee68b5932ee63e7606d58","unresolved":false,"context_lines":[{"line_number":109,"context_line":""},{"line_number":110,"context_line":"Coincidently there is a desire from larger OpenStack operators to"},{"line_number":111,"context_line":"have the ability to delineate access. In other words permit operations"},{"line_number":112,"context_line":"centers to be able to view status, but not be able to act upon nodes."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"As projects within OpenStack implement Scope and Role delineation, and"},{"line_number":115,"context_line":"enable scope based access restriction, a risk exists that Ironic will"}],"source_content_type":"text/x-rst","patch_set":9,"id":"0e62381f_1b73aad5","line":112,"in_reply_to":"c019e017_2a3fc23b","updated":"2021-01-27 23:15:13.000000000","message":"Revised this text some for clarity.","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"d62358b8990088b08432f4b93014129737fbc4a8","unresolved":true,"context_lines":[{"line_number":163,"context_line":""},{"line_number":164,"context_line":"In order to have a consistent use pattern moving forward, the existing"},{"line_number":165,"context_line":"role definitions of ``baremetal_admin`` and ``baremetal_reader`` will be"},{"line_number":166,"context_line":"be deprecated and removed, however they will also not be effective"},{"line_number":167,"context_line":"once 
the ``[oslo_policy]enforce_scope`` and"},{"line_number":168,"context_line":"``[oslo_policy]enforce_new_defaults`` parameters are set to ``True``."},{"line_number":169,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"face03fa_13783bed","line":166,"updated":"2021-01-26 19:45:31.000000000","message":"s/be deprecated/deprecated/","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"09040ce20ba0f9a664aee68b5932ee63e7606d58","unresolved":false,"context_lines":[{"line_number":163,"context_line":""},{"line_number":164,"context_line":"In order to have a consistent use pattern moving forward, the existing"},{"line_number":165,"context_line":"role definitions of ``baremetal_admin`` and ``baremetal_reader`` will be"},{"line_number":166,"context_line":"be deprecated and removed, however they will also not be effective"},{"line_number":167,"context_line":"once the ``[oslo_policy]enforce_scope`` and"},{"line_number":168,"context_line":"``[oslo_policy]enforce_new_defaults`` parameters are set to ``True``."},{"line_number":169,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"68831df3_289a7ec5","line":166,"in_reply_to":"face03fa_13783bed","updated":"2021-01-27 23:15:13.000000000","message":"Done","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"d62358b8990088b08432f4b93014129737fbc4a8","unresolved":true,"context_lines":[{"line_number":175,"context_line":"that will likely require adjacent/integrated projects to change their policy"},{"line_number":176,"context_line":"enforcement."},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"In terms of ``ironic-inspector`` and it\u0027s API, the resulting default 
policies"},{"line_number":179,"context_line":"for this effort would be entirely system scoped and no other scope is"},{"line_number":180,"context_line":"anticipated to need implementation as the ``ironic-inspector`` is"},{"line_number":181,"context_line":"an purely an admin-only and hardware data collection oriented service."}],"source_content_type":"text/x-rst","patch_set":9,"id":"681ad331_1db4f28b","line":178,"updated":"2021-01-26 19:45:31.000000000","message":"s/it\u0027s/its/","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"09040ce20ba0f9a664aee68b5932ee63e7606d58","unresolved":false,"context_lines":[{"line_number":175,"context_line":"that will likely require adjacent/integrated projects to change their policy"},{"line_number":176,"context_line":"enforcement."},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"In terms of ``ironic-inspector`` and it\u0027s API, the resulting default policies"},{"line_number":179,"context_line":"for this effort would be entirely system scoped and no other scope is"},{"line_number":180,"context_line":"anticipated to need implementation as the ``ironic-inspector`` is"},{"line_number":181,"context_line":"an purely an admin-only and hardware data collection oriented service."}],"source_content_type":"text/x-rst","patch_set":9,"id":"7464ff69_5d23329d","line":178,"in_reply_to":"681ad331_1db4f28b","updated":"2021-01-27 23:15:13.000000000","message":"Done","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"d62358b8990088b08432f4b93014129737fbc4a8","unresolved":true,"context_lines":[{"line_number":177,"context_line":""},{"line_number":178,"context_line":"In terms of ``ironic-inspector`` and it\u0027s API, the 
resulting default policies"},{"line_number":179,"context_line":"for this effort would be entirely system scoped and no other scope is"},{"line_number":180,"context_line":"anticipated to need implementation as the ``ironic-inspector`` is"},{"line_number":181,"context_line":"an purely an admin-only and hardware data collection oriented service."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"High level matrix"}],"source_content_type":"text/x-rst","patch_set":9,"id":"6f5b03f3_9633f81d","line":180,"updated":"2021-01-26 19:45:31.000000000","message":"I wonder if there is some use case where someone might want to use ironic-inspector to inspect \u0027their\u0027 nodes. I think that as long as we leave the door open so that we COULD add non-system scope later, we\u0027re good.","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"09040ce20ba0f9a664aee68b5932ee63e7606d58","unresolved":false,"context_lines":[{"line_number":177,"context_line":""},{"line_number":178,"context_line":"In terms of ``ironic-inspector`` and it\u0027s API, the resulting default policies"},{"line_number":179,"context_line":"for this effort would be entirely system scoped and no other scope is"},{"line_number":180,"context_line":"anticipated to need implementation as the ``ironic-inspector`` is"},{"line_number":181,"context_line":"an purely an admin-only and hardware data collection oriented service."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"High level matrix"}],"source_content_type":"text/x-rst","patch_set":9,"id":"414ebd24_ed5e6cbe","line":180,"in_reply_to":"0260276d_afd663e4","updated":"2021-01-27 23:15:13.000000000","message":"Adding a note to this effect, I love a lot of the ideas and discussion coming forth. 
I think some may forever be masked as todo items, but notes kind of make sense for this specific case.","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"51778496aa628cffd86e397641ec0825e76cfe99","unresolved":true,"context_lines":[{"line_number":177,"context_line":""},{"line_number":178,"context_line":"In terms of ``ironic-inspector`` and it\u0027s API, the resulting default policies"},{"line_number":179,"context_line":"for this effort would be entirely system scoped and no other scope is"},{"line_number":180,"context_line":"anticipated to need implementation as the ``ironic-inspector`` is"},{"line_number":181,"context_line":"an purely an admin-only and hardware data collection oriented service."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"High level matrix"}],"source_content_type":"text/x-rst","patch_set":9,"id":"0260276d_afd663e4","line":180,"in_reply_to":"6f5b03f3_9633f81d","updated":"2021-01-27 17:44:13.000000000","message":"That is a good point, but I think a distinct feature in the grand scheme of the universe.","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"d62358b8990088b08432f4b93014129737fbc4a8","unresolved":true,"context_lines":[{"line_number":178,"context_line":"In terms of ``ironic-inspector`` and it\u0027s API, the resulting default policies"},{"line_number":179,"context_line":"for this effort would be entirely system scoped and no other scope is"},{"line_number":180,"context_line":"anticipated to need implementation as the ``ironic-inspector`` is"},{"line_number":181,"context_line":"an purely an admin-only and hardware data collection oriented 
service."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"High level matrix"},{"line_number":184,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"c7beb618_b3cdd3b0","line":181,"updated":"2021-01-26 19:45:31.000000000","message":"s/an purely/purely/","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"09040ce20ba0f9a664aee68b5932ee63e7606d58","unresolved":false,"context_lines":[{"line_number":178,"context_line":"In terms of ``ironic-inspector`` and it\u0027s API, the resulting default policies"},{"line_number":179,"context_line":"for this effort would be entirely system scoped and no other scope is"},{"line_number":180,"context_line":"anticipated to need implementation as the ``ironic-inspector`` is"},{"line_number":181,"context_line":"an purely an admin-only and hardware data collection oriented service."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"High level matrix"},{"line_number":184,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"fc517daa_68c6b7ec","line":181,"in_reply_to":"c7beb618_b3cdd3b0","updated":"2021-01-27 23:15:13.000000000","message":"Done","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"d62358b8990088b08432f4b93014129737fbc4a8","unresolved":true,"context_lines":[{"line_number":186,"context_line":"The table below utilizes two definitions which hail back to the existing"},{"line_number":187,"context_line":"multitenancy work that is present in ironic. 
They are not the proposed new"},{"line_number":188,"context_line":"name, but used to provide conceptual understanding of what the alignment"},{"line_number":189,"context_line":"of the policy rule reprsents since there are technically several different"},{"line_number":190,"context_line":"access matrixies based upon the variation and ultimately the agreement"},{"line_number":191,"context_line":"reached within the community. The end name may be something similar, but"},{"line_number":192,"context_line":"that is an implementation naming decision, not higher level design"}],"source_content_type":"text/x-rst","patch_set":9,"id":"0f3d5773_74fcd9b3","line":189,"updated":"2021-01-26 19:45:31.000000000","message":"s/reprsents/represents/","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"09040ce20ba0f9a664aee68b5932ee63e7606d58","unresolved":false,"context_lines":[{"line_number":186,"context_line":"The table below utilizes two definitions which hail back to the existing"},{"line_number":187,"context_line":"multitenancy work that is present in ironic. They are not the proposed new"},{"line_number":188,"context_line":"name, but used to provide conceptual understanding of what the alignment"},{"line_number":189,"context_line":"of the policy rule reprsents since there are technically several different"},{"line_number":190,"context_line":"access matrixies based upon the variation and ultimately the agreement"},{"line_number":191,"context_line":"reached within the community. 
The end name may be something similar, but"},{"line_number":192,"context_line":"that is an implementation naming decision, not higher level design"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1b17fbf1_fc2d1895","line":189,"in_reply_to":"0f3d5773_74fcd9b3","updated":"2021-01-27 23:15:13.000000000","message":"Done","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"d62358b8990088b08432f4b93014129737fbc4a8","unresolved":true,"context_lines":[{"line_number":187,"context_line":"multitenancy work that is present in ironic. They are not the proposed new"},{"line_number":188,"context_line":"name, but used to provide conceptual understanding of what the alignment"},{"line_number":189,"context_line":"of the policy rule reprsents since there are technically several different"},{"line_number":190,"context_line":"access matrixies based upon the variation and ultimately the agreement"},{"line_number":191,"context_line":"reached within the community. The end name may be something similar, but"},{"line_number":192,"context_line":"that is an implementation naming decision, not higher level design"},{"line_number":193,"context_line":"decision."}],"source_content_type":"text/x-rst","patch_set":9,"id":"ffb2c5b6_cf6c9d9f","line":190,"updated":"2021-01-26 19:45:31.000000000","message":"s/matrixies/matrices/","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"09040ce20ba0f9a664aee68b5932ee63e7606d58","unresolved":false,"context_lines":[{"line_number":187,"context_line":"multitenancy work that is present in ironic. 
They are not the proposed new"},{"line_number":188,"context_line":"name, but used to provide conceptual understanding of what the alignment"},{"line_number":189,"context_line":"of the policy rule reprsents since there are technically several different"},{"line_number":190,"context_line":"access matrixies based upon the variation and ultimately the agreement"},{"line_number":191,"context_line":"reached within the community. The end name may be something similar, but"},{"line_number":192,"context_line":"that is an implementation naming decision, not higher level design"},{"line_number":193,"context_line":"decision."}],"source_content_type":"text/x-rst","patch_set":9,"id":"03802d9f_c9b3f402","line":190,"in_reply_to":"ffb2c5b6_cf6c9d9f","updated":"2021-01-27 23:15:13.000000000","message":"Done","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"d62358b8990088b08432f4b93014129737fbc4a8","unresolved":true,"context_lines":[{"line_number":194,"context_line":""},{"line_number":195,"context_line":"* `is_node_owner` - When the API consumer\u0027s project ID value is populated in"},{"line_number":196,"context_line":"                    the Ironic node object\u0027s ``owner`` field. 
This represents"},{"line_number":197,"context_line":"                    they are the authoritative"},{"line_number":198,"context_line":"                    `owner \u003chttps://specs.openstack.org/openstack/ironic-specs/specs/approved/node-owner-policy.html\u003e`_"},{"line_number":199,"context_line":"                    of the baremetal node."},{"line_number":200,"context_line":"* `is_node_lessee` - When the API consumer\u0027s project ID value is populated in"}],"source_content_type":"text/x-rst","patch_set":9,"id":"a4c23d8e_d74110b5","line":197,"updated":"2021-01-26 19:45:31.000000000","message":"s/they/that they/","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"09040ce20ba0f9a664aee68b5932ee63e7606d58","unresolved":false,"context_lines":[{"line_number":194,"context_line":""},{"line_number":195,"context_line":"* `is_node_owner` - When the API consumer\u0027s project ID value is populated in"},{"line_number":196,"context_line":"                    the Ironic node object\u0027s ``owner`` field. 
This represents"},{"line_number":197,"context_line":"                    they are the authoritative"},{"line_number":198,"context_line":"                    `owner \u003chttps://specs.openstack.org/openstack/ironic-specs/specs/approved/node-owner-policy.html\u003e`_"},{"line_number":199,"context_line":"                    of the baremetal node."},{"line_number":200,"context_line":"* `is_node_lessee` - When the API consumer\u0027s project ID value is populated in"}],"source_content_type":"text/x-rst","patch_set":9,"id":"7a34e067_4106e5fb","line":197,"in_reply_to":"a4c23d8e_d74110b5","updated":"2021-01-27 23:15:13.000000000","message":"Done","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"51778496aa628cffd86e397641ec0825e76cfe99","unresolved":true,"context_lines":[{"line_number":294,"context_line":"`Project Scope`_ based access where nodes will only be visible if owner"},{"line_number":295,"context_line":"or lessee are populated."},{"line_number":296,"context_line":""},{"line_number":297,"context_line":".. TODO:: Follow-up with neutron regarding port attach/detach."},{"line_number":298,"context_line":""},{"line_number":299,"context_line":".. TODO:: Follow-up with Cinder regarding volume attach/detach."},{"line_number":300,"context_line":""},{"line_number":301,"context_line":".. 
TODO:: Follow-up with Nova regarding rights passed through on context."},{"line_number":302,"context_line":""},{"line_number":303,"context_line":"Project Scope"},{"line_number":304,"context_line":"~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":9,"id":"2d5addd1_31be692f","line":301,"range":{"start_line":297,"start_character":0,"end_line":301,"end_character":73},"updated":"2021-01-27 17:44:13.000000000","message":"In a couple follow-up discussions, it became clear that these may not be answered questions out of the gate, that the initial focus is largely to move current admin scope to system scope, project scope will fall into play and transmission of user context between services needs to be carefully handled. We\u0027ve had to revisit that twice before, and it all comes down to the originator if memory serves, but again, thought, discussion, follow-up will be required after we can get at least system scope moved over.","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"09040ce20ba0f9a664aee68b5932ee63e7606d58","unresolved":false,"context_lines":[{"line_number":294,"context_line":"`Project Scope`_ based access where nodes will only be visible if owner"},{"line_number":295,"context_line":"or lessee are populated."},{"line_number":296,"context_line":""},{"line_number":297,"context_line":".. TODO:: Follow-up with neutron regarding port attach/detach."},{"line_number":298,"context_line":""},{"line_number":299,"context_line":".. TODO:: Follow-up with Cinder regarding volume attach/detach."},{"line_number":300,"context_line":""},{"line_number":301,"context_line":".. 
TODO:: Follow-up with Nova regarding rights passed through on context."},{"line_number":302,"context_line":""},{"line_number":303,"context_line":"Project Scope"},{"line_number":304,"context_line":"~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":9,"id":"239e8c55_03ae5611","line":301,"range":{"start_line":297,"start_character":0,"end_line":301,"end_character":73},"in_reply_to":"2d5addd1_31be692f","updated":"2021-01-27 23:15:13.000000000","message":"Done","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":32177,"name":"Jacob Anders","email":"jacob-anders-dev@proton.me","username":"janders"},"change_message_id":"0f1af3a127082fdb2bbe6e08d70929b54997f4b3","unresolved":true,"context_lines":[{"line_number":409,"context_line":"| /v1/heartbeat                      | No, Agent reserved endpoint.           |"},{"line_number":410,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":411,"context_line":""},{"line_number":412,"context_line":".. TODO:: Do we want Project Admins to be able to change traits?"},{"line_number":413,"context_line":"          Resource class?"},{"line_number":414,"context_line":"          What about Project Members?"},{"line_number":415,"context_line":"          Would this not vary between ``is_node_owner`` and"},{"line_number":416,"context_line":"          ``is_node_lessee``?"},{"line_number":417,"context_line":""},{"line_number":418,"context_line":".. WARNING:: Port support will require removal of legacy neutron port"},{"line_number":419,"context_line":"             attachment through ``port.extra[\u0027vif_port_id\u0027]``"}],"source_content_type":"text/x-rst","patch_set":9,"id":"26c2a626_a3cc137c","line":416,"range":{"start_line":412,"start_character":0,"end_line":416,"end_character":29},"updated":"2021-01-27 01:18:54.000000000","message":"It feels to me like project:members should not need this. 
Those fields are related to scheduling, which belongs to global:admin. Perhaps there may be cases for project:admin (I can\u0027t think of any right now).","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"51778496aa628cffd86e397641ec0825e76cfe99","unresolved":true,"context_lines":[{"line_number":409,"context_line":"| /v1/heartbeat                      | No, Agent reserved endpoint.           |"},{"line_number":410,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":411,"context_line":""},{"line_number":412,"context_line":".. TODO:: Do we want Project Admins to be able to change traits?"},{"line_number":413,"context_line":"          Resource class?"},{"line_number":414,"context_line":"          What about Project Members?"},{"line_number":415,"context_line":"          Would this not vary between ``is_node_owner`` and"},{"line_number":416,"context_line":"          ``is_node_lessee``?"},{"line_number":417,"context_line":""},{"line_number":418,"context_line":".. WARNING:: Port support will require removal of legacy neutron port"},{"line_number":419,"context_line":"             attachment through ``port.extra[\u0027vif_port_id\u0027]``"}],"source_content_type":"text/x-rst","patch_set":9,"id":"624c603c_4c026179","line":416,"range":{"start_line":412,"start_character":0,"end_line":416,"end_character":29},"in_reply_to":"26c2a626_a3cc137c","updated":"2021-01-27 17:44:13.000000000","message":"I could see owner admins, but not owner members. 
I\u0027ve asked in IRC to try and see if there are any risks of concern and if there are we can just focus on system-admin.","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"09040ce20ba0f9a664aee68b5932ee63e7606d58","unresolved":false,"context_lines":[{"line_number":409,"context_line":"| /v1/heartbeat                      | No, Agent reserved endpoint.           |"},{"line_number":410,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":411,"context_line":""},{"line_number":412,"context_line":".. TODO:: Do we want Project Admins to be able to change traits?"},{"line_number":413,"context_line":"          Resource class?"},{"line_number":414,"context_line":"          What about Project Members?"},{"line_number":415,"context_line":"          Would this not vary between ``is_node_owner`` and"},{"line_number":416,"context_line":"          ``is_node_lessee``?"},{"line_number":417,"context_line":""},{"line_number":418,"context_line":".. WARNING:: Port support will require removal of legacy neutron port"},{"line_number":419,"context_line":"             attachment through ``port.extra[\u0027vif_port_id\u0027]``"}],"source_content_type":"text/x-rst","patch_set":9,"id":"b16f591b_75efe492","line":416,"range":{"start_line":412,"start_character":0,"end_line":416,"end_character":29},"in_reply_to":"624c603c_4c026179","updated":"2021-01-27 23:15:13.000000000","message":"Consensus from IRC seems to lead towards keeping resource_class and traits system scoped for now. 
An owner with good intentions could potentially break their ability to schedule a node with an incorrect trait change, because they are not the system operators and don\u0027t necessarily know the mechanics at play there.\n\nIt seems reasonable for an owner or lessee to rely on communications to the admin should they see or observe a specific need for these to change.","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":32177,"name":"Jacob Anders","email":"jacob-anders-dev@proton.me","username":"janders"},"change_message_id":"0f1af3a127082fdb2bbe6e08d70929b54997f4b3","unresolved":true,"context_lines":[{"line_number":418,"context_line":".. WARNING:: Port support will require removal of legacy neutron port"},{"line_number":419,"context_line":"             attachment through ``port.extra[\u0027vif_port_id\u0027]``"},{"line_number":420,"context_line":""},{"line_number":421,"context_line":".. TODO:: Portgroups and ports, should they be read-only? Should project"},{"line_number":422,"context_line":"          Project admins or members be able to write them."},{"line_number":423,"context_line":"          Julia and Arne thinks they should remain read-only resources."},{"line_number":424,"context_line":""},{"line_number":425,"context_line":"Node object field restrictions"},{"line_number":426,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":9,"id":"c65f3534_35083830","line":423,"range":{"start_line":421,"start_character":0,"end_line":423,"end_character":71},"updated":"2021-01-27 01:18:54.000000000","message":"I agree with Julia and Arne these should be read-only. I\u0027m not sure what would be a use case for project:[member|admin] updating portgroups/ports. At the same time, incorrect port settings could cause issues that global:admin needs to attend to (e.g. 
breaking cleaning when the project is done with the node and decides to release it).","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"5f66bb84b39792a29e406665554a31223d29e162","unresolved":false,"context_lines":[{"line_number":418,"context_line":".. WARNING:: Port support will require removal of legacy neutron port"},{"line_number":419,"context_line":"             attachment through ``port.extra[\u0027vif_port_id\u0027]``"},{"line_number":420,"context_line":""},{"line_number":421,"context_line":".. TODO:: Portgroups and ports, should they be read-only? Should project"},{"line_number":422,"context_line":"          Project admins or members be able to write them."},{"line_number":423,"context_line":"          Julia and Arne thinks they should remain read-only resources."},{"line_number":424,"context_line":""},{"line_number":425,"context_line":"Node object field restrictions"},{"line_number":426,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":9,"id":"8ec06814_d08675ee","line":423,"range":{"start_line":421,"start_character":0,"end_line":423,"end_character":71},"in_reply_to":"5aa4f6d9_ff32089c","updated":"2021-01-27 18:10:39.000000000","message":"Ah, you\u0027re right - thanks for the clarification!","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"09040ce20ba0f9a664aee68b5932ee63e7606d58","unresolved":false,"context_lines":[{"line_number":418,"context_line":".. 
WARNING:: Port support will require removal of legacy neutron port"},{"line_number":419,"context_line":"             attachment through ``port.extra[\u0027vif_port_id\u0027]``"},{"line_number":420,"context_line":""},{"line_number":421,"context_line":".. TODO:: Portgroups and ports, should they be read-only? Should project"},{"line_number":422,"context_line":"          Project admins or members be able to write them."},{"line_number":423,"context_line":"          Julia and Arne thinks they should remain read-only resources."},{"line_number":424,"context_line":""},{"line_number":425,"context_line":"Node object field restrictions"},{"line_number":426,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":9,"id":"d7c4fbf6_54baf575","line":423,"range":{"start_line":421,"start_character":0,"end_line":423,"end_character":71},"in_reply_to":"8ec06814_d08675ee","updated":"2021-01-27 23:15:13.000000000","message":"FWIW, I\u0027m putting some notes with tentative language in. I think it is kind of obvious that this is a huge lift, and may evolve some well into the next development cycle, but obviously I want to get as much as possible done this cycle.","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"2c5cf914dd6a79856c1014b24831e87a003078f4","unresolved":true,"context_lines":[{"line_number":418,"context_line":".. WARNING:: Port support will require removal of legacy neutron port"},{"line_number":419,"context_line":"             attachment through ``port.extra[\u0027vif_port_id\u0027]``"},{"line_number":420,"context_line":""},{"line_number":421,"context_line":".. TODO:: Portgroups and ports, should they be read-only? 
Should project"},{"line_number":422,"context_line":"          Project admins or members be able to write them."},{"line_number":423,"context_line":"          Julia and Arne thinks they should remain read-only resources."},{"line_number":424,"context_line":""},{"line_number":425,"context_line":"Node object field restrictions"},{"line_number":426,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":9,"id":"d929a6ef_5a5a513d","line":423,"range":{"start_line":421,"start_character":0,"end_line":423,"end_character":71},"in_reply_to":"c65f3534_35083830","updated":"2021-01-27 02:26:52.000000000","message":"I think there may be a use case for both project members and admins to be able to update these; I remember playing with metalsmith to provision a node with standalone Ironic, and one of the needed operations was updating a port\u0027s internal_info to include information about the VIF.","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"51778496aa628cffd86e397641ec0825e76cfe99","unresolved":true,"context_lines":[{"line_number":418,"context_line":".. WARNING:: Port support will require removal of legacy neutron port"},{"line_number":419,"context_line":"             attachment through ``port.extra[\u0027vif_port_id\u0027]``"},{"line_number":420,"context_line":""},{"line_number":421,"context_line":".. TODO:: Portgroups and ports, should they be read-only? 
Should project"},{"line_number":422,"context_line":"          Project admins or members be able to write them."},{"line_number":423,"context_line":"          Julia and Arne thinks they should remain read-only resources."},{"line_number":424,"context_line":""},{"line_number":425,"context_line":"Node object field restrictions"},{"line_number":426,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":9,"id":"5aa4f6d9_ff32089c","line":423,"range":{"start_line":421,"start_character":0,"end_line":423,"end_character":71},"in_reply_to":"d929a6ef_5a5a513d","updated":"2021-01-27 17:44:13.000000000","message":"The internal info update takes place through vif attach/detach, so it wouldn\u0027t be direct editing of the port controller in the rest api.","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"51778496aa628cffd86e397641ec0825e76cfe99","unresolved":true,"context_lines":[{"line_number":452,"context_line":"* extra - Project Admin/Project Member Read-Write"},{"line_number":453,"context_line":"  .. TODO:: another reason to remove old vif handling logic is the extra field."},{"line_number":454,"context_line":"* console_enabled - Project Admin/Project Member Read/Write"},{"line_number":455,"context_line":"* raid_config - Read-Only"},{"line_number":456,"context_line":"* target_raid_config - Read-Only"},{"line_number":457,"context_line":"* clean_step - Read-Only"},{"line_number":458,"context_line":"* deploy_step - Read-Only"}],"source_content_type":"text/x-rst","patch_set":9,"id":"898e643d_ee277e83","line":455,"updated":"2021-01-27 17:44:13.000000000","message":"So this is confusing, the api says to post /states/raid under a node, but this field... 
eeeeehhhh :\\","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"09040ce20ba0f9a664aee68b5932ee63e7606d58","unresolved":false,"context_lines":[{"line_number":452,"context_line":"* extra - Project Admin/Project Member Read-Write"},{"line_number":453,"context_line":"  .. TODO:: another reason to remove old vif handling logic is the extra field."},{"line_number":454,"context_line":"* console_enabled - Project Admin/Project Member Read/Write"},{"line_number":455,"context_line":"* raid_config - Read-Only"},{"line_number":456,"context_line":"* target_raid_config - Read-Only"},{"line_number":457,"context_line":"* clean_step - Read-Only"},{"line_number":458,"context_line":"* deploy_step - Read-Only"}],"source_content_type":"text/x-rst","patch_set":9,"id":"0fe166c2_7c43b786","line":455,"in_reply_to":"898e643d_ee277e83","updated":"2021-01-27 23:15:13.000000000","message":"Done","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"c95006d4787782359f345f077432d3930600b0fc","unresolved":true,"context_lines":[{"line_number":499,"context_line":"vendor_passthru - Vendor passthrough will not be available to project"},{"line_number":500,"context_line":"                  scoped users in the RBAC model."},{"line_number":501,"context_line":""},{"line_number":502,"context_line":".. note:: All fields that are scrubed, i.e. 
set to None or {} are expected"},{"line_number":503,"context_line":"          to be read-only fields to project scoped accounts in the new"},{"line_number":504,"context_line":"          RBAC model."},{"line_number":505,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"107ebf7b_9f4c6f80","line":502,"range":{"start_line":502,"start_character":30,"end_line":502,"end_character":37},"updated":"2021-01-27 02:02:11.000000000","message":"s/scrubed/scrubbed","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"09040ce20ba0f9a664aee68b5932ee63e7606d58","unresolved":false,"context_lines":[{"line_number":499,"context_line":"vendor_passthru - Vendor passthrough will not be available to project"},{"line_number":500,"context_line":"                  scoped users in the RBAC model."},{"line_number":501,"context_line":""},{"line_number":502,"context_line":".. note:: All fields that are scrubed, i.e. set to None or {} are expected"},{"line_number":503,"context_line":"          to be read-only fields to project scoped accounts in the new"},{"line_number":504,"context_line":"          RBAC model."},{"line_number":505,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"c111f836_0ccd79a8","line":502,"range":{"start_line":502,"start_character":30,"end_line":502,"end_character":37},"in_reply_to":"107ebf7b_9f4c6f80","updated":"2021-01-27 23:15:13.000000000","message":"Done","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":537,"context_line":"user\u0027s project ID in the node ``lessee`` field. 
In the new use model,"},{"line_number":538,"context_line":"this would allow a more \"natural\" use pattern and allow users to be able"},{"line_number":539,"context_line":"to leverage aspects like power operations or reboot or possibly even rebuild"},{"line_number":540,"context_line":"of their deployed instances."},{"line_number":541,"context_line":""},{"line_number":542,"context_line":".. TODO:: We should discuss this further. It likely just ought to be a"},{"line_number":543,"context_line":"   knob for nova-compute with the Ironic virt driver."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1a646eef_89ec9b29","line":540,"updated":"2021-02-01 17:54:58.000000000","message":"I don\u0027t have a mental model of how nova \u0026 ironic interact wrt ironic node\u0027s owner \u0026 lessee fields, so this doesn\u0027t make sense to me. I thought only the owner (or some ironic admin) could set the lessee...","commit_id":"f1f1b8042c7fac25f5b1e36bdec66b8b64490cd6"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"aab02f52814ed2848f4eaddbf0b0bd944d7b0f2b","unresolved":true,"context_lines":[{"line_number":321,"context_line":"   related to ``volume`` or ``port`` attachments, or possibly even"},{"line_number":322,"context_line":"   tighter integration of this functionality in ``nova-compute``."},{"line_number":323,"context_line":"   All of these things will evolve over time, and we cannot answer"},{"line_number":324,"context_line":"   them until we reach that point in time."},{"line_number":325,"context_line":""},{"line_number":326,"context_line":"Project Scope"},{"line_number":327,"context_line":"~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":10,"id":"d913528b_80cd76a2","line":324,"updated":"2021-01-28 02:57:45.000000000","message":"I think this is a reasonable approach to take for delivering something useful in this cycle and not be constrained by other project\u0027s 
progress in their implementation","commit_id":"a6ff963ba242ae62e2cdca92dbc4094f4c48cea1"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"aab02f52814ed2848f4eaddbf0b0bd944d7b0f2b","unresolved":true,"context_lines":[{"line_number":490,"context_line":"  .. TODO:: another reason to remove old vif handling logic is the extra field."},{"line_number":491,"context_line":"* console_enabled - Project Admin/Project Member Read/Write"},{"line_number":492,"context_line":"* raid_config - Read-Only"},{"line_number":493,"context_line":"  .. TODO:: API docs indicate there is a /states/raid endpoint under the node."},{"line_number":494,"context_line":"* target_raid_config - Read-Only"},{"line_number":495,"context_line":"* clean_step - Read-Only"},{"line_number":496,"context_line":"* deploy_step - Read-Only"}],"source_content_type":"text/x-rst","patch_set":10,"id":"9784e0ca_3425bb36","line":493,"updated":"2021-01-28 02:57:45.000000000","message":"/states/raid is only for PUT which sets target_raid_config. raid_config and target_raid_config cannot be patched directly","commit_id":"a6ff963ba242ae62e2cdca92dbc4094f4c48cea1"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9690fb2f8c92dc04df62e84530c4001daf173539","unresolved":true,"context_lines":[{"line_number":490,"context_line":"  .. TODO:: another reason to remove old vif handling logic is the extra field."},{"line_number":491,"context_line":"* console_enabled - Project Admin/Project Member Read/Write"},{"line_number":492,"context_line":"* raid_config - Read-Only"},{"line_number":493,"context_line":"  .. 
TODO:: API docs indicate there is a /states/raid endpoint under the node."},{"line_number":494,"context_line":"* target_raid_config - Read-Only"},{"line_number":495,"context_line":"* clean_step - Read-Only"},{"line_number":496,"context_line":"* deploy_step - Read-Only"}],"source_content_type":"text/x-rst","patch_set":10,"id":"e086b233_762eec8f","line":493,"in_reply_to":"9784e0ca_3425bb36","updated":"2021-01-28 22:06:12.000000000","message":"Oh! Good to know. Wow that is overly confusing. Why did we do that to ourselves?!?","commit_id":"a6ff963ba242ae62e2cdca92dbc4094f4c48cea1"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":90,"context_line":"Scope definitions:"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"* system - This is similar to the existing scope of the cloud deployment today."},{"line_number":93,"context_line":"* domain - We do not anticipate this to apply, and the primitives do not exist"},{"line_number":94,"context_line":"           in Ironic. 
This scope is only used with-in Keystone."},{"line_number":95,"context_line":"* project - This is the logical grouping in which users are members of projects"},{"line_number":96,"context_line":"            and have some level of implied member rights with-in that project."}],"source_content_type":"text/x-rst","patch_set":11,"id":"b161af77_d0bcc5b9","line":93,"updated":"2021-02-01 17:54:58.000000000","message":"because ironic doesn\u0027t have the concept of a \u0027domain\u0027 associated with each ironic node, right?","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"db414b0c0a1e128710547e96ffc32053a2e17b1d","unresolved":false,"context_lines":[{"line_number":90,"context_line":"Scope definitions:"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"* system - This is similar to the existing scope of the cloud deployment today."},{"line_number":93,"context_line":"* domain - We do not anticipate this to apply, and the primitives do not exist"},{"line_number":94,"context_line":"           in Ironic. 
This scope is only used with-in Keystone."},{"line_number":95,"context_line":"* project - This is the logical grouping in which users are members of projects"},{"line_number":96,"context_line":"            and have some level of implied member rights with-in that project."}],"source_content_type":"text/x-rst","patch_set":11,"id":"3b09e3af_5894973e","line":93,"in_reply_to":"433f14b7_969c26f3","updated":"2021-02-06 00:05:23.000000000","message":"Done","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c0297d786d0bcd17975db96b9b4109c1b76944aa","unresolved":true,"context_lines":[{"line_number":90,"context_line":"Scope definitions:"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"* system - This is similar to the existing scope of the cloud deployment today."},{"line_number":93,"context_line":"* domain - We do not anticipate this to apply, and the primitives do not exist"},{"line_number":94,"context_line":"           in Ironic. 
This scope is only used with-in Keystone."},{"line_number":95,"context_line":"* project - This is the logical grouping in which users are members of projects"},{"line_number":96,"context_line":"            and have some level of implied member rights with-in that project."}],"source_content_type":"text/x-rst","patch_set":11,"id":"433f14b7_969c26f3","line":93,"in_reply_to":"b161af77_d0bcc5b9","updated":"2021-02-03 00:33:56.000000000","message":"No, only keystone has the scope or capability of a domain, and with keystone\u0027s use of domains to associate groupings of projects there seems to be no need to support it at this time in this effort.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":93,"context_line":"* domain - We do not anticipate this to apply, and the primitives do not exist"},{"line_number":94,"context_line":"           in Ironic. 
This scope is only used with-in Keystone."},{"line_number":95,"context_line":"* project - This is the logical grouping in which users are members of projects"},{"line_number":96,"context_line":"            and have some level of implied member rights with-in that project."},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"Additional information can be found in the"},{"line_number":99,"context_line":"`Keystone administration - tokens \u003chttps://docs.openstack.org/keystone/latest/admin/tokens-overview.html#authorization-scopes\u003e`"}],"source_content_type":"text/x-rst","patch_set":11,"id":"6ecb98bd_6c7ebc84","line":96,"updated":"2021-02-01 17:54:58.000000000","message":"and in ironic, this is the \u0027owner\u0027 field of an ironic node?\n\n(or can the \u0027owner\u0027 field be a keystone user, and ironic can go from user to their project via the context?)","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c0297d786d0bcd17975db96b9b4109c1b76944aa","unresolved":false,"context_lines":[{"line_number":93,"context_line":"* domain - We do not anticipate this to apply, and the primitives do not exist"},{"line_number":94,"context_line":"           in Ironic. 
This scope is only used with-in Keystone."},{"line_number":95,"context_line":"* project - This is the logical grouping in which users are members of projects"},{"line_number":96,"context_line":"            and have some level of implied member rights with-in that project."},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"Additional information can be found in the"},{"line_number":99,"context_line":"`Keystone administration - tokens \u003chttps://docs.openstack.org/keystone/latest/admin/tokens-overview.html#authorization-scopes\u003e`"}],"source_content_type":"text/x-rst","patch_set":11,"id":"7ffd3da6_5cbc3a93","line":96,"in_reply_to":"6ecb98bd_6c7ebc84","updated":"2021-02-03 00:33:56.000000000","message":"Owner, or Lessee. We have two fields for slightly different uses.\n\nThe usage is for project_id association, not specific user association. Oslo.context + keystoneauth basically take the auth token, and collect the project_id associated with the token from keystone. This gets stored in the context, and then oslo_policy rules can apply to the context based upon rule mapping.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"fce3198724b40bf67e1edd2ad8b1755e9c53df46","unresolved":false,"context_lines":[{"line_number":93,"context_line":"* domain - We do not anticipate this to apply, and the primitives do not exist"},{"line_number":94,"context_line":"           in Ironic. 
This scope is only used with-in Keystone."},{"line_number":95,"context_line":"* project - This is the logical grouping in which users are members of projects"},{"line_number":96,"context_line":"            and have some level of implied member rights with-in that project."},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"Additional information can be found in the"},{"line_number":99,"context_line":"`Keystone administration - tokens \u003chttps://docs.openstack.org/keystone/latest/admin/tokens-overview.html#authorization-scopes\u003e`"}],"source_content_type":"text/x-rst","patch_set":11,"id":"70315f14_e5e966ce","line":96,"in_reply_to":"7ffd3da6_5cbc3a93","updated":"2021-02-03 15:41:53.000000000","message":"this project_id association is useful, if nothing else, as a reminder as to how this will be connected with the keystone stuff. Thx!","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":126,"context_line":"expect only Project scoped requests, and refuse a System scoped member"},{"line_number":127,"context_line":"request. 
These sorts of issues will need to be identified and"},{"line_number":128,"context_line":"appropriately navigated."},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"Proposed change"},{"line_number":131,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":132,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"b1e257ee_52eb3314","line":129,"updated":"2021-02-01 17:54:58.000000000","message":"from a high level, I see two things that this spec is about:\n- do the community thing, and support RBAC in a fashion that is consistent with \u0027the rest of OpenStack\u0027\n-this will consist of changes to ironic policies, so that by default, they are configured to support RBAC. Individuals (whatever) can then choose to change the policies to support their own needs.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"fce3198724b40bf67e1edd2ad8b1755e9c53df46","unresolved":true,"context_lines":[{"line_number":126,"context_line":"expect only Project scoped requests, and refuse a System scoped member"},{"line_number":127,"context_line":"request. These sorts of issues will need to be identified and"},{"line_number":128,"context_line":"appropriately navigated."},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"Proposed change"},{"line_number":131,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":132,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"df144dd1_944d2f55","line":129,"in_reply_to":"0749d57f_fba1838b","updated":"2021-02-03 15:41:53.000000000","message":"Right. 
For those folks who aren\u0027t always in the community or forget or miss context, useful to throw in the word \u0027default\u0027 somewhere.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c0297d786d0bcd17975db96b9b4109c1b76944aa","unresolved":true,"context_lines":[{"line_number":126,"context_line":"expect only Project scoped requests, and refuse a System scoped member"},{"line_number":127,"context_line":"request. These sorts of issues will need to be identified and"},{"line_number":128,"context_line":"appropriately navigated."},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"Proposed change"},{"line_number":131,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":132,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"0749d57f_fba1838b","line":129,"in_reply_to":"b1e257ee_52eb3314","updated":"2021-02-03 00:33:56.000000000","message":"Basically yes, however changing policies has long been supported. The big difference is the huge delineation from having concepts like \"an admin project\" to \"an system scope in which administrators exist\"","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"db414b0c0a1e128710547e96ffc32053a2e17b1d","unresolved":false,"context_lines":[{"line_number":126,"context_line":"expect only Project scoped requests, and refuse a System scoped member"},{"line_number":127,"context_line":"request. 
These sorts of issues will need to be identified and"},{"line_number":128,"context_line":"appropriately navigated."},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"Proposed change"},{"line_number":131,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":132,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"2f27c079_4ee20049","line":129,"in_reply_to":"df144dd1_944d2f55","updated":"2021-02-06 00:05:23.000000000","message":"Done","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":133,"context_line":"At a high level, the desire is to:"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"a) Have greater consistency through the adoption of standard roles, and"},{"line_number":136,"context_line":"b) Implement the ability to move to scope based restriction where the"},{"line_number":137,"context_line":"   new standardized roles would apply."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"We will do this by:"}],"source_content_type":"text/x-rst","patch_set":11,"id":"a97c6f3f_fead514e","line":136,"updated":"2021-02-01 17:54:58.000000000","message":"scope is also standardized right? 
system \u0026 project?","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"db414b0c0a1e128710547e96ffc32053a2e17b1d","unresolved":false,"context_lines":[{"line_number":133,"context_line":"At a high level, the desire is to:"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"a) Have greater consistency through the adoption of standard roles, and"},{"line_number":136,"context_line":"b) Implement the ability to move to scope based restriction where the"},{"line_number":137,"context_line":"   new standardized roles would apply."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"We will do this by:"}],"source_content_type":"text/x-rst","patch_set":11,"id":"44cd3087_755f23d4","line":136,"in_reply_to":"37665c96_170e0d41","updated":"2021-02-06 00:05:23.000000000","message":"Done","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c0297d786d0bcd17975db96b9b4109c1b76944aa","unresolved":true,"context_lines":[{"line_number":133,"context_line":"At a high level, the desire is to:"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"a) Have greater consistency through the adoption of standard roles, and"},{"line_number":136,"context_line":"b) Implement the ability to move to scope based restriction where the"},{"line_number":137,"context_line":"   new standardized roles would apply."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"We will do this by:"}],"source_content_type":"text/x-rst","patch_set":11,"id":"37665c96_170e0d41","line":136,"in_reply_to":"a97c6f3f_fead514e","updated":"2021-02-03 
00:33:56.000000000","message":"Yes, System, and Project are the two scopes which exist and are standardized.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":178,"context_line":""},{"line_number":179,"context_line":"Additional issues and rights validation logic may need to be applied, however"},{"line_number":180,"context_line":"that will likely require adjacent/integrated projects to change their policy"},{"line_number":181,"context_line":"enforcement."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"In terms of ``ironic-inspector`` and its API, the resulting default policies"},{"line_number":184,"context_line":"for this effort would be entirely system scoped and no other scope is"}],"source_content_type":"text/x-rst","patch_set":11,"id":"106b3a27_054d4237","line":181,"updated":"2021-02-01 17:54:58.000000000","message":"I don\u0027t know what this means. What is an adjacent/integrated project? Is this a keystone project? 
Or does it refer to other services such as nova?","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c0297d786d0bcd17975db96b9b4109c1b76944aa","unresolved":true,"context_lines":[{"line_number":178,"context_line":""},{"line_number":179,"context_line":"Additional issues and rights validation logic may need to be applied, however"},{"line_number":180,"context_line":"that will likely require adjacent/integrated projects to change their policy"},{"line_number":181,"context_line":"enforcement."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"In terms of ``ironic-inspector`` and its API, the resulting default policies"},{"line_number":184,"context_line":"for this effort would be entirely system scoped and no other scope is"}],"source_content_type":"text/x-rst","patch_set":11,"id":"d050a43c_fb2914b2","line":181,"in_reply_to":"106b3a27_054d4237","updated":"2021-02-03 00:33:56.000000000","message":"Possibly, it is really noted as a risk and item that may require additional work.\n\nIn essence what happens today:\n\nUser foo in project banana: Hi nova, give me a ham sandwich, with neutron network kiwi and cinder volume tokyo.\n\nNova calls cinder and says: Hi cinder, I\u0027m nova with a request from user foo in the banana project. They want tokyo attached.\n\nCinder authenticates the request and *should* act for the user in the project.\n\nNeutron essentially does the same thing. Or at least should. Cinder has a bit more strict schema, anyway that is an aside.\n\nBut the risk is more in that what if a service doesn\u0027t do these sorts of validations upfront. We don\u0027t really do it in ironic\u0027s case. We expect nova to have done pre-flight validation checking. Where this becomes problematic is when we have a stored vif or volume. 
We only pass the user context through on the original acts/requests, but not on follow-up items. The risk for us is largely granting users access to vif plugging or volume attachment without that validation. We might be in fairly good shape, but we need to be cognizant that something a little more may or likely will be needed.\n\nSo at the same time, because say if all services are changed to system admin or member tokens, instead of admin project tokens on behalf of other project still bearing the original user context, services like cinder/neutron may need additional checks or logic updated that we can only kind of maybe foresee on the outside as a possible risk until we get to that point of starting to switch everything over.\n\nSo in this context, the integrated or coupled projects are those that call ironic\u0027s APIs and those that call other projects\u0027 APIs such as Ironic. We\u0027re all kind of in the same boat and just have to be careful to make sure we appropriately guard things we do with other services on behalf of the user request.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"fce3198724b40bf67e1edd2ad8b1755e9c53df46","unresolved":true,"context_lines":[{"line_number":178,"context_line":""},{"line_number":179,"context_line":"Additional issues and rights validation logic may need to be applied, however"},{"line_number":180,"context_line":"that will likely require adjacent/integrated projects to change their policy"},{"line_number":181,"context_line":"enforcement."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"In terms of ``ironic-inspector`` and its API, the resulting default policies"},{"line_number":184,"context_line":"for this effort would be entirely system scoped and no other scope 
is"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ac9b5079_1aaf4c33","line":181,"in_reply_to":"d050a43c_fb2914b2","updated":"2021-02-03 15:41:53.000000000","message":"This is a great example/explanation. Is the spec too long if this is added? (Wondering if it could be added at the end of the spec in a misc section or something. Anyway, it is documented in this PR :)","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":189,"context_line":"   In review of this specification document, it has been highlighted that"},{"line_number":190,"context_line":"   a tenant may find it useful to have the ability to trigger inspection"},{"line_number":191,"context_line":"   of a node, and have it report to *their* own ``ironic-inspector``"},{"line_number":192,"context_line":"   instance. 
This is an intruiging possibility, but would be a distinct"},{"line_number":193,"context_line":"   feature above and beyond the scope of this specific work."},{"line_number":194,"context_line":""},{"line_number":195,"context_line":"High level matrix"}],"source_content_type":"text/x-rst","patch_set":11,"id":"dece43b1_b15ed4dd","line":192,"updated":"2021-02-01 17:54:58.000000000","message":"s/intruiging/intriguing/","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"db414b0c0a1e128710547e96ffc32053a2e17b1d","unresolved":false,"context_lines":[{"line_number":189,"context_line":"   In review of this specification document, it has been highlighted that"},{"line_number":190,"context_line":"   a tenant may find it useful to have the ability to trigger inspection"},{"line_number":191,"context_line":"   of a node, and have it report to *their* own ``ironic-inspector``"},{"line_number":192,"context_line":"   instance. 
This is an intruiging possibility, but would be a distinct"},{"line_number":193,"context_line":"   feature above and beyond the scope of this specific work."},{"line_number":194,"context_line":""},{"line_number":195,"context_line":"High level matrix"}],"source_content_type":"text/x-rst","patch_set":11,"id":"22055773_96e8f4b9","line":192,"in_reply_to":"dece43b1_b15ed4dd","updated":"2021-02-06 00:05:23.000000000","message":"Done","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":190,"context_line":"   a tenant may find it useful to have the ability to trigger inspection"},{"line_number":191,"context_line":"   of a node, and have it report to *their* own ``ironic-inspector``"},{"line_number":192,"context_line":"   instance. This is an intruiging possibility, but would be a distinct"},{"line_number":193,"context_line":"   feature above and beyond the scope of this specific work."},{"line_number":194,"context_line":""},{"line_number":195,"context_line":"High level matrix"},{"line_number":196,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"67842b5a_1384a8bb","line":193,"updated":"2021-02-01 17:54:58.000000000","message":"As long as the door is left open so that these new policies, etc could be added later, it should be fine.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c0297d786d0bcd17975db96b9b4109c1b76944aa","unresolved":true,"context_lines":[{"line_number":190,"context_line":"   a tenant may find it useful to have the ability to trigger inspection"},{"line_number":191,"context_line":"   of a node, and have it report to 
*their* own ``ironic-inspector``"},{"line_number":192,"context_line":"   instance. This is an intruiging possibility, but would be a distinct"},{"line_number":193,"context_line":"   feature above and beyond the scope of this specific work."},{"line_number":194,"context_line":""},{"line_number":195,"context_line":"High level matrix"},{"line_number":196,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"de38d29b_db4a1ece","line":193,"in_reply_to":"67842b5a_1384a8bb","updated":"2021-02-03 00:33:56.000000000","message":"++ Yeah, none of this should block that from being a case, it is only noted since it came up in review discussion.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"db414b0c0a1e128710547e96ffc32053a2e17b1d","unresolved":false,"context_lines":[{"line_number":190,"context_line":"   a tenant may find it useful to have the ability to trigger inspection"},{"line_number":191,"context_line":"   of a node, and have it report to *their* own ``ironic-inspector``"},{"line_number":192,"context_line":"   instance. 
This is an intruiging possibility, but would be a distinct"},{"line_number":193,"context_line":"   feature above and beyond the scope of this specific work."},{"line_number":194,"context_line":""},{"line_number":195,"context_line":"High level matrix"},{"line_number":196,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"bbbd5aa0_f215ffc2","line":193,"in_reply_to":"de38d29b_db4a1ece","updated":"2021-02-06 00:05:23.000000000","message":"Done","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":201,"context_line":"of the policy rule represents since there are technically several different"},{"line_number":202,"context_line":"access matrices based upon the variation and ultimately the agreement"},{"line_number":203,"context_line":"reached within the community. The end name may be something similar, but"},{"line_number":204,"context_line":"that is an implementation naming decision, not higher level design"},{"line_number":205,"context_line":"decision."},{"line_number":206,"context_line":""},{"line_number":207,"context_line":"* `is_node_owner` - When the API consumer\u0027s project ID value is populated in"}],"source_content_type":"text/x-rst","patch_set":11,"id":"a4c72f2f_9c105f0d","line":204,"updated":"2021-02-01 17:54:58.000000000","message":"i\u0027m a bit lost. what \u0027name\u0027 are we talking about here? 
(Oh, maybe is_node_owner and is_node_lessee?)","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"db414b0c0a1e128710547e96ffc32053a2e17b1d","unresolved":false,"context_lines":[{"line_number":201,"context_line":"of the policy rule represents since there are technically several different"},{"line_number":202,"context_line":"access matrices based upon the variation and ultimately the agreement"},{"line_number":203,"context_line":"reached within the community. The end name may be something similar, but"},{"line_number":204,"context_line":"that is an implementation naming decision, not higher level design"},{"line_number":205,"context_line":"decision."},{"line_number":206,"context_line":""},{"line_number":207,"context_line":"* `is_node_owner` - When the API consumer\u0027s project ID value is populated in"}],"source_content_type":"text/x-rst","patch_set":11,"id":"4c66c368_388a34e6","line":204,"in_reply_to":"2315f044_8f45db10","updated":"2021-02-06 00:05:23.000000000","message":"Done","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c0297d786d0bcd17975db96b9b4109c1b76944aa","unresolved":true,"context_lines":[{"line_number":201,"context_line":"of the policy rule represents since there are technically several different"},{"line_number":202,"context_line":"access matrices based upon the variation and ultimately the agreement"},{"line_number":203,"context_line":"reached within the community. 
The end name may be something similar, but"},{"line_number":204,"context_line":"that is an implementation naming decision, not higher level design"},{"line_number":205,"context_line":"decision."},{"line_number":206,"context_line":""},{"line_number":207,"context_line":"* `is_node_owner` - When the API consumer\u0027s project ID value is populated in"}],"source_content_type":"text/x-rst","patch_set":11,"id":"2315f044_8f45db10","line":204,"in_reply_to":"a4c72f2f_9c105f0d","updated":"2021-02-03 00:33:56.000000000","message":"s/name/definition name/\n\nTruthfully we may not even do that, but I\u0027m just starting to touch project scoped $things.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":222,"context_line":"| admin       | Effectively the same | Project ``admin`` able to have        |"},{"line_number":223,"context_line":"|             | as the existing      | equivalent access to the API as       |"},{"line_number":224,"context_line":"|             | \"baremetal_admin\"    | ``system`` scoped ``member`` with a   |"},{"line_number":225,"context_line":"|             | role.                | filtered view matching `is_node_owner`|"},{"line_number":226,"context_line":"|             |                      | ``owner`` field updates are blocked.  
|"},{"line_number":227,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":228,"context_line":"| member      | New concept for a    | Project members will be able to use   |"}],"source_content_type":"text/x-rst","patch_set":11,"id":"4c45e595_3f43f3c7","line":225,"range":{"start_line":225,"start_character":62,"end_line":225,"end_character":77},"updated":"2021-02-01 17:54:58.000000000","message":"missing period after this.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c0297d786d0bcd17975db96b9b4109c1b76944aa","unresolved":true,"context_lines":[{"line_number":222,"context_line":"| admin       | Effectively the same | Project ``admin`` able to have        |"},{"line_number":223,"context_line":"|             | as the existing      | equivalent access to the API as       |"},{"line_number":224,"context_line":"|             | \"baremetal_admin\"    | ``system`` scoped ``member`` with a   |"},{"line_number":225,"context_line":"|             | role.                | filtered view matching `is_node_owner`|"},{"line_number":226,"context_line":"|             |                      | ``owner`` field updates are blocked.  |"},{"line_number":227,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":228,"context_line":"| member      | New concept for a    | Project members will be able to use   |"}],"source_content_type":"text/x-rst","patch_set":11,"id":"cdda8921_e3075812","line":225,"range":{"start_line":225,"start_character":62,"end_line":225,"end_character":77},"in_reply_to":"4c45e595_3f43f3c7","updated":"2021-02-03 00:33:56.000000000","message":"I think that is at 79 chars, but maybe not. 
:)","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"db414b0c0a1e128710547e96ffc32053a2e17b1d","unresolved":false,"context_lines":[{"line_number":222,"context_line":"| admin       | Effectively the same | Project ``admin`` able to have        |"},{"line_number":223,"context_line":"|             | as the existing      | equivalent access to the API as       |"},{"line_number":224,"context_line":"|             | \"baremetal_admin\"    | ``system`` scoped ``member`` with a   |"},{"line_number":225,"context_line":"|             | role.                | filtered view matching `is_node_owner`|"},{"line_number":226,"context_line":"|             |                      | ``owner`` field updates are blocked.  |"},{"line_number":227,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":228,"context_line":"| member      | New concept for a    | Project members will be able to use   |"}],"source_content_type":"text/x-rst","patch_set":11,"id":"397ee222_2a0a9c38","line":225,"range":{"start_line":225,"start_character":62,"end_line":225,"end_character":77},"in_reply_to":"cdda8921_e3075812","updated":"2021-02-06 00:05:23.000000000","message":"Done","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":223,"context_line":"|             | as the existing      | equivalent access to the API as       |"},{"line_number":224,"context_line":"|             | \"baremetal_admin\"    | ``system`` scoped ``member`` with a   |"},{"line_number":225,"context_line":"|             | role.                
| filtered view matching `is_node_owner`|"},{"line_number":226,"context_line":"|             |                      | ``owner`` field updates are blocked.  |"},{"line_number":227,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":228,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":229,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"}],"source_content_type":"text/x-rst","patch_set":11,"id":"93e8058d_68158f81","line":226,"updated":"2021-02-01 17:54:58.000000000","message":"it might have been mentioned above. Can project admin delete nodes (with is_node_owner) from ironic?","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"fce3198724b40bf67e1edd2ad8b1755e9c53df46","unresolved":true,"context_lines":[{"line_number":223,"context_line":"|             | as the existing      | equivalent access to the API as       |"},{"line_number":224,"context_line":"|             | \"baremetal_admin\"    | ``system`` scoped ``member`` with a   |"},{"line_number":225,"context_line":"|             | role.                | filtered view matching `is_node_owner`|"},{"line_number":226,"context_line":"|             |                      | ``owner`` field updates are blocked.  
|"},{"line_number":227,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":228,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":229,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"}],"source_content_type":"text/x-rst","patch_set":11,"id":"c505c241_f1096eb6","line":226,"in_reply_to":"92702dbe_13914f4e","updated":"2021-02-03 15:41:53.000000000","message":"I see a symmetry in create (enroll) \u0026 delete. (It\u0027d be easier to grok/remember, too, if someone can do both, or none.) If someone can enroll, they know something about HW that isn\u0027t in ironic. Allowing someone to delete from ironic, seems to imply that the person knows what to do with the HW after it is removed from ironic. I\u0027d (maybe being too cautious) disallow enroll \u0026 delete. That seems to me to be \u0027system\u0027 stuff.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c0297d786d0bcd17975db96b9b4109c1b76944aa","unresolved":true,"context_lines":[{"line_number":223,"context_line":"|             | as the existing      | equivalent access to the API as       |"},{"line_number":224,"context_line":"|             | \"baremetal_admin\"    | ``system`` scoped ``member`` with a   |"},{"line_number":225,"context_line":"|             | role.                | filtered view matching `is_node_owner`|"},{"line_number":226,"context_line":"|             |                      | ``owner`` field updates are blocked.  
|"},{"line_number":227,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":228,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":229,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"}],"source_content_type":"text/x-rst","patch_set":11,"id":"92702dbe_13914f4e","line":226,"in_reply_to":"93e8058d_68158f81","updated":"2021-02-03 00:33:56.000000000","message":"So I\u0027m still in a bit of a TBD phase on this one. It makes sense for project scoped owner\u0027s with admin role privileges to be able to. Although for lessees, they should not be able to.\n\nThen the question shifts to owner-admins and creating nodes. I can make the case that it could be a good idea, but I can also make the case that it can be problematic, so I\u0027m just not sure. Right now the initial pass of the tests are proposing they can\u0027t create but can delete, but maybe ironic should be kind of like the roach motel where you can check in, but can\u0027t check out.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"c4a6d930d2bdd665db78abfd02da44844feeb19d","unresolved":false,"context_lines":[{"line_number":223,"context_line":"|             | as the existing      | equivalent access to the API as       |"},{"line_number":224,"context_line":"|             | \"baremetal_admin\"    | ``system`` scoped ``member`` with a   |"},{"line_number":225,"context_line":"|             | role.                | filtered view matching `is_node_owner`|"},{"line_number":226,"context_line":"|             |                      | ``owner`` field updates are blocked.  
|"},{"line_number":227,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":228,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":229,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"}],"source_content_type":"text/x-rst","patch_set":11,"id":"87941b6d_4e1aa817","line":226,"in_reply_to":"b312a08b_b47b1916","updated":"2021-02-05 15:37:34.000000000","message":"Ack","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a90ace7efacacf35f0faa59b0706e947fddba980","unresolved":true,"context_lines":[{"line_number":223,"context_line":"|             | as the existing      | equivalent access to the API as       |"},{"line_number":224,"context_line":"|             | \"baremetal_admin\"    | ``system`` scoped ``member`` with a   |"},{"line_number":225,"context_line":"|             | role.                | filtered view matching `is_node_owner`|"},{"line_number":226,"context_line":"|             |                      | ``owner`` field updates are blocked.  |"},{"line_number":227,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":228,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":229,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"}],"source_content_type":"text/x-rst","patch_set":11,"id":"b312a08b_b47b1916","line":226,"in_reply_to":"c505c241_f1096eb6","updated":"2021-02-05 14:29:40.000000000","message":"The consensus seems to be to deny project admins the rights to create nodes/delete nodes. 
And the current WIP represents that state.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":226,"context_line":"|             |                      | ``owner`` field updates are blocked.  |"},{"line_number":227,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":228,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":229,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"},{"line_number":230,"context_line":"|             | service account.     | is matched and perform field/state    |"},{"line_number":231,"context_line":"|             | Can\u0027t add or delete  | updates on individual nodes with the  |"},{"line_number":232,"context_line":"|             | nodes.               | exception of the ``owner`` and        |"}],"source_content_type":"text/x-rst","patch_set":11,"id":"4e260138_2ba5d31e","line":229,"updated":"2021-02-01 17:54:58.000000000","message":"why not also \u0027is_node_owner\u0027 ? (since reader applies if is_node_owner or is_node_lessee). Presumably, one would default to having the is_node_owner an admin, but who knows, there might be some reason for is_node_owner being a member.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c0297d786d0bcd17975db96b9b4109c1b76944aa","unresolved":true,"context_lines":[{"line_number":226,"context_line":"|             |                      | ``owner`` field updates are blocked.  
|"},{"line_number":227,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":228,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":229,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"},{"line_number":230,"context_line":"|             | service account.     | is matched and perform field/state    |"},{"line_number":231,"context_line":"|             | Can\u0027t add or delete  | updates on individual nodes with the  |"},{"line_number":232,"context_line":"|             | nodes.               | exception of the ``owner`` and        |"}],"source_content_type":"text/x-rst","patch_set":11,"id":"7564a99a_c3784008","line":229,"in_reply_to":"4e260138_2ba5d31e","updated":"2021-02-03 00:33:56.000000000","message":"So this should also be owners as well, I\u0027ll need to fix/clarify that. Thanks!","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"db414b0c0a1e128710547e96ffc32053a2e17b1d","unresolved":false,"context_lines":[{"line_number":226,"context_line":"|             |                      | ``owner`` field updates are blocked.  |"},{"line_number":227,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":228,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":229,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"},{"line_number":230,"context_line":"|             | service account.     
| is matched and perform field/state    |"},{"line_number":231,"context_line":"|             | Can\u0027t add or delete  | updates on individual nodes with the  |"},{"line_number":232,"context_line":"|             | nodes.               | exception of the ``owner`` and        |"}],"source_content_type":"text/x-rst","patch_set":11,"id":"fdc92905_dded3aa0","line":229,"in_reply_to":"7564a99a_c3784008","updated":"2021-02-06 00:05:23.000000000","message":"Done","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":228,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":229,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"},{"line_number":230,"context_line":"|             | service account.     | is matched and perform field/state    |"},{"line_number":231,"context_line":"|             | Can\u0027t add or delete  | updates on individual nodes with the  |"},{"line_number":232,"context_line":"|             | nodes.               | exception of the ``owner`` and        |"},{"line_number":233,"context_line":"|             |                      | ``lessee`` fields.                    
|"},{"line_number":234,"context_line":"+-------------+----------------------+---------------------------------------+"}],"source_content_type":"text/x-rst","patch_set":11,"id":"b13c2cdf_c3d012d2","line":231,"range":{"start_line":231,"start_character":39,"end_line":231,"end_character":66},"updated":"2021-02-01 17:54:58.000000000","message":"Do we allow members to see/update eg node\u0027s driver_info, \u0027ipmi_password\u0027?","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"db414b0c0a1e128710547e96ffc32053a2e17b1d","unresolved":false,"context_lines":[{"line_number":228,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":229,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"},{"line_number":230,"context_line":"|             | service account.     | is matched and perform field/state    |"},{"line_number":231,"context_line":"|             | Can\u0027t add or delete  | updates on individual nodes with the  |"},{"line_number":232,"context_line":"|             | nodes.               | exception of the ``owner`` and        |"},{"line_number":233,"context_line":"|             |                      | ``lessee`` fields.                    
|"},{"line_number":234,"context_line":"+-------------+----------------------+---------------------------------------+"}],"source_content_type":"text/x-rst","patch_set":11,"id":"8dc1651f_46a76d12","line":231,"range":{"start_line":231,"start_character":39,"end_line":231,"end_character":66},"in_reply_to":"41a7c6b4_d0bf4cf3","updated":"2021-02-06 00:05:23.000000000","message":"Done","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c0297d786d0bcd17975db96b9b4109c1b76944aa","unresolved":true,"context_lines":[{"line_number":228,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":229,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"},{"line_number":230,"context_line":"|             | service account.     | is matched and perform field/state    |"},{"line_number":231,"context_line":"|             | Can\u0027t add or delete  | updates on individual nodes with the  |"},{"line_number":232,"context_line":"|             | nodes.               | exception of the ``owner`` and        |"},{"line_number":233,"context_line":"|             |                      | ``lessee`` fields.                    |"},{"line_number":234,"context_line":"+-------------+----------------------+---------------------------------------+"}],"source_content_type":"text/x-rst","patch_set":11,"id":"41a7c6b4_d0bf4cf3","line":231,"range":{"start_line":231,"start_character":39,"end_line":231,"end_character":66},"in_reply_to":"b13c2cdf_c3d012d2","updated":"2021-02-03 00:33:56.000000000","message":"To see, no. I\u0027m thinking owners may be permitted to patch the driver_info, but it is somewhat TBD. I think the dividing line is that lessees should not be able to see/use/update driver info. 
In fact, I think I floated returning an empty dictionary later on.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":249,"context_line":"   being defined. Such as `system-admin` for a system wide scope or"},{"line_number":250,"context_line":"   `project-admin` for a user who is a project administrator."},{"line_number":251,"context_line":""},{"line_number":252,"context_line":"In effect, a ``PROJECT_ADMIN``, if in defined in the terms of a rule, would"},{"line_number":253,"context_line":"match upon a ``project_id`` matching the ``owner`` and the user having an"},{"line_number":254,"context_line":"admin role. A ``PROJECT_MEMBER`` includes ``PROJECT_ADMIN`` *or* where"},{"line_number":255,"context_line":"``project_id`` matches ``lessee`` and the role is ``member``."}],"source_content_type":"text/x-rst","patch_set":11,"id":"a69f00bd_9e93f194","line":252,"range":{"start_line":252,"start_character":35,"end_line":252,"end_character":37},"updated":"2021-02-01 17:54:58.000000000","message":"not needed","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"db414b0c0a1e128710547e96ffc32053a2e17b1d","unresolved":false,"context_lines":[{"line_number":249,"context_line":"   being defined. 
Such as `system-admin` for a system wide scope or"},{"line_number":250,"context_line":"   `project-admin` for a user who is a project administrator."},{"line_number":251,"context_line":""},{"line_number":252,"context_line":"In effect, a ``PROJECT_ADMIN``, if in defined in the terms of a rule, would"},{"line_number":253,"context_line":"match upon a ``project_id`` matching the ``owner`` and the user having an"},{"line_number":254,"context_line":"admin role. A ``PROJECT_MEMBER`` includes ``PROJECT_ADMIN`` *or* where"},{"line_number":255,"context_line":"``project_id`` matches ``lessee`` and the role is ``member``."}],"source_content_type":"text/x-rst","patch_set":11,"id":"1363abdd_10ea5354","line":252,"range":{"start_line":252,"start_character":35,"end_line":252,"end_character":37},"in_reply_to":"a69f00bd_9e93f194","updated":"2021-02-06 00:05:23.000000000","message":"Done","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":257,"context_line":"Alternatives"},{"line_number":258,"context_line":"------------"},{"line_number":259,"context_line":""},{"line_number":260,"context_line":"No alternative is available as the model implementation."},{"line_number":261,"context_line":""},{"line_number":262,"context_line":"Data model impact"},{"line_number":263,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"11d3eb63_7472f481","line":260,"updated":"2021-02-01 17:54:58.000000000","message":"heh. do nothing? 
(Not an option!)","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":290,"context_line":"~~~~~~~~~~~~"},{"line_number":291,"context_line":""},{"line_number":292,"context_line":"The transition for System scoped roles is fairly straight forward as described"},{"line_number":293,"context_line":"by the chart in `Proposed Change`_. Existing Admin/Observer roles would be"},{"line_number":294,"context_line":"translated to System-Admin and System-Reader respectively."},{"line_number":295,"context_line":""},{"line_number":296,"context_line":"The addition to this scope is the ``member`` role concept. This is a user"}],"source_content_type":"text/x-rst","patch_set":11,"id":"4a3df589_7d0dd274","line":293,"range":{"start_line":293,"start_character":7,"end_line":293,"end_character":12},"updated":"2021-02-01 17:54:58.000000000","message":"Is this the \u0027High-level matrix\u0027 above?","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c0297d786d0bcd17975db96b9b4109c1b76944aa","unresolved":true,"context_lines":[{"line_number":290,"context_line":"~~~~~~~~~~~~"},{"line_number":291,"context_line":""},{"line_number":292,"context_line":"The transition for System scoped roles is fairly straight forward as described"},{"line_number":293,"context_line":"by the chart in `Proposed Change`_. Existing Admin/Observer roles would be"},{"line_number":294,"context_line":"translated to System-Admin and System-Reader respectively."},{"line_number":295,"context_line":""},{"line_number":296,"context_line":"The addition to this scope is the ``member`` role concept. 
This is a user"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a499dae_2bbb994d","line":293,"range":{"start_line":293,"start_character":7,"end_line":293,"end_character":12},"in_reply_to":"4a3df589_7d0dd274","updated":"2021-02-03 00:33:56.000000000","message":"Yes, it is the high level matrix.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"db414b0c0a1e128710547e96ffc32053a2e17b1d","unresolved":false,"context_lines":[{"line_number":290,"context_line":"~~~~~~~~~~~~"},{"line_number":291,"context_line":""},{"line_number":292,"context_line":"The transition for System scoped roles is fairly straight forward as described"},{"line_number":293,"context_line":"by the chart in `Proposed Change`_. Existing Admin/Observer roles would be"},{"line_number":294,"context_line":"translated to System-Admin and System-Reader respectively."},{"line_number":295,"context_line":""},{"line_number":296,"context_line":"The addition to this scope is the ``member`` role concept. 
This is a user"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ab484379_c56561a8","line":293,"range":{"start_line":293,"start_character":7,"end_line":293,"end_character":12},"in_reply_to":"5a499dae_2bbb994d","updated":"2021-02-06 00:05:23.000000000","message":"Done","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":321,"context_line":"   related to ``volume`` or ``port`` attachments, or possibly even"},{"line_number":322,"context_line":"   tighter integration of this functionality in ``nova-compute``."},{"line_number":323,"context_line":"   All of these things will evolve over time, and we cannot answer"},{"line_number":324,"context_line":"   them until we reach that point in time."},{"line_number":325,"context_line":""},{"line_number":326,"context_line":"Project Scope"},{"line_number":327,"context_line":"~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":11,"id":"fa7ddd9c_29142a1e","line":324,"updated":"2021-02-01 17:54:58.000000000","message":"or we just limit this spec to handling system-scope only :)","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"db414b0c0a1e128710547e96ffc32053a2e17b1d","unresolved":false,"context_lines":[{"line_number":321,"context_line":"   related to ``volume`` or ``port`` attachments, or possibly even"},{"line_number":322,"context_line":"   tighter integration of this functionality in ``nova-compute``."},{"line_number":323,"context_line":"   All of these things will evolve over time, and we cannot answer"},{"line_number":324,"context_line":"   them until we reach that point in 
time."},{"line_number":325,"context_line":""},{"line_number":326,"context_line":"Project Scope"},{"line_number":327,"context_line":"~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":11,"id":"abd35de2_8a9073a3","line":324,"in_reply_to":"6fcf7e91_b515386f","updated":"2021-02-06 00:05:23.000000000","message":"Done","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c0297d786d0bcd17975db96b9b4109c1b76944aa","unresolved":true,"context_lines":[{"line_number":321,"context_line":"   related to ``volume`` or ``port`` attachments, or possibly even"},{"line_number":322,"context_line":"   tighter integration of this functionality in ``nova-compute``."},{"line_number":323,"context_line":"   All of these things will evolve over time, and we cannot answer"},{"line_number":324,"context_line":"   them until we reach that point in time."},{"line_number":325,"context_line":""},{"line_number":326,"context_line":"Project Scope"},{"line_number":327,"context_line":"~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":11,"id":"6fcf7e91_b515386f","line":324,"in_reply_to":"fa7ddd9c_29142a1e","updated":"2021-02-03 00:33:56.000000000","message":"I will cry if that is the case. 
😊 Besides, our specs almost never land entirely in one cycle.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":332,"context_line":"scoped interactions."},{"line_number":333,"context_line":""},{"line_number":334,"context_line":"API consumers seeking to ``GET`` resources in the project scope would only be"},{"line_number":335,"context_line":"able to view resources which match the ``is_node_owner`` and"},{"line_number":336,"context_line":"``is_node_lessee`` which are associated to the ``owner`` and ``lessee``"},{"line_number":337,"context_line":"fields."},{"line_number":338,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"33e20105_fae89366","line":335,"range":{"start_line":335,"start_character":57,"end_line":335,"end_character":60},"updated":"2021-02-01 17:54:58.000000000","message":"\"or\" (they don\u0027t have to match both, just one of them).","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c0297d786d0bcd17975db96b9b4109c1b76944aa","unresolved":true,"context_lines":[{"line_number":332,"context_line":"scoped interactions."},{"line_number":333,"context_line":""},{"line_number":334,"context_line":"API consumers seeking to ``GET`` resources in the project scope would only be"},{"line_number":335,"context_line":"able to view resources which match the ``is_node_owner`` and"},{"line_number":336,"context_line":"``is_node_lessee`` which are associated to the ``owner`` and 
``lessee``"},{"line_number":337,"context_line":"fields."},{"line_number":338,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"d6b4573f_3d6cdf1f","line":335,"range":{"start_line":335,"start_character":57,"end_line":335,"end_character":60},"in_reply_to":"33e20105_fae89366","updated":"2021-02-03 00:33:56.000000000","message":"++ Good catch!","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"db414b0c0a1e128710547e96ffc32053a2e17b1d","unresolved":false,"context_lines":[{"line_number":332,"context_line":"scoped interactions."},{"line_number":333,"context_line":""},{"line_number":334,"context_line":"API consumers seeking to ``GET`` resources in the project scope would only be"},{"line_number":335,"context_line":"able to view resources which match the ``is_node_owner`` and"},{"line_number":336,"context_line":"``is_node_lessee`` which are associated to the ``owner`` and ``lessee``"},{"line_number":337,"context_line":"fields."},{"line_number":338,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"4d0c8b5b_0b573e2b","line":335,"range":{"start_line":335,"start_character":57,"end_line":335,"end_character":60},"in_reply_to":"d6b4573f_3d6cdf1f","updated":"2021-02-06 00:05:23.000000000","message":"Done","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":340,"context_line":"where they would be able to update hardware focused fields such as"},{"line_number":341,"context_line":"``driver_info``, however only if ``is_node_owner`` matches."},{"line_number":342,"context_line":"Project admins who match ``is_node_lessee`` should not be 
permitted"},{"line_number":343,"context_line":"the ability to update fields such as ``driver_info``."},{"line_number":344,"context_line":""},{"line_number":345,"context_line":".. TODO:: We may wish to evaluate if it is useful to permit updating"},{"line_number":346,"context_line":"   ``driver_info`` as a project admin. Dtantsur thinks, and I agree that this"}],"source_content_type":"text/x-rst","patch_set":11,"id":"9040c51e_c18069f4","line":343,"updated":"2021-02-01 17:54:58.000000000","message":"I\u0027m curious to know which scope-roles have deltas based on is_node_owner vs is_node_lessee. I\u0027m worried about complexity, having to remember/think (or have a more detailed matrix of scope-role vs is_node_owner vs is_node_lessee).\n\nUgh. I just looked at the matrix above -- project-admin only maps to is_node_owner, not is_node_lessee.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"fce3198724b40bf67e1edd2ad8b1755e9c53df46","unresolved":true,"context_lines":[{"line_number":340,"context_line":"where they would be able to update hardware focused fields such as"},{"line_number":341,"context_line":"``driver_info``, however only if ``is_node_owner`` matches."},{"line_number":342,"context_line":"Project admins who match ``is_node_lessee`` should not be permitted"},{"line_number":343,"context_line":"the ability to update fields such as ``driver_info``."},{"line_number":344,"context_line":""},{"line_number":345,"context_line":".. TODO:: We may wish to evaluate if it is useful to permit updating"},{"line_number":346,"context_line":"   ``driver_info`` as a project admin. Dtantsur thinks, and I agree that this"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5714d3e5_49a81420","line":343,"in_reply_to":"47479e2d_26494e6f","updated":"2021-02-03 15:41:53.000000000","message":"Yeah, I mentioned it above. 
IF we start with a triple-column, it\u0027ll be more obvious what is different between owner/lessee. There are a lot of details to \u0027get right\u0027. Or leave the above matrix as a high level one, eg \u0027general guidelines\u0027, and that more details will be in the endpoints stuff below -- which is really a more detailed description of what \u0027project scope\u0027 means, can have three columns there.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c0297d786d0bcd17975db96b9b4109c1b76944aa","unresolved":true,"context_lines":[{"line_number":340,"context_line":"where they would be able to update hardware focused fields such as"},{"line_number":341,"context_line":"``driver_info``, however only if ``is_node_owner`` matches."},{"line_number":342,"context_line":"Project admins who match ``is_node_lessee`` should not be permitted"},{"line_number":343,"context_line":"the ability to update fields such as ``driver_info``."},{"line_number":344,"context_line":""},{"line_number":345,"context_line":".. TODO:: We may wish to evaluate if it is useful to permit updating"},{"line_number":346,"context_line":"   ``driver_info`` as a project admin. 
Dtantsur thinks, and I agree that this"}],"source_content_type":"text/x-rst","patch_set":11,"id":"47479e2d_26494e6f","line":343,"in_reply_to":"9040c51e_c18069f4","updated":"2021-02-03 00:33:56.000000000","message":"Would a triple-column table make sense?\n\nHonestly, in doing the code and thinking through it on that layer, I\u0027ve had to change some positions a little, and I\u0027m also trying not to box ourselves in to defining precise exact behavior in the specifiation when we\u0027re likely going to run into fine details in the implementation and ensuing discussion on that which would have been completely missed because we were trying to design and designate every specific without full context of being deep in it.\n\nFWIW: See https://review.opendev.org/c/openstack/ironic/+/772451/6/ironic/tests/unit/api/test_rbac_project_scoped.yaml#1","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":345,"context_line":".. TODO:: We may wish to evaluate if it is useful to permit updating"},{"line_number":346,"context_line":"   ``driver_info`` as a project admin. Dtantsur thinks, and I agree that this"},{"line_number":347,"context_line":"   is likely highly deployment and operationly specific, and it may be we"},{"line_number":348,"context_line":"   need a knob to govern this behavior."},{"line_number":349,"context_line":""},{"line_number":350,"context_line":"A Project-Member would again be scoped to the appropriate database entries"},{"line_number":351,"context_line":"which apply to their user\u0027s scope. 
They should be enabled to update fields"}],"source_content_type":"text/x-rst","patch_set":11,"id":"b82c183a_99b9b246","line":348,"updated":"2021-02-01 17:54:58.000000000","message":"you mean, add a policy for specifically updating driver_info, and default so that project admins can do it?","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a90ace7efacacf35f0faa59b0706e947fddba980","unresolved":true,"context_lines":[{"line_number":345,"context_line":".. TODO:: We may wish to evaluate if it is useful to permit updating"},{"line_number":346,"context_line":"   ``driver_info`` as a project admin. Dtantsur thinks, and I agree that this"},{"line_number":347,"context_line":"   is likely highly deployment and operationly specific, and it may be we"},{"line_number":348,"context_line":"   need a knob to govern this behavior."},{"line_number":349,"context_line":""},{"line_number":350,"context_line":"A Project-Member would again be scoped to the appropriate database entries"},{"line_number":351,"context_line":"which apply to their user\u0027s scope. They should be enabled to update fields"}],"source_content_type":"text/x-rst","patch_set":11,"id":"3e459b41_87838e60","line":348,"in_reply_to":"b82c183a_99b9b246","updated":"2021-02-05 14:29:40.000000000","message":"I suspect that is what we\u0027ll do. We have a similar thing for instance_info and extra today. 
I\u0027ve got a note to work on that once I get past getting the nodes controller basically sorted at a higher level.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":348,"context_line":"   need a knob to govern this behavior."},{"line_number":349,"context_line":""},{"line_number":350,"context_line":"A Project-Member would again be scoped to the appropriate database entries"},{"line_number":351,"context_line":"which apply to their user\u0027s scope. They should be enabled to update fields"},{"line_number":352,"context_line":"such as ``instance_info``, and provision, unprovision, and potentially update"},{"line_number":353,"context_line":"VIFs."},{"line_number":354,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"b99b0692_eee1e313","line":351,"updated":"2021-02-01 17:54:58.000000000","message":"In the matrix above, project-member is only valid if is_node_lessee (not is_node_owner).","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c0297d786d0bcd17975db96b9b4109c1b76944aa","unresolved":true,"context_lines":[{"line_number":348,"context_line":"   need a knob to govern this behavior."},{"line_number":349,"context_line":""},{"line_number":350,"context_line":"A Project-Member would again be scoped to the appropriate database entries"},{"line_number":351,"context_line":"which apply to their user\u0027s scope. 
They should be enabled to update fields"},{"line_number":352,"context_line":"such as ``instance_info``, and provision, unprovision, and potentially update"},{"line_number":353,"context_line":"VIFs."},{"line_number":354,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"9d79212e_26f2aabd","line":351,"in_reply_to":"b99b0692_eee1e313","updated":"2021-02-03 00:33:56.000000000","message":"project member would be any project scoped token receive with member rights. What presently occurs is we get the request, and we then do a database query get what project_id\u0027s match the requestor\u0027s project_id and return only those objects. That way we push that match. The huge difference will be, of course depending on overall site policy, that instead of someone getting 403 if they are not a member of the \"baremetal\" project a custom policy is in place that permits them to access the API, they would get a 404 on an entry or an emtpy list of nodes because they have rights to see nothing. 
Or well, Authorization to see nothing even though they an authenticated user, and just don\u0027t happen to have anything match them.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0ce19b84809d16c64d2f59c4a394ab782f4fcd7e","unresolved":true,"context_lines":[{"line_number":375,"context_line":"   at this time."},{"line_number":376,"context_line":""},{"line_number":377,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":378,"context_line":"| Endpoint                           | Project Scope Accessible               |"},{"line_number":379,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":380,"context_line":"| /                                  | Yes, Public endpoint                   |"},{"line_number":381,"context_line":"+------------------------------------+----------------------------------------+"}],"source_content_type":"text/x-rst","patch_set":11,"id":"26a6f31a_96b3011b","line":378,"range":{"start_line":378,"start_character":39,"end_line":378,"end_character":52},"updated":"2021-02-01 17:54:58.000000000","message":"Do we want a column for System scope too?","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"db414b0c0a1e128710547e96ffc32053a2e17b1d","unresolved":false,"context_lines":[{"line_number":375,"context_line":"   at this time."},{"line_number":376,"context_line":""},{"line_number":377,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":378,"context_line":"| Endpoint                           | Project Scope Accessible               
|"},{"line_number":379,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":380,"context_line":"| /                                  | Yes, Public endpoint                   |"},{"line_number":381,"context_line":"+------------------------------------+----------------------------------------+"}],"source_content_type":"text/x-rst","patch_set":11,"id":"93ef0e11_7cc65dc3","line":378,"range":{"start_line":378,"start_character":39,"end_line":378,"end_character":52},"in_reply_to":"1f0aeb5e_c1585f32","updated":"2021-02-06 00:05:23.000000000","message":"Done","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c0297d786d0bcd17975db96b9b4109c1b76944aa","unresolved":true,"context_lines":[{"line_number":375,"context_line":"   at this time."},{"line_number":376,"context_line":""},{"line_number":377,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":378,"context_line":"| Endpoint                           | Project Scope Accessible               |"},{"line_number":379,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":380,"context_line":"| /                                  | Yes, Public endpoint                   |"},{"line_number":381,"context_line":"+------------------------------------+----------------------------------------+"}],"source_content_type":"text/x-rst","patch_set":11,"id":"9deacc12_34a9195a","line":378,"range":{"start_line":378,"start_character":39,"end_line":378,"end_character":52},"in_reply_to":"26a6f31a_96b3011b","updated":"2021-02-03 00:33:56.000000000","message":"https://tenor.com/view/please-no-no-super-troopers-gif-16103463\n\nOn a serious non gif response level, line 326 scopes this all as 
project scope, so talking about system scope here would just confuse things I think.\n\nConceptually thinking about system scope, I don\u0027t think it is really going to change that much. Admins who have the appropriate roles won\u0027t see a difference. Readers won\u0027t see a difference as long as their role is updated. The only addition really is member and kind of fitting it into that \"can\u0027t create/delete, but can change/modify\" sort of setting.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a90ace7efacacf35f0faa59b0706e947fddba980","unresolved":true,"context_lines":[{"line_number":375,"context_line":"   at this time."},{"line_number":376,"context_line":""},{"line_number":377,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":378,"context_line":"| Endpoint                           | Project Scope Accessible               |"},{"line_number":379,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":380,"context_line":"| /                                  | Yes, Public endpoint                   |"},{"line_number":381,"context_line":"+------------------------------------+----------------------------------------+"}],"source_content_type":"text/x-rst","patch_set":11,"id":"1f0aeb5e_c1585f32","line":378,"range":{"start_line":378,"start_character":39,"end_line":378,"end_character":52},"in_reply_to":"6d0a663d_11f01b9a","updated":"2021-02-05 14:29:40.000000000","message":"Ahh, I see what is going on, I ended up on the same level of indenting. I\u0027ll fix that because it definitely is part of project scoping and the section. 
At least, that is what was intended.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"fce3198724b40bf67e1edd2ad8b1755e9c53df46","unresolved":true,"context_lines":[{"line_number":375,"context_line":"   at this time."},{"line_number":376,"context_line":""},{"line_number":377,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":378,"context_line":"| Endpoint                           | Project Scope Accessible               |"},{"line_number":379,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":380,"context_line":"| /                                  | Yes, Public endpoint                   |"},{"line_number":381,"context_line":"+------------------------------------+----------------------------------------+"}],"source_content_type":"text/x-rst","patch_set":11,"id":"6d0a663d_11f01b9a","line":378,"range":{"start_line":378,"start_character":39,"end_line":378,"end_character":52},"in_reply_to":"9deacc12_34a9195a","updated":"2021-02-03 15:41:53.000000000","message":"Ah. Might I suggest that above this table, add some words (again) about system scope and that this table below provides more detail about policies for roles in the project scope. 
..\u0027 \n\nOR move this section so it is under the \u0027Project Scope\u0027 section.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"fce3198724b40bf67e1edd2ad8b1755e9c53df46","unresolved":true,"context_lines":[{"line_number":381,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":382,"context_line":"| /v1                                | Yes, Public endpoint                   |"},{"line_number":383,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":384,"context_line":"| /v1/nodes                          | Filtered View and access rights        |"},{"line_number":385,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":386,"context_line":"| /v1/nodes/{uuid}                   | Filtered view and access rights        |"},{"line_number":387,"context_line":"+------------------------------------+----------------------------------------+"}],"source_content_type":"text/x-rst","patch_set":11,"id":"e4884454_2d6bd125","line":384,"updated":"2021-02-03 15:41:53.000000000","message":"I\u0027m not sure I understand the goal of this table. Or maybe I\u0027m making things more confusing. We have 3 roles (reader, member, admin) in project scope. And we\u0027ve said that it might mean something different, depending on whether it is the node-owner or the node-lessee. 
(and if neither, no rights at all).\n\nSo that means 6 diff possibilities for each of these endpoints?","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"db414b0c0a1e128710547e96ffc32053a2e17b1d","unresolved":false,"context_lines":[{"line_number":381,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":382,"context_line":"| /v1                                | Yes, Public endpoint                   |"},{"line_number":383,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":384,"context_line":"| /v1/nodes                          | Filtered View and access rights        |"},{"line_number":385,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":386,"context_line":"| /v1/nodes/{uuid}                   | Filtered view and access rights        |"},{"line_number":387,"context_line":"+------------------------------------+----------------------------------------+"}],"source_content_type":"text/x-rst","patch_set":11,"id":"9fbef954_2f6a176f","line":384,"in_reply_to":"5a940a3c_ee2274bd","updated":"2021-02-06 00:05:23.000000000","message":"Ack","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"c4a6d930d2bdd665db78abfd02da44844feeb19d","unresolved":true,"context_lines":[{"line_number":381,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":382,"context_line":"| /v1                                | Yes, Public endpoint                   
|"},{"line_number":383,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":384,"context_line":"| /v1/nodes                          | Filtered View and access rights        |"},{"line_number":385,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":386,"context_line":"| /v1/nodes/{uuid}                   | Filtered view and access rights        |"},{"line_number":387,"context_line":"+------------------------------------+----------------------------------------+"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a940a3c_ee2274bd","line":384,"in_reply_to":"9d7614a0_46f77941","updated":"2021-02-05 15:37:34.000000000","message":"hmm. I think I\u0027ll just gloss over this table then. Since the devil is in the details, I\u0027ll look at the actual PRs with the policy changes :)","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a90ace7efacacf35f0faa59b0706e947fddba980","unresolved":true,"context_lines":[{"line_number":381,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":382,"context_line":"| /v1                                | Yes, Public endpoint                   |"},{"line_number":383,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":384,"context_line":"| /v1/nodes                          | Filtered View and access rights        |"},{"line_number":385,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":386,"context_line":"| /v1/nodes/{uuid}                   | Filtered view and access rights        
|"},{"line_number":387,"context_line":"+------------------------------------+----------------------------------------+"}],"source_content_type":"text/x-rst","patch_set":11,"id":"9d7614a0_46f77941","line":384,"in_reply_to":"e4884454_2d6bd125","updated":"2021-02-05 14:29:40.000000000","message":"The goal is basically to try and consolidate thoughts on the behavior of the endpoint controllers and data for project scoped requests. Every project has 3 default roles: owner, reader, member. Since a node owner is when the owner project id matches the request project ID, we\u0027re able to match and filter from there.\n\nUnfortunately I don\u0027t think a table really does it justice since depending on the item there may only be two rights, or one right. I think the most complex check rule I have right now boils down to (system scope with member rights or owner matching with member rights, or lessee matching with admin rights.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"821ae745bb3e355aa291098862b6151ccfbcde4a","unresolved":true,"context_lines":[{"line_number":420,"context_line":"| /v1/conductors                     | No, `system` scope only.               |"},{"line_number":421,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":422,"context_line":"| /v1/allocations                    | No, `system` scope initially. May be   |"},{"line_number":423,"context_line":"|                                    | able to be expanded to `project` scope |"},{"line_number":424,"context_line":"|                                    | at a later point in time.              
|"},{"line_number":425,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":426,"context_line":"| /v1/deploy_templates               | No, `system` scope only at this time.  |"}],"source_content_type":"text/x-rst","patch_set":11,"id":"06183e07_f9c1e946","line":423,"updated":"2021-02-01 16:34:43.000000000","message":"In discussion with dtantsur, the owner field is *who* created it by project id, so it is not a node owner, but as long as we store and match on the project id for allocations we should be fine. Which means this can be project scoped. Maybe not in the very first pass of the controller","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"fce3198724b40bf67e1edd2ad8b1755e9c53df46","unresolved":true,"context_lines":[{"line_number":432,"context_line":"| /v1/lookup                         | No, Agent reserved endpoint.           |"},{"line_number":433,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":434,"context_line":"| /v1/heartbeat                      | No, Agent reserved endpoint.           |"},{"line_number":435,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":436,"context_line":""},{"line_number":437,"context_line":".. WARNING:: Port support will require removal of legacy neutron port"},{"line_number":438,"context_line":"             attachment through ``port.extra[\u0027vif_port_id\u0027]``"}],"source_content_type":"text/x-rst","patch_set":11,"id":"6e3ea173_ead2c317","line":435,"updated":"2021-02-03 15:41:53.000000000","message":"I took a look at https://review.opendev.org/c/openstack/ironic/+/763257. 
The idea is to keep the existing policy names, but deprecate the current settings, and add new settings that are RBAC-consistent.\n\nSo during deprecation period, there is a config option or something? (Should be mentioned in the spec) that deployers can turn on to use the new settings.\n\nAfter deprecation period (which is when, use community deprecations of 1 cycle or 3 months or whatever, i\u0027ve already forgotten?) we\u0027ll delete the current settings and permanently set ironic to use the new settings. -- at which time, if folks like the old settings, instead of using the new defaults, they can override/change them explicitly to be set like it was before.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a90ace7efacacf35f0faa59b0706e947fddba980","unresolved":true,"context_lines":[{"line_number":432,"context_line":"| /v1/lookup                         | No, Agent reserved endpoint.           |"},{"line_number":433,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":434,"context_line":"| /v1/heartbeat                      | No, Agent reserved endpoint.           |"},{"line_number":435,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":436,"context_line":""},{"line_number":437,"context_line":".. 
WARNING:: Port support will require removal of legacy neutron port"},{"line_number":438,"context_line":"             attachment through ``port.extra[\u0027vif_port_id\u0027]``"}],"source_content_type":"text/x-rst","patch_set":11,"id":"fc857666_40668303","line":435,"in_reply_to":"6e3ea173_ead2c317","updated":"2021-02-05 14:29:40.000000000","message":"It is oslo_policy\u0027s configuration option, and they added a second option since I actually started this spec, so I\u0027m avoiding documenting their settings because this is more design, not end-user docs.\n\nSo basically yes, operators should be able to generate a policy file, scope-limit its operation, and override all of the rules, or really make it whatever they feel it needs to be or whatever they want. We just need to have reasonable and secure defaults.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"db414b0c0a1e128710547e96ffc32053a2e17b1d","unresolved":true,"context_lines":[{"line_number":432,"context_line":"| /v1/lookup                         | No, Agent reserved endpoint.           |"},{"line_number":433,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":434,"context_line":"| /v1/heartbeat                      | No, Agent reserved endpoint.           |"},{"line_number":435,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":436,"context_line":""},{"line_number":437,"context_line":".. 
WARNING:: Port support will require removal of legacy neutron port"},{"line_number":438,"context_line":"             attachment through ``port.extra[\u0027vif_port_id\u0027]``"}],"source_content_type":"text/x-rst","patch_set":11,"id":"2ddf2f1d_08d71efe","line":435,"in_reply_to":"abfda773_6dba1e83","updated":"2021-02-06 00:05:23.000000000","message":"At least noted it in other deployer impact. End docs will need the settings though. 😊","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"c4a6d930d2bdd665db78abfd02da44844feeb19d","unresolved":true,"context_lines":[{"line_number":432,"context_line":"| /v1/lookup                         | No, Agent reserved endpoint.           |"},{"line_number":433,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":434,"context_line":"| /v1/heartbeat                      | No, Agent reserved endpoint.           |"},{"line_number":435,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":436,"context_line":""},{"line_number":437,"context_line":".. WARNING:: Port support will require removal of legacy neutron port"},{"line_number":438,"context_line":"             attachment through ``port.extra[\u0027vif_port_id\u0027]``"}],"source_content_type":"text/x-rst","patch_set":11,"id":"abfda773_6dba1e83","line":435,"in_reply_to":"fc857666_40668303","updated":"2021-02-05 15:37:34.000000000","message":"as long as it is documented somewhere (oslo_policy?) how this affects our users during the deprecation and removal period. Since to me, that is part of the design of replacing something :) Hmm. 
Maybe this question/info fits into the \u0027Other deployer impact\u0027 (L626 below.)","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"fce3198724b40bf67e1edd2ad8b1755e9c53df46","unresolved":true,"context_lines":[{"line_number":577,"context_line":"of their deployed instances."},{"line_number":578,"context_line":""},{"line_number":579,"context_line":".. TODO:: We should discuss this further. It likely just ought to be a"},{"line_number":580,"context_line":"   knob for nova-compute with the Ironic virt driver."},{"line_number":581,"context_line":""},{"line_number":582,"context_line":"Ramdisk impact"},{"line_number":583,"context_line":"--------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"b76fb33d_e9c13478","line":580,"updated":"2021-02-03 15:41:53.000000000","message":"We assume (I think reasonably since we\u0027re trying to do RBAC consistently across services) that user U1 in \u0027admin\u0027 role in project P1 is creating a nova instance. Nova sets the ironic node\u0027s lessee field to P1 so UI has project-admin rights in ironic. I think that makes sense.\n\n(hey, does ironic allow lessee to be set without owner being set? I don\u0027t see why not, but not sure what that means...)","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a90ace7efacacf35f0faa59b0706e947fddba980","unresolved":true,"context_lines":[{"line_number":577,"context_line":"of their deployed instances."},{"line_number":578,"context_line":""},{"line_number":579,"context_line":".. TODO:: We should discuss this further. 
It likely just ought to be a"},{"line_number":580,"context_line":"   knob for nova-compute with the Ironic virt driver."},{"line_number":581,"context_line":""},{"line_number":582,"context_line":"Ramdisk impact"},{"line_number":583,"context_line":"--------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"30301987_6f853c71","line":580,"in_reply_to":"b76fb33d_e9c13478","updated":"2021-02-05 14:29:40.000000000","message":"So we do allow it; I think we only restrict changing owner on a deployed node.\n\nAnyway, it is possible, and it would just mean the project users would end up with rights equivalent to an owner admin, but if we head down that path with nova, I want to make it an option that defaults to false.\n\nIn such a case, with an option like that enabled, the system is leasing the node out to the user, and upon unprovisioning they lose access to the node. Obviously, some mechanics would need to be verified there, but that is the general idea.","commit_id":"4f4e80d11be2e405a2128cfc436e84cb5908be31"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"e56c16f6b101dac21cbefaeda82ab198d4bca9e3","unresolved":true,"context_lines":[{"line_number":21,"context_line":"an ``owner`` and ``lessee`` field."},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"However there is a growing desire to delineate scopes in which user accounts"},{"line_number":24,"context_line":"have acess to the API. This effort is sometimes referred to as \"Secure RBAC\""},{"line_number":25,"context_line":"in the OpenStack community, which is an initiative to have scope restricted"},{"line_number":26,"context_line":"authentication across OpenStack services, where the scoping and modeling"},{"line_number":27,"context_line":"is consistent to provide a consistent \"authorization experience\". 
This is"}],"source_content_type":"text/x-rst","patch_set":12,"id":"e44a9a84_43317240","line":24,"updated":"2021-02-08 18:58:58.000000000","message":"nit: access","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e1929943c5a71efa800e4e9dff6420f79e1e0fe0","unresolved":false,"context_lines":[{"line_number":21,"context_line":"an ``owner`` and ``lessee`` field."},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"However there is a growing desire to delineate scopes in which user accounts"},{"line_number":24,"context_line":"have acess to the API. This effort is sometimes referred to as \"Secure RBAC\""},{"line_number":25,"context_line":"in the OpenStack community, which is an initiative to have scope restricted"},{"line_number":26,"context_line":"authentication across OpenStack services, where the scoping and modeling"},{"line_number":27,"context_line":"is consistent to provide a consistent \"authorization experience\". This is"}],"source_content_type":"text/x-rst","patch_set":12,"id":"2e9636aa_2e9460d6","line":24,"in_reply_to":"e44a9a84_43317240","updated":"2021-02-10 14:25:09.000000000","message":"Done","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"e56c16f6b101dac21cbefaeda82ab198d4bca9e3","unresolved":true,"context_lines":[{"line_number":56,"context_line":"           and write with-in objects, but cannot create/delete new objects"},{"line_number":57,"context_line":"           unless it is an explicitly permitted action. 
An Ironic example"},{"line_number":58,"context_line":"           may be that we might want to permit members to be able to"},{"line_number":59,"context_line":"           request allocations, or change a node\u0027s provision state."},{"line_number":60,"context_line":"           Similar to ``admin`` implying ``member``, ``member`` implies"},{"line_number":61,"context_line":"           ``reader``."},{"line_number":62,"context_line":"* reader - This is a user which needs to be able to have read-only access."}],"source_content_type":"text/x-rst","patch_set":12,"id":"ee5fc0a1_e03be526","line":59,"range":{"start_line":59,"start_character":32,"end_line":59,"end_character":66},"updated":"2021-02-08 18:58:58.000000000","message":"This is where we really need the deployment API, otherwise it permits all actions (unless you split policies?)","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e1929943c5a71efa800e4e9dff6420f79e1e0fe0","unresolved":false,"context_lines":[{"line_number":56,"context_line":"           and write with-in objects, but cannot create/delete new objects"},{"line_number":57,"context_line":"           unless it is an explicitly permitted action. 
An Ironic example"},{"line_number":58,"context_line":"           may be that we might want to permit members to be able to"},{"line_number":59,"context_line":"           request allocations, or change a node\u0027s provision state."},{"line_number":60,"context_line":"           Similar to ``admin`` implying ``member``, ``member`` implies"},{"line_number":61,"context_line":"           ``reader``."},{"line_number":62,"context_line":"* reader - This is a user which needs to be able to have read-only access."}],"source_content_type":"text/x-rst","patch_set":12,"id":"e9a9d8e5_697f6367","line":59,"range":{"start_line":59,"start_character":32,"end_line":59,"end_character":66},"in_reply_to":"338c872c_62644751","updated":"2021-02-10 14:25:09.000000000","message":"Ack","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"dc32db54daf0a2d9d0dd595c9f7f5a290866e325","unresolved":true,"context_lines":[{"line_number":56,"context_line":"           and write with-in objects, but cannot create/delete new objects"},{"line_number":57,"context_line":"           unless it is an explicitly permitted action. 
An Ironic example"},{"line_number":58,"context_line":"           may be that we might want to permit members to be able to"},{"line_number":59,"context_line":"           request allocations, or change a node\u0027s provision state."},{"line_number":60,"context_line":"           Similar to ``admin`` implying ``member``, ``member`` implies"},{"line_number":61,"context_line":"           ``reader``."},{"line_number":62,"context_line":"* reader - This is a user which needs to be able to have read-only access."}],"source_content_type":"text/x-rst","patch_set":12,"id":"338c872c_62644751","line":59,"range":{"start_line":59,"start_character":32,"end_line":59,"end_character":66},"in_reply_to":"ee5fc0a1_e03be526","updated":"2021-02-08 20:29:09.000000000","message":"I actually think it may be okay, at least as long as we have one policy knob. Presently in my current patch it is SYSTEM_OR_OWNER_MEMBER_AND_LESSEE_ADMIN. Hopefully that makes sense.\n\nWe could likely add more, but with the one basic control we should be good. 
\n\nMaybe we can make it fine grained sometime in Xena.","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"cc32f6bc799e2ac9243c6776771eb01c4398f0ba","unresolved":true,"context_lines":[{"line_number":90,"context_line":"Scope definitions:"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"* system - This is similar to the existing scope of the cloud deployment today."},{"line_number":93,"context_line":"* domain - This scope, is presently only used in Keystone for assications."},{"line_number":94,"context_line":"           We do not anticipate this to apply, and the primitives do not exist"},{"line_number":95,"context_line":"           in Ironic."},{"line_number":96,"context_line":"* project - This is the logical grouping in which users are members of projects"}],"source_content_type":"text/x-rst","patch_set":12,"id":"e6b5a033_41f06ddf","line":93,"range":{"start_line":93,"start_character":62,"end_line":93,"end_character":73},"updated":"2021-02-08 14:55:27.000000000","message":"associations?","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e1929943c5a71efa800e4e9dff6420f79e1e0fe0","unresolved":false,"context_lines":[{"line_number":90,"context_line":"Scope definitions:"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"* system - This is similar to the existing scope of the cloud deployment today."},{"line_number":93,"context_line":"* domain - This scope, is presently only used in Keystone for assications."},{"line_number":94,"context_line":"           We do not anticipate this to apply, and the primitives do not exist"},{"line_number":95,"context_line":"           in Ironic."},{"line_number":96,"context_line":"* project 
- This is the logical grouping in which users are members of projects"}],"source_content_type":"text/x-rst","patch_set":12,"id":"e909221c_a9533789","line":93,"range":{"start_line":93,"start_character":62,"end_line":93,"end_character":73},"in_reply_to":"e6b5a033_41f06ddf","updated":"2021-02-10 14:25:09.000000000","message":"Done","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"cc32f6bc799e2ac9243c6776771eb01c4398f0ba","unresolved":true,"context_lines":[{"line_number":145,"context_line":"b) Implement the ability to move to the standard scope based"},{"line_number":146,"context_line":"   restriction where the new standardized roles would apply."},{"line_number":147,"context_line":"c) Move services, such as ironic from the concept of `admin projects`"},{"line_number":148,"context_line":"   to an `system scope`."},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"We will do this by:"},{"line_number":151,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"4f4f8033_925ab8fb","line":148,"range":{"start_line":148,"start_character":6,"end_line":148,"end_character":8},"updated":"2021-02-08 14:55:27.000000000","message":"a","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e1929943c5a71efa800e4e9dff6420f79e1e0fe0","unresolved":false,"context_lines":[{"line_number":145,"context_line":"b) Implement the ability to move to the standard scope based"},{"line_number":146,"context_line":"   restriction where the new standardized roles would apply."},{"line_number":147,"context_line":"c) Move services, such as ironic from the concept of `admin projects`"},{"line_number":148,"context_line":"   to an `system 
scope`."},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"We will do this by:"},{"line_number":151,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"a8aa130d_1360cce5","line":148,"range":{"start_line":148,"start_character":6,"end_line":148,"end_character":8},"in_reply_to":"4f4f8033_925ab8fb","updated":"2021-02-10 14:25:09.000000000","message":"Done","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":23851,"name":"Riccardo Pittau","email":"elfosardo@gmail.com","username":"elfosardo"},"change_message_id":"6c6ac328c1490ab90269fbf72195be26c38a489e","unresolved":true,"context_lines":[{"line_number":154,"context_line":"2) Deprecating the previous policies in code which consist of roles"},{"line_number":155,"context_line":"   scoped to the ``baremetal`` project. These should be anticipated to be"},{"line_number":156,"context_line":"   removed at a later point in time."},{"line_number":157,"context_line":"3) Implement explicit testing to ensure scopes are handled as we expect."},{"line_number":158,"context_line":"4) Create an integration test job leveraging the ``oslo.policy`` setting"},{"line_number":159,"context_line":"   to enforce scope restriction to help ensure cross-service compatability"},{"line_number":160,"context_line":"   and potentially having to alter some cross-service interactions to ensure"}],"source_content_type":"text/x-rst","patch_set":12,"id":"8a5734e4_2734a573","line":157,"range":{"start_line":157,"start_character":3,"end_line":157,"end_character":12},"updated":"2021-02-08 17:20:49.000000000","message":"nit: just for the sake of consistency with the other points, \"Implementing\"","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"e1929943c5a71efa800e4e9dff6420f79e1e0fe0","unresolved":false,"context_lines":[{"line_number":154,"context_line":"2) Deprecating the previous policies in code which consist of roles"},{"line_number":155,"context_line":"   scoped to the ``baremetal`` project. These should be anticipated to be"},{"line_number":156,"context_line":"   removed at a later point in time."},{"line_number":157,"context_line":"3) Implement explicit testing to ensure scopes are handled as we expect."},{"line_number":158,"context_line":"4) Create an integration test job leveraging the ``oslo.policy`` setting"},{"line_number":159,"context_line":"   to enforce scope restriction to help ensure cross-service compatability"},{"line_number":160,"context_line":"   and potentially having to alter some cross-service interactions to ensure"}],"source_content_type":"text/x-rst","patch_set":12,"id":"8907fe9c_8a1a69c3","line":157,"range":{"start_line":157,"start_character":3,"end_line":157,"end_character":12},"in_reply_to":"8a5734e4_2734a573","updated":"2021-02-10 14:25:09.000000000","message":"Done","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":23851,"name":"Riccardo Pittau","email":"elfosardo@gmail.com","username":"elfosardo"},"change_message_id":"6c6ac328c1490ab90269fbf72195be26c38a489e","unresolved":true,"context_lines":[{"line_number":155,"context_line":"   scoped to the ``baremetal`` project. 
These should be anticipated to be"},{"line_number":156,"context_line":"   removed at a later point in time."},{"line_number":157,"context_line":"3) Implement explicit testing to ensure scopes are handled as we expect."},{"line_number":158,"context_line":"4) Create an integration test job leveraging the ``oslo.policy`` setting"},{"line_number":159,"context_line":"   to enforce scope restriction to help ensure cross-service compatability"},{"line_number":160,"context_line":"   and potentially having to alter some cross-service interactions to ensure"},{"line_number":161,"context_line":"   requests are appropriately modeled. It should be expected that this may"}],"source_content_type":"text/x-rst","patch_set":12,"id":"5eb12f81_af8bf61f","line":158,"range":{"start_line":158,"start_character":3,"end_line":158,"end_character":9},"updated":"2021-02-08 17:20:49.000000000","message":"nit: as above, \"Creating\"","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e1929943c5a71efa800e4e9dff6420f79e1e0fe0","unresolved":false,"context_lines":[{"line_number":155,"context_line":"   scoped to the ``baremetal`` project. These should be anticipated to be"},{"line_number":156,"context_line":"   removed at a later point in time."},{"line_number":157,"context_line":"3) Implement explicit testing to ensure scopes are handled as we expect."},{"line_number":158,"context_line":"4) Create an integration test job leveraging the ``oslo.policy`` setting"},{"line_number":159,"context_line":"   to enforce scope restriction to help ensure cross-service compatability"},{"line_number":160,"context_line":"   and potentially having to alter some cross-service interactions to ensure"},{"line_number":161,"context_line":"   requests are appropriately modeled. 
It should be expected that this may"}],"source_content_type":"text/x-rst","patch_set":12,"id":"24f05619_b14afdea","line":158,"range":{"start_line":158,"start_character":3,"end_line":158,"end_character":9},"in_reply_to":"5eb12f81_af8bf61f","updated":"2021-02-10 14:25:09.000000000","message":"Done","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":7160,"name":"arkady kanevsky","email":"akanevsk@redhat.com","username":"arkady"},"change_message_id":"7d9f1f2b83e31b8a871a63588553d57a4b33f339","unresolved":true,"context_lines":[{"line_number":178,"context_line":"anticipated use model."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"In order to have a consistent use pattern moving forward, the existing"},{"line_number":181,"context_line":"role definitions of ``baremetal_admin`` and ``baremetal_reader`` will be"},{"line_number":182,"context_line":"deprecated and removed, however they will also not be effective"},{"line_number":183,"context_line":"once the ``[oslo_policy]enforce_scope`` and"},{"line_number":184,"context_line":"``[oslo_policy]enforce_new_defaults`` parameters are set to ``True``."},{"line_number":185,"context_line":""},{"line_number":186,"context_line":"Above and beyond new policy definitions, the creation of additional tests"},{"line_number":187,"context_line":"will be needed in the ``ironic`` and ``ironic-inspector`` projects to validate"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3e71e4ec_420565cc","line":184,"range":{"start_line":181,"start_character":0,"end_line":184,"end_character":69},"updated":"2021-02-08 16:21:02.000000000","message":"why not transition these 2 roles into system\u0026admin and system\u0026reader respectively?","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"eb1278aadc6bff152bba47589ff5725aa2305bf9","unresolved":true,"context_lines":[{"line_number":178,"context_line":"anticipated use model."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"In order to have a consistent use pattern moving forward, the existing"},{"line_number":181,"context_line":"role definitions of ``baremetal_admin`` and ``baremetal_reader`` will be"},{"line_number":182,"context_line":"deprecated and removed, however they will also not be effective"},{"line_number":183,"context_line":"once the ``[oslo_policy]enforce_scope`` and"},{"line_number":184,"context_line":"``[oslo_policy]enforce_new_defaults`` parameters are set to ``True``."},{"line_number":185,"context_line":""},{"line_number":186,"context_line":"Above and beyond new policy definitions, the creation of additional tests"},{"line_number":187,"context_line":"will be needed in the ``ironic`` and ``ironic-inspector`` projects to validate"}],"source_content_type":"text/x-rst","patch_set":12,"id":"72427198_cf492097","line":184,"range":{"start_line":181,"start_character":0,"end_line":184,"end_character":69},"in_reply_to":"3e71e4ec_420565cc","updated":"2021-02-08 17:15:45.000000000","message":"That is basically what is being proposed, but you really can\u0027t just do two.  It also made a lot of sense to include member for purposes to delineate rights/responsibilities. 
That being said, we are not breaking the old role names immediately; they are just becoming deprecated in this work, since every policy rule needs to be updated to become project- or scope-aware.","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":7160,"name":"arkady kanevsky","email":"akanevsk@redhat.com","username":"arkady"},"change_message_id":"0883c16135f1f93c7982f640b55bf8580979a310","unresolved":false,"context_lines":[{"line_number":178,"context_line":"anticipated use model."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"In order to have a consistent use pattern moving forward, the existing"},{"line_number":181,"context_line":"role definitions of ``baremetal_admin`` and ``baremetal_reader`` will be"},{"line_number":182,"context_line":"deprecated and removed, however they will also not be effective"},{"line_number":183,"context_line":"once the ``[oslo_policy]enforce_scope`` and"},{"line_number":184,"context_line":"``[oslo_policy]enforce_new_defaults`` parameters are set to ``True``."},{"line_number":185,"context_line":""},{"line_number":186,"context_line":"Above and beyond new policy definitions, the creation of additional tests"},{"line_number":187,"context_line":"will be needed in the ``ironic`` and ``ironic-inspector`` projects to validate"}],"source_content_type":"text/x-rst","patch_set":12,"id":"7b3eed68_26cec139","line":184,"range":{"start_line":181,"start_character":0,"end_line":184,"end_character":69},"in_reply_to":"72427198_cf492097","updated":"2021-02-08 21:05:26.000000000","message":"Ack","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"cc32f6bc799e2ac9243c6776771eb01c4398f0ba","unresolved":true,"context_lines":[{"line_number":196,"context_line":"   between Nova, Neutron, Cinder, Glance, Swift, and Ironic. 
Services do"},{"line_number":197,"context_line":"   convey context on behalf of the original requestor for a period of time,"},{"line_number":198,"context_line":"   and can make access control decisions based up on this. Ironic has"},{"line_number":199,"context_line":"   previously had to address these sorts of issues issues in the Neutron"},{"line_number":200,"context_line":"   and Cinder integrations."},{"line_number":201,"context_line":""},{"line_number":202,"context_line":"In terms of ``ironic-inspector`` and its API, the resulting default policies"}],"source_content_type":"text/x-rst","patch_set":12,"id":"0044e909_38afa2d5","line":199,"range":{"start_line":199,"start_character":44,"end_line":199,"end_character":57},"updated":"2021-02-08 14:55:27.000000000","message":"s/issues issues/issues/","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e1929943c5a71efa800e4e9dff6420f79e1e0fe0","unresolved":false,"context_lines":[{"line_number":196,"context_line":"   between Nova, Neutron, Cinder, Glance, Swift, and Ironic. Services do"},{"line_number":197,"context_line":"   convey context on behalf of the original requestor for a period of time,"},{"line_number":198,"context_line":"   and can make access control decisions based up on this. 
Ironic has"},{"line_number":199,"context_line":"   previously had to address these sorts of issues issues in the Neutron"},{"line_number":200,"context_line":"   and Cinder integrations."},{"line_number":201,"context_line":""},{"line_number":202,"context_line":"In terms of ``ironic-inspector`` and its API, the resulting default policies"}],"source_content_type":"text/x-rst","patch_set":12,"id":"df6a3a64_22faaa35","line":199,"range":{"start_line":199,"start_character":44,"end_line":199,"end_character":57},"in_reply_to":"0044e909_38afa2d5","updated":"2021-02-10 14:25:09.000000000","message":"Done","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":7160,"name":"arkady kanevsky","email":"akanevsk@redhat.com","username":"arkady"},"change_message_id":"7d9f1f2b83e31b8a871a63588553d57a4b33f339","unresolved":true,"context_lines":[{"line_number":205,"context_line":"purely an admin-only and hardware data collection oriented service."},{"line_number":206,"context_line":""},{"line_number":207,"context_line":".. NOTE::"},{"line_number":208,"context_line":"   In review of this specification document, it has been highlighted that"},{"line_number":209,"context_line":"   a tenant may find it useful to have the ability to trigger inspection"},{"line_number":210,"context_line":"   of a node, and have it report to *their* own ``ironic-inspector``"},{"line_number":211,"context_line":"   instance. This is an intriguing possibility, but would be a distinct"},{"line_number":212,"context_line":"   feature above and beyond the scope of this specific work. 
The benefit"},{"line_number":213,"context_line":"   of the previous \"policy in code\" effort, is operators should be able"},{"line_number":214,"context_line":"   to simply update the policy in this case."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"High level matrix"}],"source_content_type":"text/x-rst","patch_set":12,"id":"4ca4b65a_8a7217f1","line":214,"range":{"start_line":208,"start_character":0,"end_line":214,"end_character":44},"updated":"2021-02-08 16:21:02.000000000","message":"I think it is worth bringing up the bare-metal-as-a-service model: transitioning ownership and control of a node to a tenant/project admin to manage. Upon completion of node usage, it is returned to the system admin and the general pool of nodes.","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"eb1278aadc6bff152bba47589ff5725aa2305bf9","unresolved":true,"context_lines":[{"line_number":205,"context_line":"purely an admin-only and hardware data collection oriented service."},{"line_number":206,"context_line":""},{"line_number":207,"context_line":".. NOTE::"},{"line_number":208,"context_line":"   In review of this specification document, it has been highlighted that"},{"line_number":209,"context_line":"   a tenant may find it useful to have the ability to trigger inspection"},{"line_number":210,"context_line":"   of a node, and have it report to *their* own ``ironic-inspector``"},{"line_number":211,"context_line":"   instance. This is an intriguing possibility, but would be a distinct"},{"line_number":212,"context_line":"   feature above and beyond the scope of this specific work. 
The benefit"},{"line_number":213,"context_line":"   of the previous \"policy in code\" effort, is operators should be able"},{"line_number":214,"context_line":"   to simply update the policy in this case."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"High level matrix"}],"source_content_type":"text/x-rst","patch_set":12,"id":"0ab9b464_bdc9c929","line":214,"range":{"start_line":208,"start_character":0,"end_line":214,"end_character":44},"in_reply_to":"4ca4b65a_8a7217f1","updated":"2021-02-08 17:15:45.000000000","message":"I\u0027m a little confused by this comment. We bring up compute resource usage and possibly supporting auto-association and rights granting as part of a lessee use model below, but also note that is out of scope for this work as it this work stops at making project scope and system scoped access a realtiy. The project scoped access through nova would simply be about 30 lines of code added to nova with a release note to populate and de-populate the field","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":7160,"name":"arkady kanevsky","email":"akanevsk@redhat.com","username":"arkady"},"change_message_id":"7d9f1f2b83e31b8a871a63588553d57a4b33f339","unresolved":true,"context_lines":[{"line_number":225,"context_line":"reached within the community. The end name definition may be something"},{"line_number":226,"context_line":"similar, but that is an implementation naming decision,"},{"line_number":227,"context_line":"not higher level design decision."},{"line_number":228,"context_line":""},{"line_number":229,"context_line":"* `is_node_owner` - When the API consumer\u0027s project ID value is populated in"},{"line_number":230,"context_line":"                    the Ironic node object\u0027s ``owner`` field. 
This represents"},{"line_number":231,"context_line":"                    that they are the authoritative"},{"line_number":232,"context_line":"                    `owner \u003chttps://specs.openstack.org/openstack/ironic-specs/specs/approved/node-owner-policy.html\u003e`_"},{"line_number":233,"context_line":"                    of the baremetal node."},{"line_number":234,"context_line":"* `is_node_lessee` - When the API consumer\u0027s project ID value is populated in"},{"line_number":235,"context_line":"                     the Ironic node object\u0027s ``lessee`` field. This is"},{"line_number":236,"context_line":"                     considered the current or assigned user of the node."},{"line_number":237,"context_line":"                     See the"},{"line_number":238,"context_line":"                     `Allow Leasable Nodes \u003chttps://specs.openstack.org/openstack/ironic-specs/specs/15.0/node-lessee.html\u003e`_"},{"line_number":239,"context_line":"                     specification for additional details."},{"line_number":240,"context_line":""},{"line_number":241,"context_line":".. NOTE::"},{"line_number":242,"context_line":"   It is important to stres, that the table below are general guidelines."}],"source_content_type":"text/x-rst","patch_set":12,"id":"3a2bc65b_baa6fc46","line":239,"range":{"start_line":228,"start_character":0,"end_line":239,"end_character":58},"updated":"2021-02-08 16:21:02.000000000","message":"Are these definitions form a hierarchy? Similar to quota one.\nDepending if the model is 2 level hierarchy or multi-level one implementation will be different.","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":7160,"name":"arkady kanevsky","email":"akanevsk@redhat.com","username":"arkady"},"change_message_id":"0883c16135f1f93c7982f640b55bf8580979a310","unresolved":true,"context_lines":[{"line_number":225,"context_line":"reached within the community. 
The end name definition may be something"},{"line_number":226,"context_line":"similar, but that is an implementation naming decision,"},{"line_number":227,"context_line":"not higher level design decision."},{"line_number":228,"context_line":""},{"line_number":229,"context_line":"* `is_node_owner` - When the API consumer\u0027s project ID value is populated in"},{"line_number":230,"context_line":"                    the Ironic node object\u0027s ``owner`` field. This represents"},{"line_number":231,"context_line":"                    that they are the authoritative"},{"line_number":232,"context_line":"                    `owner \u003chttps://specs.openstack.org/openstack/ironic-specs/specs/approved/node-owner-policy.html\u003e`_"},{"line_number":233,"context_line":"                    of the baremetal node."},{"line_number":234,"context_line":"* `is_node_lessee` - When the API consumer\u0027s project ID value is populated in"},{"line_number":235,"context_line":"                     the Ironic node object\u0027s ``lessee`` field. This is"},{"line_number":236,"context_line":"                     considered the current or assigned user of the node."},{"line_number":237,"context_line":"                     See the"},{"line_number":238,"context_line":"                     `Allow Leasable Nodes \u003chttps://specs.openstack.org/openstack/ironic-specs/specs/15.0/node-lessee.html\u003e`_"},{"line_number":239,"context_line":"                     specification for additional details."},{"line_number":240,"context_line":""},{"line_number":241,"context_line":".. NOTE::"},{"line_number":242,"context_line":"   It is important to stres, that the table below are general guidelines."}],"source_content_type":"text/x-rst","patch_set":12,"id":"3cece5cf_150fa154","line":239,"range":{"start_line":228,"start_character":0,"end_line":239,"end_character":58},"in_reply_to":"0bc58b8e_9658669f","updated":"2021-02-08 21:05:26.000000000","message":"OK with that. 
But want to explicitly state that Ironic only support 2 layer hierarchy. No sublease.","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"eb1278aadc6bff152bba47589ff5725aa2305bf9","unresolved":true,"context_lines":[{"line_number":225,"context_line":"reached within the community. The end name definition may be something"},{"line_number":226,"context_line":"similar, but that is an implementation naming decision,"},{"line_number":227,"context_line":"not higher level design decision."},{"line_number":228,"context_line":""},{"line_number":229,"context_line":"* `is_node_owner` - When the API consumer\u0027s project ID value is populated in"},{"line_number":230,"context_line":"                    the Ironic node object\u0027s ``owner`` field. This represents"},{"line_number":231,"context_line":"                    that they are the authoritative"},{"line_number":232,"context_line":"                    `owner \u003chttps://specs.openstack.org/openstack/ironic-specs/specs/approved/node-owner-policy.html\u003e`_"},{"line_number":233,"context_line":"                    of the baremetal node."},{"line_number":234,"context_line":"* `is_node_lessee` - When the API consumer\u0027s project ID value is populated in"},{"line_number":235,"context_line":"                     the Ironic node object\u0027s ``lessee`` field. 
This is"},{"line_number":236,"context_line":"                     considered the current or assigned user of the node."},{"line_number":237,"context_line":"                     See the"},{"line_number":238,"context_line":"                     `Allow Leasable Nodes \u003chttps://specs.openstack.org/openstack/ironic-specs/specs/15.0/node-lessee.html\u003e`_"},{"line_number":239,"context_line":"                     specification for additional details."},{"line_number":240,"context_line":""},{"line_number":241,"context_line":".. NOTE::"},{"line_number":242,"context_line":"   It is important to stres, that the table below are general guidelines."}],"source_content_type":"text/x-rst","patch_set":12,"id":"0bc58b8e_9658669f","line":239,"range":{"start_line":228,"start_character":0,"end_line":239,"end_character":58},"in_reply_to":"3a2bc65b_baa6fc46","updated":"2021-02-08 17:15:45.000000000","message":"They are disjointed. Separate fields, could be entirely different groups. The general idea is an owner is either the legal owner or \"end manager\" of the hardware, and the lessee is the person who has been granted that hardware for a limited purpose or time. This was to enable the resource trading for Mass Open Cloud efforts, whilst also enabling the owner to be able to clawback the physical resources. A node can, or may not have any combination of the two fields populated, thus really forming a bit of a matrix.","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e1929943c5a71efa800e4e9dff6420f79e1e0fe0","unresolved":true,"context_lines":[{"line_number":225,"context_line":"reached within the community. 
The end name definition may be something"},{"line_number":226,"context_line":"similar, but that is an implementation naming decision,"},{"line_number":227,"context_line":"not higher level design decision."},{"line_number":228,"context_line":""},{"line_number":229,"context_line":"* `is_node_owner` - When the API consumer\u0027s project ID value is populated in"},{"line_number":230,"context_line":"                    the Ironic node object\u0027s ``owner`` field. This represents"},{"line_number":231,"context_line":"                    that they are the authoritative"},{"line_number":232,"context_line":"                    `owner \u003chttps://specs.openstack.org/openstack/ironic-specs/specs/approved/node-owner-policy.html\u003e`_"},{"line_number":233,"context_line":"                    of the baremetal node."},{"line_number":234,"context_line":"* `is_node_lessee` - When the API consumer\u0027s project ID value is populated in"},{"line_number":235,"context_line":"                     the Ironic node object\u0027s ``lessee`` field. This is"},{"line_number":236,"context_line":"                     considered the current or assigned user of the node."},{"line_number":237,"context_line":"                     See the"},{"line_number":238,"context_line":"                     `Allow Leasable Nodes \u003chttps://specs.openstack.org/openstack/ironic-specs/specs/15.0/node-lessee.html\u003e`_"},{"line_number":239,"context_line":"                     specification for additional details."},{"line_number":240,"context_line":""},{"line_number":241,"context_line":".. 
NOTE::"},{"line_number":242,"context_line":"   It is important to stres, that the table below are general guidelines."}],"source_content_type":"text/x-rst","patch_set":12,"id":"3dfe8f72_e50ff7b6","line":239,"range":{"start_line":228,"start_character":0,"end_line":239,"end_character":58},"in_reply_to":"3cece5cf_150fa154","updated":"2021-02-10 14:25:09.000000000","message":"That is unrelated to this though, and the next table says the fields are blocked in project scope with the exception of project-admins who should be able to edit lessee.","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"cc32f6bc799e2ac9243c6776771eb01c4398f0ba","unresolved":true,"context_lines":[{"line_number":239,"context_line":"                     specification for additional details."},{"line_number":240,"context_line":""},{"line_number":241,"context_line":".. NOTE::"},{"line_number":242,"context_line":"   It is important to stres, that the table below are general guidelines."},{"line_number":243,"context_line":"   A higher level of detail is available below in `Project Scope`_"},{"line_number":244,"context_line":"   and `Endpoint Access Rights`_."},{"line_number":245,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"1115fb72_eaf08621","line":242,"range":{"start_line":242,"start_character":22,"end_line":242,"end_character":27},"updated":"2021-02-08 14:55:27.000000000","message":"stress","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":7160,"name":"arkady kanevsky","email":"akanevsk@redhat.com","username":"arkady"},"change_message_id":"7d9f1f2b83e31b8a871a63588553d57a4b33f339","unresolved":true,"context_lines":[{"line_number":239,"context_line":"                     specification for additional details."},{"line_number":240,"context_line":""},{"line_number":241,"context_line":".. 
NOTE::"},{"line_number":242,"context_line":"   It is important to stres, that the table below are general guidelines."},{"line_number":243,"context_line":"   A higher level of detail is available below in `Project Scope`_"},{"line_number":244,"context_line":"   and `Endpoint Access Rights`_."},{"line_number":245,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"847f46b3_11a6bf80","line":242,"range":{"start_line":242,"start_character":22,"end_line":242,"end_character":27},"updated":"2021-02-08 16:21:02.000000000","message":"stress","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e1929943c5a71efa800e4e9dff6420f79e1e0fe0","unresolved":false,"context_lines":[{"line_number":239,"context_line":"                     specification for additional details."},{"line_number":240,"context_line":""},{"line_number":241,"context_line":".. 
NOTE::"},{"line_number":242,"context_line":"   It is important to stres, that the table below are general guidelines."},{"line_number":243,"context_line":"   A higher level of detail is available below in `Project Scope`_"},{"line_number":244,"context_line":"   and `Endpoint Access Rights`_."},{"line_number":245,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"b218616b_86b0ed9e","line":242,"range":{"start_line":242,"start_character":22,"end_line":242,"end_character":27},"in_reply_to":"1115fb72_eaf08621","updated":"2021-02-10 14:25:09.000000000","message":"Done","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e1929943c5a71efa800e4e9dff6420f79e1e0fe0","unresolved":false,"context_lines":[{"line_number":239,"context_line":"                     specification for additional details."},{"line_number":240,"context_line":""},{"line_number":241,"context_line":".. 
NOTE::"},{"line_number":242,"context_line":"   It is important to stres, that the table below are general guidelines."},{"line_number":243,"context_line":"   A higher level of detail is available below in `Project Scope`_"},{"line_number":244,"context_line":"   and `Endpoint Access Rights`_."},{"line_number":245,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"e0f5b71b_15a4896f","line":242,"range":{"start_line":242,"start_character":22,"end_line":242,"end_character":27},"in_reply_to":"847f46b3_11a6bf80","updated":"2021-02-10 14:25:09.000000000","message":"Done","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":7160,"name":"arkady kanevsky","email":"akanevsk@redhat.com","username":"arkady"},"change_message_id":"7d9f1f2b83e31b8a871a63588553d57a4b33f339","unresolved":true,"context_lines":[{"line_number":251,"context_line":"|             | \"baremetal_admin\"    | ``system`` scoped ``member`` with a   |"},{"line_number":252,"context_line":"|             | role.                | filtered view matching                |"},{"line_number":253,"context_line":"|             |                      | `is_node_owner`.                      |"},{"line_number":254,"context_line":"|             |                      | ``owner`` field updates are blocked.  |"},{"line_number":255,"context_line":"|             |                      | Some sensitive fields may be redacted |"},{"line_number":256,"context_line":"|             |                      | or be restricted from update.         
|"},{"line_number":257,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":258,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":259,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"}],"source_content_type":"text/x-rst","patch_set":12,"id":"1954c343_cec4d36d","line":256,"range":{"start_line":254,"start_character":39,"end_line":256,"end_character":69},"updated":"2021-02-08 16:21:02.000000000","message":"does system admin still have access to node management if it is under project admin?","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"eb1278aadc6bff152bba47589ff5725aa2305bf9","unresolved":true,"context_lines":[{"line_number":251,"context_line":"|             | \"baremetal_admin\"    | ``system`` scoped ``member`` with a   |"},{"line_number":252,"context_line":"|             | role.                | filtered view matching                |"},{"line_number":253,"context_line":"|             |                      | `is_node_owner`.                      |"},{"line_number":254,"context_line":"|             |                      | ``owner`` field updates are blocked.  |"},{"line_number":255,"context_line":"|             |                      | Some sensitive fields may be redacted |"},{"line_number":256,"context_line":"|             |                      | or be restricted from update.         
|"},{"line_number":257,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":258,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":259,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"}],"source_content_type":"text/x-rst","patch_set":12,"id":"bbab543a_6a148c4c","line":256,"range":{"start_line":254,"start_character":39,"end_line":256,"end_character":69},"in_reply_to":"1954c343_cec4d36d","updated":"2021-02-08 17:15:45.000000000","message":"Always. System admins can see everything across the entire system. This is part of the RBAC model being adopted by the rest of OpenStack.","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e1929943c5a71efa800e4e9dff6420f79e1e0fe0","unresolved":true,"context_lines":[{"line_number":251,"context_line":"|             | \"baremetal_admin\"    | ``system`` scoped ``member`` with a   |"},{"line_number":252,"context_line":"|             | role.                | filtered view matching                |"},{"line_number":253,"context_line":"|             |                      | `is_node_owner`.                      |"},{"line_number":254,"context_line":"|             |                      | ``owner`` field updates are blocked.  |"},{"line_number":255,"context_line":"|             |                      | Some sensitive fields may be redacted |"},{"line_number":256,"context_line":"|             |                      | or be restricted from update.         
|"},{"line_number":257,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":258,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":259,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"}],"source_content_type":"text/x-rst","patch_set":12,"id":"9ca23cbb_8aebd606","line":256,"range":{"start_line":254,"start_character":39,"end_line":256,"end_character":69},"in_reply_to":"9fb4cd72_f837c540","updated":"2021-02-10 14:25:09.000000000","message":"To quote something the lessee spec author said to me recently \"owners are the real admins of the systems, the system is just the entity they add the nodes to\"  And it is possible today in that context.\n\nAlso, system admins will have access to everything in the entire API. Individual node access is not revoked when delegated because in the layering of roles and access controls, the lessee or even owner cannot do some things and they may need to call up or file a ticket in some cases with the system admin. things that come with extreme risk or confusion, like actually deleting the node entirely. Hope that makes sense and provides clarity.","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":7160,"name":"arkady kanevsky","email":"akanevsk@redhat.com","username":"arkady"},"change_message_id":"0883c16135f1f93c7982f640b55bf8580979a310","unresolved":true,"context_lines":[{"line_number":251,"context_line":"|             | \"baremetal_admin\"    | ``system`` scoped ``member`` with a   |"},{"line_number":252,"context_line":"|             | role.                | filtered view matching                |"},{"line_number":253,"context_line":"|             |                      | `is_node_owner`.                      |"},{"line_number":254,"context_line":"|             |                      | ``owner`` field updates are blocked.  
|"},{"line_number":255,"context_line":"|             |                      | Some sensitive fields may be redacted |"},{"line_number":256,"context_line":"|             |                      | or be restricted from update.         |"},{"line_number":257,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":258,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":259,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"}],"source_content_type":"text/x-rst","patch_set":12,"id":"9fb4cd72_f837c540","line":256,"range":{"start_line":254,"start_character":39,"end_line":256,"end_character":69},"in_reply_to":"bbab543a_6a148c4c","updated":"2021-02-08 21:05:26.000000000","message":"Let\u0027s double check if that is the only model we want. I had heard that for security reason system admin will not have access to a node except to revoke lease. But system admin have no visibility what project admin is doing.","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":7160,"name":"arkady kanevsky","email":"akanevsk@redhat.com","username":"arkady"},"change_message_id":"7d9f1f2b83e31b8a871a63588553d57a4b33f339","unresolved":true,"context_lines":[{"line_number":255,"context_line":"|             |                      | Some sensitive fields may be redacted |"},{"line_number":256,"context_line":"|             |                      | or be restricted from update.         
|"},{"line_number":257,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":258,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":259,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"},{"line_number":260,"context_line":"|             |                      | or `is_node_owner`                    |"},{"line_number":261,"context_line":"|             | service account.     | is matched and perform field/state    |"}],"source_content_type":"text/x-rst","patch_set":12,"id":"ef9d4f44_ef604dbc","line":258,"range":{"start_line":258,"start_character":16,"end_line":258,"end_character":33},"updated":"2021-02-08 16:21:02.000000000","message":"what does the system member can do and what he/she cannot do operation-wise.","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"eb1278aadc6bff152bba47589ff5725aa2305bf9","unresolved":true,"context_lines":[{"line_number":255,"context_line":"|             |                      | Some sensitive fields may be redacted |"},{"line_number":256,"context_line":"|             |                      | or be restricted from update.         |"},{"line_number":257,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":258,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":259,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"},{"line_number":260,"context_line":"|             |                      | or `is_node_owner`                    |"},{"line_number":261,"context_line":"|             | service account.     
| is matched and perform field/state    |"}],"source_content_type":"text/x-rst","patch_set":12,"id":"263746fc_ff5ca444","line":258,"range":{"start_line":258,"start_character":16,"end_line":258,"end_character":33},"in_reply_to":"ef9d4f44_ef604dbc","updated":"2021-02-08 17:15:45.000000000","message":"This chart is basically a guideline, but basically *do-er* actions. provision state changes, property updates. Things of those nature.","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":7160,"name":"arkady kanevsky","email":"akanevsk@redhat.com","username":"arkady"},"change_message_id":"7d9f1f2b83e31b8a871a63588553d57a4b33f339","unresolved":true,"context_lines":[{"line_number":257,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":258,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":259,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"},{"line_number":260,"context_line":"|             |                      | or `is_node_owner`                    |"},{"line_number":261,"context_line":"|             | service account.     | is matched and perform field/state    |"},{"line_number":262,"context_line":"|             | Can\u0027t add or delete  | updates on individual nodes with the  |"},{"line_number":263,"context_line":"|             | nodes.               
| exception of the ``owner`` and        |"}],"source_content_type":"text/x-rst","patch_set":12,"id":"c01073a5_a778d9cb","line":260,"range":{"start_line":260,"start_character":38,"end_line":260,"end_character":59},"updated":"2021-02-08 16:21:02.000000000","message":"need more details on what project member can and cannot do.","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":7160,"name":"arkady kanevsky","email":"akanevsk@redhat.com","username":"arkady"},"change_message_id":"0883c16135f1f93c7982f640b55bf8580979a310","unresolved":false,"context_lines":[{"line_number":257,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":258,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":259,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"},{"line_number":260,"context_line":"|             |                      | or `is_node_owner`                    |"},{"line_number":261,"context_line":"|             | service account.     | is matched and perform field/state    |"},{"line_number":262,"context_line":"|             | Can\u0027t add or delete  | updates on individual nodes with the  |"},{"line_number":263,"context_line":"|             | nodes.               
| exception of the ``owner`` and        |"}],"source_content_type":"text/x-rst","patch_set":12,"id":"9c932082_c7e41466","line":260,"range":{"start_line":260,"start_character":38,"end_line":260,"end_character":59},"in_reply_to":"860307f7_5e079497","updated":"2021-02-08 21:05:26.000000000","message":"Ack","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"eb1278aadc6bff152bba47589ff5725aa2305bf9","unresolved":true,"context_lines":[{"line_number":257,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":258,"context_line":"| member      | New concept for a    | Project members will be able to use   |"},{"line_number":259,"context_line":"|             | *do-er* user or      | a baremetal node if `is_node_lessee`  |"},{"line_number":260,"context_line":"|             |                      | or `is_node_owner`                    |"},{"line_number":261,"context_line":"|             | service account.     | is matched and perform field/state    |"},{"line_number":262,"context_line":"|             | Can\u0027t add or delete  | updates on individual nodes with the  |"},{"line_number":263,"context_line":"|             | nodes.               | exception of the ``owner`` and        |"}],"source_content_type":"text/x-rst","patch_set":12,"id":"860307f7_5e079497","line":260,"range":{"start_line":260,"start_character":38,"end_line":260,"end_character":59},"in_reply_to":"c01073a5_a778d9cb","updated":"2021-02-08 17:15:45.000000000","message":"Again, this chart is really just a scope setting high level guideline. 
More detail is below, and realistically some of this will need to be sorted out in code.","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"cc32f6bc799e2ac9243c6776771eb01c4398f0ba","unresolved":true,"context_lines":[{"line_number":262,"context_line":"|             | Can\u0027t add or delete  | updates on individual nodes with the  |"},{"line_number":263,"context_line":"|             | nodes.               | exception of the ``owner`` and        |"},{"line_number":264,"context_line":"|             |                      | ``lessee`` fields. Some additional    |"},{"line_number":265,"context_line":"|             |                      | fields or update restricitons will    |"},{"line_number":266,"context_line":"|             |                      | exist.                                |"},{"line_number":267,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":268,"context_line":"| reader      | Effectively the same | This is a read-only user concept      |"}],"source_content_type":"text/x-rst","patch_set":12,"id":"6e0e3d4c_e3401632","line":265,"range":{"start_line":265,"start_character":56,"end_line":265,"end_character":68},"updated":"2021-02-08 14:55:27.000000000","message":"restrictions","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e1929943c5a71efa800e4e9dff6420f79e1e0fe0","unresolved":false,"context_lines":[{"line_number":262,"context_line":"|             | Can\u0027t add or delete  | updates on individual nodes with the  |"},{"line_number":263,"context_line":"|             | nodes.               
| exception of the ``owner`` and        |"},{"line_number":264,"context_line":"|             |                      | ``lessee`` fields. Some additional    |"},{"line_number":265,"context_line":"|             |                      | fields or update restricitons will    |"},{"line_number":266,"context_line":"|             |                      | exist.                                |"},{"line_number":267,"context_line":"+-------------+----------------------+---------------------------------------+"},{"line_number":268,"context_line":"| reader      | Effectively the same | This is a read-only user concept      |"}],"source_content_type":"text/x-rst","patch_set":12,"id":"351bb01d_dd03f3db","line":265,"range":{"start_line":265,"start_character":56,"end_line":265,"end_character":68},"in_reply_to":"6e0e3d4c_e3401632","updated":"2021-02-10 14:25:09.000000000","message":"Done","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":7160,"name":"arkady kanevsky","email":"akanevsk@redhat.com","username":"arkady"},"change_message_id":"7d9f1f2b83e31b8a871a63588553d57a4b33f339","unresolved":true,"context_lines":[{"line_number":280,"context_line":"   reader does not equal an auditor in role. The concept for ``auditor`` would"},{"line_number":281,"context_line":"   expect to allow secrets such as masked fields to be unmasked."},{"line_number":282,"context_line":""},{"line_number":283,"context_line":".. note:: Some role/scope combinations may be combined in discussions and"},{"line_number":284,"context_line":"   communication in a {scope}-{role} format. This is effectively the persona"},{"line_number":285,"context_line":"   being defined. Such as `system-admin` for a system wide scope or"},{"line_number":286,"context_line":"   `project-admin` for a user who is a project administrator."},{"line_number":287,"context_line":""},{"line_number":288,"context_line":".. 
note:: Field restriction are likely to be controlled by additional policy"},{"line_number":289,"context_line":"   rules, which MAY cascade in structure where if full general update access"}],"source_content_type":"text/x-rst","patch_set":12,"id":"346666ca_807338ce","line":286,"range":{"start_line":283,"start_character":0,"end_line":286,"end_character":61},"updated":"2021-02-08 16:21:02.000000000","message":"What about other implications? Like what images project scope people can use?\nWhat is the state of a node when project lessee \"return\" to system one?","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"eb1278aadc6bff152bba47589ff5725aa2305bf9","unresolved":true,"context_lines":[{"line_number":280,"context_line":"   reader does not equal an auditor in role. The concept for ``auditor`` would"},{"line_number":281,"context_line":"   expect to allow secrets such as masked fields to be unmasked."},{"line_number":282,"context_line":""},{"line_number":283,"context_line":".. note:: Some role/scope combinations may be combined in discussions and"},{"line_number":284,"context_line":"   communication in a {scope}-{role} format. This is effectively the persona"},{"line_number":285,"context_line":"   being defined. Such as `system-admin` for a system wide scope or"},{"line_number":286,"context_line":"   `project-admin` for a user who is a project administrator."},{"line_number":287,"context_line":""},{"line_number":288,"context_line":".. 
note:: Field restriction are likely to be controlled by additional policy"},{"line_number":289,"context_line":"   rules, which MAY cascade in structure where if full general update access"}],"source_content_type":"text/x-rst","patch_set":12,"id":"4c62e57a_279f4997","line":286,"range":{"start_line":283,"start_character":0,"end_line":286,"end_character":61},"in_reply_to":"346666ca_807338ce","updated":"2021-02-08 17:15:45.000000000","message":"Other implications with cross-project interactions are noted on line 194, at least at a high level. Since there is a concurrency in operation. Part of why we need to get this moving forward as quickly as possible so we\u0027re on an even footing with other projects and if we catch issues with interactions they can be fixed quickly.\n\nAs for states of node when a node is returned, that is more about the lessee interaction and not the access control. Right now, the field is manually managed, and should we support nova integration for recording/setting it where applicable, then we need to determine mechanics, but most likely out of scope for the purposes of role based access control to Ironic\u0027s API. Such integrations would just leverage the RBAC work later to provide filtered views and access to the machines in a more consistent and secure way.","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":7160,"name":"arkady kanevsky","email":"akanevsk@redhat.com","username":"arkady"},"change_message_id":"0883c16135f1f93c7982f640b55bf8580979a310","unresolved":false,"context_lines":[{"line_number":280,"context_line":"   reader does not equal an auditor in role. The concept for ``auditor`` would"},{"line_number":281,"context_line":"   expect to allow secrets such as masked fields to be unmasked."},{"line_number":282,"context_line":""},{"line_number":283,"context_line":"..
note:: Some role/scope combinations may be combined in discussions and"},{"line_number":284,"context_line":"   communication in a {scope}-{role} format. This is effectively the persona"},{"line_number":285,"context_line":"   being defined. Such as `system-admin` for a system wide scope or"},{"line_number":286,"context_line":"   `project-admin` for a user who is a project administrator."},{"line_number":287,"context_line":""},{"line_number":288,"context_line":".. note:: Field restriction are likely to be controlled by additional policy"},{"line_number":289,"context_line":"   rules, which MAY cascade in structure where if full general update access"}],"source_content_type":"text/x-rst","patch_set":12,"id":"7c324cbc_d0ca8d3d","line":286,"range":{"start_line":283,"start_character":0,"end_line":286,"end_character":61},"in_reply_to":"4c62e57a_279f4997","updated":"2021-02-08 21:05:26.000000000","message":"Ack","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":7160,"name":"arkady kanevsky","email":"akanevsk@redhat.com","username":"arkady"},"change_message_id":"7d9f1f2b83e31b8a871a63588553d57a4b33f339","unresolved":true,"context_lines":[{"line_number":334,"context_line":""},{"line_number":335,"context_line":"The transition for System scoped roles is fairly straight forward as described"},{"line_number":336,"context_line":"by the chart `High Level Matrix`_ in `Proposed Change`_."},{"line_number":337,"context_line":"Existing Admin/Observer roles would be translated to System-Admin"},{"line_number":338,"context_line":"and System-Reader respectively."},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"The addition to this scope is the ``member`` role concept. 
This is a user"},{"line_number":341,"context_line":"who can *Read* and *Update*, but that cannot *Create* or *Delete*"}],"source_content_type":"text/x-rst","patch_set":12,"id":"ea3c588b_ff903768","line":338,"range":{"start_line":337,"start_character":0,"end_line":338,"end_character":31},"updated":"2021-02-08 16:21:02.000000000","message":"good. Let\u0027s minimize the impact on the current users.","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e1929943c5a71efa800e4e9dff6420f79e1e0fe0","unresolved":false,"context_lines":[{"line_number":334,"context_line":""},{"line_number":335,"context_line":"The transition for System scoped roles is fairly straight forward as described"},{"line_number":336,"context_line":"by the chart `High Level Matrix`_ in `Proposed Change`_."},{"line_number":337,"context_line":"Existing Admin/Observer roles would be translated to System-Admin"},{"line_number":338,"context_line":"and System-Reader respectively."},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"The addition to this scope is the ``member`` role concept. 
This is a user"},{"line_number":341,"context_line":"who can *Read* and *Update*, but that cannot *Create* or *Delete*"}],"source_content_type":"text/x-rst","patch_set":12,"id":"c92bc81f_d5a8c017","line":338,"range":{"start_line":337,"start_character":0,"end_line":338,"end_character":31},"in_reply_to":"ea3c588b_ff903768","updated":"2021-02-10 14:25:09.000000000","message":"Done","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":7160,"name":"arkady kanevsky","email":"akanevsk@redhat.com","username":"arkady"},"change_message_id":"7d9f1f2b83e31b8a871a63588553d57a4b33f339","unresolved":true,"context_lines":[{"line_number":337,"context_line":"Existing Admin/Observer roles would be translated to System-Admin"},{"line_number":338,"context_line":"and System-Reader respectively."},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"The addition to this scope is the ``member`` role concept. This is a user"},{"line_number":341,"context_line":"who can *Read* and *Update*, but that cannot *Create* or *Delete*"},{"line_number":342,"context_line":"records. In other words, the API consumer can deploy a node, they can update"},{"line_number":343,"context_line":"a node, but they are unable to remove a node. 
They should be able to"},{"line_number":344,"context_line":"attach/detach VIFs, and ultimately this should be able to be the rights"},{"line_number":345,"context_line":"granted to the service account used by the ``nova-compute`` process."},{"line_number":346,"context_line":""},{"line_number":347,"context_line":"A user with a system scope of any valid role type should be anticipated as"},{"line_number":348,"context_line":"having full API surface visibility with exception of the special purpose"}],"source_content_type":"text/x-rst","patch_set":12,"id":"2bccde81_24268dd2","line":345,"range":{"start_line":340,"start_character":0,"end_line":345,"end_character":68},"updated":"2021-02-08 16:21:02.000000000","message":"let\u0027s also write it from user point of view not just implementation point of view","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"eb1278aadc6bff152bba47589ff5725aa2305bf9","unresolved":true,"context_lines":[{"line_number":337,"context_line":"Existing Admin/Observer roles would be translated to System-Admin"},{"line_number":338,"context_line":"and System-Reader respectively."},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"The addition to this scope is the ``member`` role concept. This is a user"},{"line_number":341,"context_line":"who can *Read* and *Update*, but that cannot *Create* or *Delete*"},{"line_number":342,"context_line":"records. In other words, the API consumer can deploy a node, they can update"},{"line_number":343,"context_line":"a node, but they are unable to remove a node. 
They should be able to"},{"line_number":344,"context_line":"attach/detach VIFs, and ultimately this should be able to be the rights"},{"line_number":345,"context_line":"granted to the service account used by the ``nova-compute`` process."},{"line_number":346,"context_line":""},{"line_number":347,"context_line":"A user with a system scope of any valid role type should be anticipated as"},{"line_number":348,"context_line":"having full API surface visibility with exception of the special purpose"}],"source_content_type":"text/x-rst","patch_set":12,"id":"1bdbd57a_5ef24861","line":345,"range":{"start_line":340,"start_character":0,"end_line":345,"end_character":68},"in_reply_to":"2bccde81_24268dd2","updated":"2021-02-08 17:15:45.000000000","message":"That would all be project scope, if you\u0027re speaking of end users as in humans.","commit_id":"cf41a3ef4194939e0220ff63d36c7ef863c6f531"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"532ee984287359d6f95e3aaa94480cd895619650","unresolved":false,"context_lines":[{"line_number":34,"context_line":""},{"line_number":35,"context_line":"In essence this effort is to group the access and actions behind personas,"},{"line_number":36,"context_line":"which are role and scope permutations that can be applied to a user via role"},{"line_number":37,"context_line":"assignments in keystone.users and then ensuring that the invoked access rights"},{"line_number":38,"context_line":"do not permit inappropriate access such as edit fields as a reader only"},{"line_number":39,"context_line":"role on the system scope. At a high level, this is conceptually modeled into"},{"line_number":40,"context_line":"``admin``, ``member``, and ``reader`` roles. During the"}],"source_content_type":"text/x-rst","patch_set":13,"id":"d849345f_f763a54e","line":37,"updated":"2021-02-15 16:34:47.000000000","message":"nit: \"is to group ....
and then ensure\"","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"532ee984287359d6f95e3aaa94480cd895619650","unresolved":false,"context_lines":[{"line_number":144,"context_line":"a) Have greater consistency through the adoption of standard roles."},{"line_number":145,"context_line":"b) Implement the ability to move to the standard scope based"},{"line_number":146,"context_line":"   restriction where the new standardized roles would apply."},{"line_number":147,"context_line":"c) Move services, such as ironic from the concept of `admin projects`"},{"line_number":148,"context_line":"   to a `system scope`."},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"We will do this by:"}],"source_content_type":"text/x-rst","patch_set":13,"id":"c2903a05_11ea211a","line":147,"updated":"2021-02-15 16:34:47.000000000","message":"nit: comma after ironic?","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"532ee984287359d6f95e3aaa94480cd895619650","unresolved":false,"context_lines":[{"line_number":152,"context_line":"1) Constructing a new set of policies to reflect the secure"},{"line_number":153,"context_line":"   RBAC model where the \"scope\" is included as part of the definition."},{"line_number":154,"context_line":"2) Deprecating the previous policies in code which consist of roles"},{"line_number":155,"context_line":"   scoped to the ``baremetal`` project. 
These should be anticipated to be"},{"line_number":156,"context_line":"   removed at a later point in time."},{"line_number":157,"context_line":"3) Implementing explicit testing to ensure scopes are handled as we expect."},{"line_number":158,"context_line":"4) Creating an integration test job leveraging the ``oslo.policy`` setting"}],"source_content_type":"text/x-rst","patch_set":13,"id":"20142d25_27cb75a2","line":155,"updated":"2021-02-15 16:34:47.000000000","message":"Is it really a thing? I haven\u0027t seen it, I think TripleO uses admin/services projects.","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"81b0e305bcd70483daa7d600d739c0e2511cf813","unresolved":false,"context_lines":[{"line_number":152,"context_line":"1) Constructing a new set of policies to reflect the secure"},{"line_number":153,"context_line":"   RBAC model where the \"scope\" is included as part of the definition."},{"line_number":154,"context_line":"2) Deprecating the previous policies in code which consist of roles"},{"line_number":155,"context_line":"   scoped to the ``baremetal`` project. These should be anticipated to be"},{"line_number":156,"context_line":"   removed at a later point in time."},{"line_number":157,"context_line":"3) Implementing explicit testing to ensure scopes are handled as we expect."},{"line_number":158,"context_line":"4) Creating an integration test job leveraging the ``oslo.policy`` setting"}],"source_content_type":"text/x-rst","patch_set":13,"id":"748075b1_42746241","line":155,"in_reply_to":"20142d25_27cb75a2","updated":"2021-02-15 18:15:23.000000000","message":"It is literally what is done today. 
I have a patch to make it more configurable which we can hopefully backport to allow it to be fine tuned a little more, but I think that is entirely disjointed from this.","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"532ee984287359d6f95e3aaa94480cd895619650","unresolved":false,"context_lines":[{"line_number":156,"context_line":"   removed at a later point in time."},{"line_number":157,"context_line":"3) Implementing explicit testing to ensure scopes are handled as we expect."},{"line_number":158,"context_line":"4) Creating an integration test job leveraging the ``oslo.policy`` setting"},{"line_number":159,"context_line":"   to enforce scope restriction to help ensure cross-service compatability"},{"line_number":160,"context_line":"   and potentially having to alter some cross-service interactions to ensure"},{"line_number":161,"context_line":"   requests are appropriately modeled. 
It should be expected that this may"},{"line_number":162,"context_line":"   make visible any number of possible issues which will need to be addressed."}],"source_content_type":"text/x-rst","patch_set":13,"id":"51477e2c_1203b143","line":159,"updated":"2021-02-15 16:34:47.000000000","message":"nit: compatibility","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"532ee984287359d6f95e3aaa94480cd895619650","unresolved":false,"context_lines":[{"line_number":202,"context_line":"In terms of ``ironic-inspector`` and its API, the resulting default policies"},{"line_number":203,"context_line":"for this effort would be entirely system scoped and no other scope is"},{"line_number":204,"context_line":"anticipated to need implementation as the ``ironic-inspector`` is"},{"line_number":205,"context_line":"purely an admin-only and hardware data collection oriented service."},{"line_number":206,"context_line":""},{"line_number":207,"context_line":".. 
NOTE::"},{"line_number":208,"context_line":"   In review of this specification document, it has been highlighted that"}],"source_content_type":"text/x-rst","patch_set":13,"id":"fea1cf09_425bcea3","line":205,"updated":"2021-02-15 16:34:47.000000000","message":"We should really merge most of inspector back into ironic, especially the introspection rules part..","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"81b0e305bcd70483daa7d600d739c0e2511cf813","unresolved":false,"context_lines":[{"line_number":202,"context_line":"In terms of ``ironic-inspector`` and its API, the resulting default policies"},{"line_number":203,"context_line":"for this effort would be entirely system scoped and no other scope is"},{"line_number":204,"context_line":"anticipated to need implementation as the ``ironic-inspector`` is"},{"line_number":205,"context_line":"purely an admin-only and hardware data collection oriented service."},{"line_number":206,"context_line":""},{"line_number":207,"context_line":".. NOTE::"},{"line_number":208,"context_line":"   In review of this specification document, it has been highlighted that"}],"source_content_type":"text/x-rst","patch_set":13,"id":"6cbaafbc_5978aad7","line":205,"in_reply_to":"fea1cf09_425bcea3","updated":"2021-02-15 18:15:23.000000000","message":"Yeah, Still I think that is mostly all pure system scoped $things,.. 
I think.","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"532ee984287359d6f95e3aaa94480cd895619650","unresolved":false,"context_lines":[{"line_number":322,"context_line":""},{"line_number":323,"context_line":"In accordance with API standards, even though it will not modify functional"},{"line_number":324,"context_line":"behavior this change will increment the API micro-version. This is to enable"},{"line_number":325,"context_line":"API consumers to be able to navigate around possible logic or policy changes"},{"line_number":326,"context_line":"around an upgrade. This is unrelated to policy enforcement specifics which"},{"line_number":327,"context_line":"cannot be permitted to be visible via the API surface."},{"line_number":328,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"25eab260_9b6a3f71","line":325,"updated":"2021-02-15 16:34:47.000000000","message":"+1","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"81b0e305bcd70483daa7d600d739c0e2511cf813","unresolved":false,"context_lines":[{"line_number":322,"context_line":""},{"line_number":323,"context_line":"In accordance with API standards, even though it will not modify functional"},{"line_number":324,"context_line":"behavior this change will increment the API micro-version. This is to enable"},{"line_number":325,"context_line":"API consumers to be able to navigate around possible logic or policy changes"},{"line_number":326,"context_line":"around an upgrade. 
This is unrelated to policy enforcement specifics which"},{"line_number":327,"context_line":"cannot be permitted to be visible via the API surface."},{"line_number":328,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"64e23fc7_e505b83d","line":325,"in_reply_to":"25eab260_9b6a3f71","updated":"2021-02-15 18:15:23.000000000","message":"This reminds me, I do need to rev that version once project work is done :)","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"532ee984287359d6f95e3aaa94480cd895619650","unresolved":false,"context_lines":[{"line_number":343,"context_line":"records. In other words, the API consumer can deploy a node, they can update"},{"line_number":344,"context_line":"a node, but they are unable to remove a node. They should be able to"},{"line_number":345,"context_line":"attach/detach VIFs, and ultimately this should be able to be the rights"},{"line_number":346,"context_line":"granted to the service account used by the ``nova-compute`` process."},{"line_number":347,"context_line":""},{"line_number":348,"context_line":"A user with a system scope of any valid role type should be anticipated as"},{"line_number":349,"context_line":"having full API surface visibility with exception of the special purpose"}],"source_content_type":"text/x-rst","patch_set":13,"id":"49a4c6c4_d31e3b16","line":346,"updated":"2021-02-15 16:34:47.000000000","message":"I\u0027m wondering about clean steps. Some of them can be quite destructive, e.g. 
the iLO5\u0027s shred-the-machine-from-inside step.","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"81b0e305bcd70483daa7d600d739c0e2511cf813","unresolved":false,"context_lines":[{"line_number":343,"context_line":"records. In other words, the API consumer can deploy a node, they can update"},{"line_number":344,"context_line":"a node, but they are unable to remove a node. They should be able to"},{"line_number":345,"context_line":"attach/detach VIFs, and ultimately this should be able to be the rights"},{"line_number":346,"context_line":"granted to the service account used by the ``nova-compute`` process."},{"line_number":347,"context_line":""},{"line_number":348,"context_line":"A user with a system scope of any valid role type should be anticipated as"},{"line_number":349,"context_line":"having full API surface visibility with exception of the special purpose"}],"source_content_type":"text/x-rst","patch_set":13,"id":"f2e35426_bbe20f96","line":346,"in_reply_to":"49a4c6c4_d31e3b16","updated":"2021-02-15 18:15:23.000000000","message":"Hmm... this is a major conundrum. Still somewhat disjointed. I wonder if we need to be able to put a policy check on individual steps?","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"532ee984287359d6f95e3aaa94480cd895619650","unresolved":false,"context_lines":[{"line_number":463,"context_line":"| /v1/nodes/{uuid}/volume/connectors | Filtered view, read-only.              |"},{"line_number":464,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":465,"context_line":"| /v1/nodes/{uuid}/volume/targets    | Filtered view, read-only.              
|"},{"line_number":466,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":467,"context_line":"| /v1/drivers                        | No, `system` scope only.               |"},{"line_number":468,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":469,"context_line":"| /v1/nodes/{uuid}/bios              | Yes, Filtered view based on access     |"}],"source_content_type":"text/x-rst","patch_set":13,"id":"aace51bf_ef24a978","line":466,"updated":"2021-02-15 16:34:47.000000000","message":"In theory, knowing drivers can be useful for whoever creates nodes or can update *_interface fields, but IIUC this is only the system admin.","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"81b0e305bcd70483daa7d600d739c0e2511cf813","unresolved":false,"context_lines":[{"line_number":463,"context_line":"| /v1/nodes/{uuid}/volume/connectors | Filtered view, read-only.              |"},{"line_number":464,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":465,"context_line":"| /v1/nodes/{uuid}/volume/targets    | Filtered view, read-only.              |"},{"line_number":466,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":467,"context_line":"| /v1/drivers                        | No, `system` scope only.               
|"},{"line_number":468,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":469,"context_line":"| /v1/nodes/{uuid}/bios              | Yes, Filtered view based on access     |"}],"source_content_type":"text/x-rst","patch_set":13,"id":"8489dd93_1d1115c4","line":466,"in_reply_to":"aace51bf_ef24a978","updated":"2021-02-15 18:15:23.000000000","message":"This is correct.","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"532ee984287359d6f95e3aaa94480cd895619650","unresolved":false,"context_lines":[{"line_number":466,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":467,"context_line":"| /v1/drivers                        | No, `system` scope only.               |"},{"line_number":468,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":469,"context_line":"| /v1/nodes/{uuid}/bios              | Yes, Filtered view based on access     |"},{"line_number":470,"context_line":"|                                    | rights to the underlying node.         |"},{"line_number":471,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":472,"context_line":"| /v1/conductors                     | No, `system` scope only.               |"}],"source_content_type":"text/x-rst","patch_set":13,"id":"7c5f1657_256109be","line":469,"updated":"2021-02-15 16:34:47.000000000","message":"This exposes a lot of vendor-specific information.. 
on the other hand, the same things may be read in-band usually.","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"81b0e305bcd70483daa7d600d739c0e2511cf813","unresolved":false,"context_lines":[{"line_number":466,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":467,"context_line":"| /v1/drivers                        | No, `system` scope only.               |"},{"line_number":468,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":469,"context_line":"| /v1/nodes/{uuid}/bios              | Yes, Filtered view based on access     |"},{"line_number":470,"context_line":"|                                    | rights to the underlying node.         |"},{"line_number":471,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":472,"context_line":"| /v1/conductors                     | No, `system` scope only.               |"}],"source_content_type":"text/x-rst","patch_set":13,"id":"5d3ef2dd_8cfdae92","line":469,"in_reply_to":"7c5f1657_256109be","updated":"2021-02-15 18:15:23.000000000","message":"Yeah, Basically the pattern in project scope is we run a \"can you even see the node\" check first which requires project_id to owner or lessee match, which restricts things nicely. 
Would still need to be observer visible, so the only thing I would be worried about is lessee readers inside a project.","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"532ee984287359d6f95e3aaa94480cd895619650","unresolved":false,"context_lines":[{"line_number":476,"context_line":"|                                    | this endpoint.                         |"},{"line_number":477,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":478,"context_line":"| /v1/deploy_templates               | No, `system` scope only at this time.  |"},{"line_number":479,"context_line":"|                                    | as the table/data structure is not     |"},{"line_number":480,"context_line":"|                                    | modeled for compatability.             |"},{"line_number":481,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":482,"context_line":"| /v1/chassis                        | No, `system` scope only.               |"}],"source_content_type":"text/x-rst","patch_set":13,"id":"337b69bb_24544970","line":479,"updated":"2021-02-15 16:34:47.000000000","message":"If we allow using deploy_steps to members, why cannot they create deploy templates? Or do you plan on restricting using the new deploy_steps argument?\n\nAlthough then they need to be able to edit traits... Hmm.","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"81b0e305bcd70483daa7d600d739c0e2511cf813","unresolved":false,"context_lines":[{"line_number":476,"context_line":"|                                    | this endpoint.                         
|"},{"line_number":477,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":478,"context_line":"| /v1/deploy_templates               | No, `system` scope only at this time.  |"},{"line_number":479,"context_line":"|                                    | as the table/data structure is not     |"},{"line_number":480,"context_line":"|                                    | modeled for compatability.             |"},{"line_number":481,"context_line":"+------------------------------------+----------------------------------------+"},{"line_number":482,"context_line":"| /v1/chassis                        | No, `system` scope only.               |"}],"source_content_type":"text/x-rst","patch_set":13,"id":"ab214ca5_fb8f7708","line":479,"in_reply_to":"337b69bb_24544970","updated":"2021-02-15 18:15:23.000000000","message":"I see where your brain is going. I think we can make deploy_templates multi-viewable, but I think that may end up being outside of the initial gate since we\u0027re going to need to record and match/isolate based upon these values since at present they are global.","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"532ee984287359d6f95e3aaa94480cd895619650","unresolved":false,"context_lines":[{"line_number":521,"context_line":"* target_power_state - Read-Only"},{"line_number":522,"context_line":"* provision_state - Read-Only"},{"line_number":523,"context_line":"* target_provision_state - Read-Only"},{"line_number":524,"context_line":"* maintenance - Read/Write"},{"line_number":525,"context_line":"* maintenance_reason - Read/Write"},{"line_number":526,"context_line":"* fault - Read/Write"},{"line_number":527,"context_line":"* last_error - ???"}],"source_content_type":"text/x-rst","patch_set":13,"id":"d312f884_ec58db6e","line":524,"updated":"2021-02-15
16:34:47.000000000","message":"Only owners?","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"81b0e305bcd70483daa7d600d739c0e2511cf813","unresolved":true,"context_lines":[{"line_number":521,"context_line":"* target_power_state - Read-Only"},{"line_number":522,"context_line":"* provision_state - Read-Only"},{"line_number":523,"context_line":"* target_provision_state - Read-Only"},{"line_number":524,"context_line":"* maintenance - Read/Write"},{"line_number":525,"context_line":"* maintenance_reason - Read/Write"},{"line_number":526,"context_line":"* fault - Read/Write"},{"line_number":527,"context_line":"* last_error - ???"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3b3be987_1f90004c","line":524,"in_reply_to":"d312f884_ec58db6e","updated":"2021-02-15 18:15:23.000000000","message":"Good question... lets see what I proposed. Lessee Admin as well. https://review.opendev.org/c/openstack/ironic/+/773924/8/ironic/common/policy.py#575 I thought it kind of made sense.","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"532ee984287359d6f95e3aaa94480cd895619650","unresolved":false,"context_lines":[{"line_number":524,"context_line":"* maintenance - Read/Write"},{"line_number":525,"context_line":"* maintenance_reason - Read/Write"},{"line_number":526,"context_line":"* fault - Read/Write"},{"line_number":527,"context_line":"* last_error - ???"},{"line_number":528,"context_line":"  .. TODO:: The issue with ``last_error`` is that it can leak infrastructure hostnames of conductors, bmcs, etc. 
For BMaaS, it might make sense?"},{"line_number":529,"context_line":"* reservation - Returned as a True/False for project users."},{"line_number":530,"context_line":"* driver - Read-Only"}],"source_content_type":"text/x-rst","patch_set":13,"id":"21f64895_6a5b23cb","line":527,"updated":"2021-02-15 16:34:47.000000000","message":"We probably need to introduce a lighter version of error, something like error_code","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"81b0e305bcd70483daa7d600d739c0e2511cf813","unresolved":true,"context_lines":[{"line_number":524,"context_line":"* maintenance - Read/Write"},{"line_number":525,"context_line":"* maintenance_reason - Read/Write"},{"line_number":526,"context_line":"* fault - Read/Write"},{"line_number":527,"context_line":"* last_error - ???"},{"line_number":528,"context_line":"  .. TODO:: The issue with ``last_error`` is that it can leak infrastructure hostnames of conductors, bmcs, etc. For BMaaS, it might make sense?"},{"line_number":529,"context_line":"* reservation - Returned as a True/False for project users."},{"line_number":530,"context_line":"* driver - Read-Only"}],"source_content_type":"text/x-rst","patch_set":13,"id":"243bc108_d9972db2","line":527,"in_reply_to":"21f64895_6a5b23cb","updated":"2021-02-15 18:15:23.000000000","message":"++","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"532ee984287359d6f95e3aaa94480cd895619650","unresolved":false,"context_lines":[{"line_number":525,"context_line":"* maintenance_reason - Read/Write"},{"line_number":526,"context_line":"* fault - Read/Write"},{"line_number":527,"context_line":"* last_error - ???"},{"line_number":528,"context_line":"  .. 
TODO:: The issue with ``last_error`` is that it can leak infrastructure hostnames of conductors, bmcs, etc. For BMaaS, it might make sense?"},{"line_number":529,"context_line":"* reservation - Returned as a True/False for project users."},{"line_number":530,"context_line":"* driver - Read-Only"},{"line_number":531,"context_line":"* driver_info - Likely returns as an empty dictionary, although"}],"source_content_type":"text/x-rst","patch_set":13,"id":"6f3446ea_b9962684","line":528,"updated":"2021-02-15 16:34:47.000000000","message":"I\u0027m very much against changing the types of any fields. I\u0027m fine with some vague string like \"reserved\", but a different type is a nightmare for consumers, especially those with statically compiled languages, especially since this change won\u0027t be microversioned.","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"81b0e305bcd70483daa7d600d739c0e2511cf813","unresolved":true,"context_lines":[{"line_number":525,"context_line":"* maintenance_reason - Read/Write"},{"line_number":526,"context_line":"* fault - Read/Write"},{"line_number":527,"context_line":"* last_error - ???"},{"line_number":528,"context_line":"  .. TODO:: The issue with ``last_error`` is that it can leak infrastructure hostnames of conductors, bmcs, etc. For BMaaS, it might make sense?"},{"line_number":529,"context_line":"* reservation - Returned as a True/False for project users."},{"line_number":530,"context_line":"* driver - Read-Only"},{"line_number":531,"context_line":"* driver_info - Likely returns as an empty dictionary, although"}],"source_content_type":"text/x-rst","patch_set":13,"id":"60351c8d_a41d84d4","line":528,"in_reply_to":"6f3446ea_b9962684","updated":"2021-02-15 18:15:23.000000000","message":"Whoaw, we\u0027re not changing any types. 
We do have string fields that can be null when unpopulated and the json body null is the result or a string. Dictionary fields are just that, empty dictionary fields. How do things like rust handle that headahce?","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"532ee984287359d6f95e3aaa94480cd895619650","unresolved":false,"context_lines":[{"line_number":528,"context_line":"  .. TODO:: The issue with ``last_error`` is that it can leak infrastructure hostnames of conductors, bmcs, etc. For BMaaS, it might make sense?"},{"line_number":529,"context_line":"* reservation - Returned as a True/False for project users."},{"line_number":530,"context_line":"* driver - Read-Only"},{"line_number":531,"context_line":"* driver_info - Likely returns as an empty dictionary, although"},{"line_number":532,"context_line":"  alternatively we can strip the URLs out, but that seems a little"},{"line_number":533,"context_line":"  more complicated."},{"line_number":534,"context_line":"* driver_internal_info - Likely will return an empty dictionary as"}],"source_content_type":"text/x-rst","patch_set":13,"id":"ed395d1f_6aa1468d","line":531,"updated":"2021-02-15 16:34:47.000000000","message":"We can strip everything ending with _address, _port, _username and _password (and reject updates)","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"81b0e305bcd70483daa7d600d739c0e2511cf813","unresolved":true,"context_lines":[{"line_number":528,"context_line":"  .. TODO:: The issue with ``last_error`` is that it can leak infrastructure hostnames of conductors, bmcs, etc. 
For BMaaS, it might make sense?"},{"line_number":529,"context_line":"* reservation - Returned as a True/False for project users."},{"line_number":530,"context_line":"* driver - Read-Only"},{"line_number":531,"context_line":"* driver_info - Likely returns as an empty dictionary, although"},{"line_number":532,"context_line":"  alternatively we can strip the URLs out, but that seems a little"},{"line_number":533,"context_line":"  more complicated."},{"line_number":534,"context_line":"* driver_internal_info - Likely will return an empty dictionary as"}],"source_content_type":"text/x-rst","patch_set":13,"id":"e40e9d9d_bf8f0167","line":531,"in_reply_to":"ed395d1f_6aa1468d","updated":"2021-02-15 18:15:23.000000000","message":"So seems like owners will get it, but not lesses under the concept that the owner is the \"real\" manager/asset owner where lessee is just the end user.  So I guess we could.","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"532ee984287359d6f95e3aaa94480cd895619650","unresolved":false,"context_lines":[{"line_number":532,"context_line":"  alternatively we can strip the URLs out, but that seems a little"},{"line_number":533,"context_line":"  more complicated."},{"line_number":534,"context_line":"* driver_internal_info - Likely will return an empty dictionary as"},{"line_number":535,"context_line":"  Project Admins and Project Members should not really need to see"},{"line_number":536,"context_line":"  the inner working details of the driver."},{"line_number":537,"context_line":"* properties - Read-Only"},{"line_number":538,"context_line":"* instance_info - Project Admin/Project Member Read-Write"}],"source_content_type":"text/x-rst","patch_set":13,"id":"33e17ee9_4bae857e","line":535,"updated":"2021-02-15 
16:34:47.000000000","message":"Absolutely","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"532ee984287359d6f95e3aaa94480cd895619650","unresolved":false,"context_lines":[{"line_number":569,"context_line":"  from changing the field value."},{"line_number":570,"context_line":"* description - Read-Write"},{"line_number":571,"context_line":"* conductor - Returns None as it provides insight into the running"},{"line_number":572,"context_line":"  infrastucture configuration and state, i.e. System visible is the"},{"line_number":573,"context_line":"  onlly appropriate state."},{"line_number":574,"context_line":"* allocation_uuid - Read Only"},{"line_number":575,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"95f27349_9d1a0a4d","line":572,"updated":"2021-02-15 16:34:47.000000000","message":"This may easily break someone.. No idea what to do, an empty string is probably better.","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"81b0e305bcd70483daa7d600d739c0e2511cf813","unresolved":false,"context_lines":[{"line_number":569,"context_line":"  from changing the field value."},{"line_number":570,"context_line":"* description - Read-Write"},{"line_number":571,"context_line":"* conductor - Returns None as it provides insight into the running"},{"line_number":572,"context_line":"  infrastucture configuration and state, i.e. 
System visible is the"},{"line_number":573,"context_line":"  onlly appropriate state."},{"line_number":574,"context_line":"* allocation_uuid - Read Only"},{"line_number":575,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"8742c03f_5e8cf5ae","line":572,"in_reply_to":"95f27349_9d1a0a4d","updated":"2021-02-15 18:15:23.000000000","message":"I don\u0027t think it will break anyone right *now* since the default usage doesn\u0027t cover it. Null vs \u0027\u0027 for strings discussion I think is the concern here.","commit_id":"51673500d664a676f96d8f6817841670b6cbec43"}]}
