)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"30fdb3c8405a2f743d5ca9e2287962810b443e61","unresolved":true,"context_lines":[{"line_number":5,"context_line":"CommitDate: 2021-09-13 19:49:50 +0000"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Power control intermediary spec proposal"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Change-Id: I48f5545a9088abcc9f765f6d3bf6e4aad0748c71"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"23ae30bf_2baeae40","line":8,"updated":"2021-09-13 21:25:50.000000000","message":"Is there a story in storyboard.openstack.org for this? Ideally we\u0027ll want one to track the patches by, so each patch will be a task, and we can track it from there. This also gives us a central point to go back and reference if we need to do things like backporting or see the status/progress.\n\nNote, this is in the following format:\n\nStory: NNNNNNN\nTask: NNNNN","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"eacd92cb217bce03fb251fa9be4b26f7403ed970","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"2e8dfadf_e56edef8","updated":"2021-12-07 12:43:27.000000000","message":"Very nice!","commit_id":"4e31859a7f3da5ba201f8facce008aa759782ba3"}],"specs/approved/ironic-redfish-proxy.rst":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"eacd92cb217bce03fb251fa9be4b26f7403ed970","unresolved":true,"context_lines":[{"line_number":650,"context_line":"      {"},{"line_number":651,"context_line":"          \"@odata.type\": \"#ComputerSystem.v1.0.0.ComputerSystem\","},{"line_number":652,"context_line":"          \"Id\": \"ABCDEFG\","},{"line_number":653,"context_line":"          \"Name\": \"Baremetal Host ABC\","},{"line_number":654,"context_line":"          \"Description\": \"It\u0027s a computer\","},{"line_number":655,"context_line":"          \"UUID\": \"ABCDEFG\","},{"line_number":656,"context_line":"          \"PowerState\": \"On\","}],"source_content_type":"text/x-rst","patch_set":5,"id":"a75d7802_67fdb5ed","line":653,"updated":"2021-12-07 12:43:27.000000000","message":"very nit: this is not a valid name, we don\u0027t allow spaces","commit_id":"4e31859a7f3da5ba201f8facce008aa759782ba3"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"eacd92cb217bce03fb251fa9be4b26f7403ed970","unresolved":true,"context_lines":[{"line_number":717,"context_line":"    for the resource they are attempting to access."},{"line_number":718,"context_line":"  * Accepts the following values for ResetType in the body [#]_:"},{"line_number":719,"context_line":""},{"line_number":720,"context_line":"    * \"On\" (soft power on)"},{"line_number":721,"context_line":"    * \"ForceOn\" (hard power on)"},{"line_number":722,"context_line":"    * \"GracefulShutdown\" (soft power off)"},{"line_number":723,"context_line":"    * \"ForceOff\" (hard power off)"}],"source_content_type":"text/x-rst","patch_set":5,"id":"15426614_9738046b","line":720,"updated":"2021-12-07 12:43:27.000000000","message":"nit: there is no such thing as \"soft power on\", soft/hard concerns how quickly the operating systems goes down","commit_id":"4e31859a7f3da5ba201f8facce008aa759782ba3"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"eacd92cb217bce03fb251fa9be4b26f7403ed970","unresolved":true,"context_lines":[{"line_number":944,"context_line":".. [#] The Redfish schema for ResetType also includes \"Nmi\" (diagnostic"},{"line_number":945,"context_line":"       interrupt) and \"PushPowerButton\" (simulates a physical power button"},{"line_number":946,"context_line":"       press event). However, neither of these actions are part of Ironic\u0027s"},{"line_number":947,"context_line":"       node power state workflow and support for these actions varies greatly"},{"line_number":948,"context_line":"       depending on the driver and hardware."}],"source_content_type":"text/x-rst","patch_set":5,"id":"f4cfd4a1_c6c82dce","line":947,"updated":"2021-12-07 12:43:27.000000000","message":"We do, in fact, support NMI.","commit_id":"4e31859a7f3da5ba201f8facce008aa759782ba3"}],"specs/approved/power-control-intermediary.rst":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"30fdb3c8405a2f743d5ca9e2287962810b443e61","unresolved":true,"context_lines":[{"line_number":8,"context_line":"Ironic Power Control Intermediary"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"https://storyboard.openstack.org/#!/story/2009184"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"One important aspect of our goal of improving support for node multi-tenancy"},{"line_number":14,"context_line":"is to provide a seamless user experience for node lessees. This includes"}],"source_content_type":"text/x-rst","patch_set":2,"id":"992dc09d_ce84bb1a","line":11,"range":{"start_line":11,"start_character":0,"end_line":11,"end_character":49},"updated":"2021-09-13 21:25:50.000000000","message":"Ahh, here is a story!","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":33905,"name":"Samuel Zuk","email":"szuk@redhat.com","username":"szuk"},"change_message_id":"d09ec57d6e562956bae03f68b297dfd524b220d2","unresolved":true,"context_lines":[{"line_number":8,"context_line":"Ironic Power Control Intermediary"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"https://storyboard.openstack.org/#!/story/2009184"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"One important aspect of our goal of improving support for node multi-tenancy"},{"line_number":14,"context_line":"is to provide a seamless user experience for node lessees. This includes"}],"source_content_type":"text/x-rst","patch_set":2,"id":"c461a85f_f25c5d8e","line":11,"range":{"start_line":11,"start_character":0,"end_line":11,"end_character":49},"in_reply_to":"992dc09d_ce84bb1a","updated":"2021-09-14 17:53:01.000000000","message":"Yep! Should I amend the commit message w/ the next patch to include this link?","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"dfc99ed87e55de04e36e16f865ac928746da8aba","unresolved":true,"context_lines":[{"line_number":8,"context_line":"Ironic Power Control Intermediary"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"https://storyboard.openstack.org/#!/story/2009184"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"One important aspect of our goal of improving support for node multi-tenancy"},{"line_number":14,"context_line":"is to provide a seamless user experience for node lessees. This includes"}],"source_content_type":"text/x-rst","patch_set":2,"id":"36b961dd_ac4566f3","line":11,"range":{"start_line":11,"start_character":0,"end_line":11,"end_character":49},"in_reply_to":"c461a85f_f25c5d8e","updated":"2021-09-27 18:01:56.000000000","message":"Generally story and task tags are expected. But not strictly required.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"30fdb3c8405a2f743d5ca9e2287962810b443e61","unresolved":true,"context_lines":[{"line_number":18,"context_line":"major problem."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"Currently, for an Ironic node lessee to obtain direct access to power"},{"line_number":21,"context_line":"management APIs, they would require either admin privileges or the power"},{"line_number":22,"context_line":"credentials to the BMC of the node in question. For many reasons, doing this"},{"line_number":23,"context_line":"would be very inefficient, insecure, and generally unwise. It also runs"},{"line_number":24,"context_line":"counter to one of the goals of node multi-tenancy, which is to allow users to"}],"source_content_type":"text/x-rst","patch_set":2,"id":"e836b773_0fc44cca","line":21,"range":{"start_line":21,"start_character":43,"end_line":21,"end_character":62},"updated":"2021-09-13 21:25:50.000000000","message":"Lessee project members (afaik) are allowed to perform power ops as basic operations.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":33905,"name":"Samuel Zuk","email":"szuk@redhat.com","username":"szuk"},"change_message_id":"d09ec57d6e562956bae03f68b297dfd524b220d2","unresolved":true,"context_lines":[{"line_number":18,"context_line":"major problem."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"Currently, for an Ironic node lessee to obtain direct access to power"},{"line_number":21,"context_line":"management APIs, they would require either admin privileges or the power"},{"line_number":22,"context_line":"credentials to the BMC of the node in question. For many reasons, doing this"},{"line_number":23,"context_line":"would be very inefficient, insecure, and generally unwise. It also runs"},{"line_number":24,"context_line":"counter to one of the goals of node multi-tenancy, which is to allow users to"}],"source_content_type":"text/x-rst","patch_set":2,"id":"e188e3c2_3292dd55","line":21,"range":{"start_line":21,"start_character":43,"end_line":21,"end_character":62},"in_reply_to":"e836b773_0fc44cca","updated":"2021-09-14 17:53:01.000000000","message":"I believe you are correct. The wording in the first parts of this spec is inaccurate and I should probably clarify that I mean something along the lines of \"the only way for a node lessee to access standards-based APIs...\" or \"...to use the APIs that provisioning tools expect to have access to...\", etc. You\u0027re not the first to be confused by this wording so I will work on updating it to make it more clear.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"30fdb3c8405a2f743d5ca9e2287962810b443e61","unresolved":true,"context_lines":[{"line_number":28,"context_line":"Because we do not wish to grant lessees direct access to the BMC, to enable"},{"line_number":29,"context_line":"the use of existing provisioning tools, we instead intend to emulate a"},{"line_number":30,"context_line":"standards-based interface (Redfish, in this case), directly within Ironic for"},{"line_number":31,"context_line":"use by node lessees. This way, authentication can instead go through Keystone"},{"line_number":32,"context_line":"and provisioning workflows that require power credentials can function as"},{"line_number":33,"context_line":"expected."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":2,"id":"a1d43a45_a127f24a","line":33,"range":{"start_line":31,"start_character":21,"end_line":33,"end_character":9},"updated":"2021-09-13 21:25:50.000000000","message":"So, I\u0027ve not read any further, *but* if we\u0027re just passing through, using the lessee tenant... I guess it could be but wouldn\u0027t that also prevent session based auth for redfish.... Idea, unless we can just pass through the bearer token somehow...","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":33905,"name":"Samuel Zuk","email":"szuk@redhat.com","username":"szuk"},"change_message_id":"d09ec57d6e562956bae03f68b297dfd524b220d2","unresolved":true,"context_lines":[{"line_number":28,"context_line":"Because we do not wish to grant lessees direct access to the BMC, to enable"},{"line_number":29,"context_line":"the use of existing provisioning tools, we instead intend to emulate a"},{"line_number":30,"context_line":"standards-based interface (Redfish, in this case), directly within Ironic for"},{"line_number":31,"context_line":"use by node lessees. This way, authentication can instead go through Keystone"},{"line_number":32,"context_line":"and provisioning workflows that require power credentials can function as"},{"line_number":33,"context_line":"expected."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":2,"id":"618a1a5f_c41062d9","line":33,"range":{"start_line":31,"start_character":21,"end_line":33,"end_character":9},"in_reply_to":"a1d43a45_a127f24a","updated":"2021-09-14 17:53:01.000000000","message":"My initial plan I had in mind for authentication when drafting this spec was.... not very well thought out. (more clarification, details, etc. will be noted in a comment below this one)","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"30fdb3c8405a2f743d5ca9e2287962810b443e61","unresolved":true,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Problem description"},{"line_number":37,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"As it stands, the only way an unprivileged user, such as a lessee, can"},{"line_number":40,"context_line":"directly access power management APIs would be through the BMC with the node\u0027s"},{"line_number":41,"context_line":"power credentials. But since these credentials wouldn\u0027t necessarily change"},{"line_number":42,"context_line":"after the lessee loses access, they could potentially re-use them to change"},{"line_number":43,"context_line":"power settings on the node directly, regardless of whether or not they were"},{"line_number":44,"context_line":"granted permission within OpenStack cloud services."}],"source_content_type":"text/x-rst","patch_set":2,"id":"ac227594_b66f7e0e","line":41,"range":{"start_line":38,"start_character":0,"end_line":41,"end_character":18},"updated":"2021-09-13 21:25:50.000000000","message":"Not exactly true:\n\nhttps://github.com/openstack/ironic/blob/master/ironic/common/policy.py#L765\nhttps://github.com/openstack/ironic/blob/master/ironic/common/policy.py#L83\nhttps://github.com/openstack/ironic/blob/master/ironic/common/policy.py#L70","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"dfc99ed87e55de04e36e16f865ac928746da8aba","unresolved":true,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Problem description"},{"line_number":37,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"As it stands, the only way an unprivileged user, such as a lessee, can"},{"line_number":40,"context_line":"directly access power management APIs would be through the BMC with the node\u0027s"},{"line_number":41,"context_line":"power credentials. But since these credentials wouldn\u0027t necessarily change"},{"line_number":42,"context_line":"after the lessee loses access, they could potentially re-use them to change"},{"line_number":43,"context_line":"power settings on the node directly, regardless of whether or not they were"},{"line_number":44,"context_line":"granted permission within OpenStack cloud services."}],"source_content_type":"text/x-rst","patch_set":2,"id":"c9e6d850_a38d13c0","line":41,"range":{"start_line":38,"start_character":0,"end_line":41,"end_character":18},"in_reply_to":"894c51b9_a9c65b79","updated":"2021-09-27 18:01:56.000000000","message":"That was kind of what kind of my thought, that the idea kind of got across, but that excess words were really kind of getting in the way. Sounds like a good plan! 😊","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":33905,"name":"Samuel Zuk","email":"szuk@redhat.com","username":"szuk"},"change_message_id":"d09ec57d6e562956bae03f68b297dfd524b220d2","unresolved":true,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Problem description"},{"line_number":37,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"As it stands, the only way an unprivileged user, such as a lessee, can"},{"line_number":40,"context_line":"directly access power management APIs would be through the BMC with the node\u0027s"},{"line_number":41,"context_line":"power credentials. But since these credentials wouldn\u0027t necessarily change"},{"line_number":42,"context_line":"after the lessee loses access, they could potentially re-use them to change"},{"line_number":43,"context_line":"power settings on the node directly, regardless of whether or not they were"},{"line_number":44,"context_line":"granted permission within OpenStack cloud services."}],"source_content_type":"text/x-rst","patch_set":2,"id":"894c51b9_a9c65b79","line":41,"range":{"start_line":38,"start_character":0,"end_line":41,"end_character":18},"in_reply_to":"ac227594_b66f7e0e","updated":"2021-09-14 17:53:01.000000000","message":"Now that I think about it, this whole section could use a bit of a rewrite, as what I meant isn\u0027t exactly clear. What I had meant was that the only way to access the APIs that provisioning tools (particularly Redfish-based ones) expect would be directly thru the BMC. I assume this is accurate but do let me know if that is inaccurate also. Regardless, I will update the wording to reflect our intentions.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"30fdb3c8405a2f743d5ca9e2287962810b443e61","unresolved":true,"context_lines":[{"line_number":45,"context_line":""},{"line_number":46,"context_line":"In a situation like this, the lessee would be forced to use Ironic\u0027s API and"},{"line_number":47,"context_line":"provisioning tools, likely requiring existing workflows to be completely"},{"line_number":48,"context_line":"refactored. There are many potential cases in which this would be very"},{"line_number":49,"context_line":"problematic to the end-user, and the alternative solution of providing the"},{"line_number":50,"context_line":"lessee with power credentials would be a huge security risk unacceptable to"},{"line_number":51,"context_line":"most administrators."},{"line_number":52,"context_line":""},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":2,"id":"226857eb_4db2810e","line":51,"range":{"start_line":48,"start_character":12,"end_line":51,"end_character":20},"updated":"2021-09-13 21:25:50.000000000","message":"Honestly, I\u0027d drop this completely.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":33905,"name":"Samuel Zuk","email":"szuk@redhat.com","username":"szuk"},"change_message_id":"d09ec57d6e562956bae03f68b297dfd524b220d2","unresolved":true,"context_lines":[{"line_number":45,"context_line":""},{"line_number":46,"context_line":"In a situation like this, the lessee would be forced to use Ironic\u0027s API and"},{"line_number":47,"context_line":"provisioning tools, likely requiring existing workflows to be completely"},{"line_number":48,"context_line":"refactored. There are many potential cases in which this would be very"},{"line_number":49,"context_line":"problematic to the end-user, and the alternative solution of providing the"},{"line_number":50,"context_line":"lessee with power credentials would be a huge security risk unacceptable to"},{"line_number":51,"context_line":"most administrators."},{"line_number":52,"context_line":""},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":2,"id":"d32027e1_a1fe55ed","line":51,"range":{"start_line":48,"start_character":12,"end_line":51,"end_character":20},"in_reply_to":"226857eb_4db2810e","updated":"2021-09-14 17:53:01.000000000","message":"Fair. To be honest, I think was having a hard time wording a conclusion to this section and ended up unintentionally tacking on a bunch of extraneous words.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"dfc99ed87e55de04e36e16f865ac928746da8aba","unresolved":true,"context_lines":[{"line_number":45,"context_line":""},{"line_number":46,"context_line":"In a situation like this, the lessee would be forced to use Ironic\u0027s API and"},{"line_number":47,"context_line":"provisioning tools, likely requiring existing workflows to be completely"},{"line_number":48,"context_line":"refactored. There are many potential cases in which this would be very"},{"line_number":49,"context_line":"problematic to the end-user, and the alternative solution of providing the"},{"line_number":50,"context_line":"lessee with power credentials would be a huge security risk unacceptable to"},{"line_number":51,"context_line":"most administrators."},{"line_number":52,"context_line":""},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":2,"id":"034349bd_6935d55e","line":51,"range":{"start_line":48,"start_character":12,"end_line":51,"end_character":20},"in_reply_to":"d32027e1_a1fe55ed","updated":"2021-09-27 18:01:56.000000000","message":"Ahh, sometimes less is more! :)","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"30fdb3c8405a2f743d5ca9e2287962810b443e61","unresolved":true,"context_lines":[{"line_number":103,"context_line":"potential value of this existing in Ironic proper have led to the proposal"},{"line_number":104,"context_line":"of this spec. [5]_"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"As far as implementation goes, we currently plan on integrating this into the"},{"line_number":107,"context_line":"Ironic API itself, however it could also exist separately as its own separate"},{"line_number":108,"context_line":"WSGI service."},{"line_number":109,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"6ab200c1_241dfd7c","line":106,"range":{"start_line":106,"start_character":0,"end_line":106,"end_character":30},"updated":"2021-09-13 21:25:50.000000000","message":"Just a suggestion, maybe \"Regardless of the implementation direction goes,\"","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":33905,"name":"Samuel Zuk","email":"szuk@redhat.com","username":"szuk"},"change_message_id":"d09ec57d6e562956bae03f68b297dfd524b220d2","unresolved":true,"context_lines":[{"line_number":103,"context_line":"potential value of this existing in Ironic proper have led to the proposal"},{"line_number":104,"context_line":"of this spec. [5]_"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"As far as implementation goes, we currently plan on integrating this into the"},{"line_number":107,"context_line":"Ironic API itself, however it could also exist separately as its own separate"},{"line_number":108,"context_line":"WSGI service."},{"line_number":109,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"56df4cbf_5a3c9356","line":106,"range":{"start_line":106,"start_character":0,"end_line":106,"end_character":30},"in_reply_to":"6ab200c1_241dfd7c","updated":"2021-09-14 17:53:01.000000000","message":"I like that wording a lot better. Will revise this in the next patch.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"30fdb3c8405a2f743d5ca9e2287962810b443e61","unresolved":true,"context_lines":[{"line_number":177,"context_line":"    +------------------+--------+---------------------------------------------+"},{"line_number":178,"context_line":"    | Links            | object | Contains objects that contain links to      |"},{"line_number":179,"context_line":"    |                  |        | relevant resource collections.              |"},{"line_number":180,"context_line":"    +------------------+--------+---------------------------------------------+"},{"line_number":181,"context_line":"    | Systems          | object | Contains a link to a collection of Systems  |"},{"line_number":182,"context_line":"    |                  |        | resources.                                  |"},{"line_number":183,"context_line":"    +------------------+--------+---------------------------------------------+"},{"line_number":184,"context_line":"    | SessionService   | object | Contains a link to the SessionsService      |"},{"line_number":185,"context_line":"    |                  |        | resource.                                   |"}],"source_content_type":"text/x-rst","patch_set":2,"id":"fd02c293_52b1fde7","line":182,"range":{"start_line":180,"start_character":0,"end_line":182,"end_character":71},"updated":"2021-09-13 21:25:50.000000000","message":"I\u0027m assuming we would also be filtering by node, so the view would be restricted based upon the associated project ID... Or would the view only be visible of the single node?\n\nI guess, implementation question which may be worthwhile to ponder, how do we associate.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"dfc99ed87e55de04e36e16f865ac928746da8aba","unresolved":true,"context_lines":[{"line_number":177,"context_line":"    +------------------+--------+---------------------------------------------+"},{"line_number":178,"context_line":"    | Links            | object | Contains objects that contain links to      |"},{"line_number":179,"context_line":"    |                  |        | relevant resource collections.              |"},{"line_number":180,"context_line":"    +------------------+--------+---------------------------------------------+"},{"line_number":181,"context_line":"    | Systems          | object | Contains a link to a collection of Systems  |"},{"line_number":182,"context_line":"    |                  |        | resources.                                  |"},{"line_number":183,"context_line":"    +------------------+--------+---------------------------------------------+"},{"line_number":184,"context_line":"    | SessionService   | object | Contains a link to the SessionsService      |"},{"line_number":185,"context_line":"    |                  |        | resource.                                   |"}],"source_content_type":"text/x-rst","patch_set":2,"id":"0fac6e61_7478327d","line":182,"range":{"start_line":180,"start_character":0,"end_line":182,"end_character":71},"in_reply_to":"7c2aa777_c2b2a6c0","updated":"2021-09-27 18:01:56.000000000","message":"Do-able, however I\u0027d skip calling the API code if you can avoid it. Or at least, directly. If you can run from the back-end DB it will be a more performant interface than doing wholesale proxying since that interface can be rather CPU intensive to return results.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":33905,"name":"Samuel Zuk","email":"szuk@redhat.com","username":"szuk"},"change_message_id":"d09ec57d6e562956bae03f68b297dfd524b220d2","unresolved":true,"context_lines":[{"line_number":177,"context_line":"    +------------------+--------+---------------------------------------------+"},{"line_number":178,"context_line":"    | Links            | object | Contains objects that contain links to      |"},{"line_number":179,"context_line":"    |                  |        | relevant resource collections.              |"},{"line_number":180,"context_line":"    +------------------+--------+---------------------------------------------+"},{"line_number":181,"context_line":"    | Systems          | object | Contains a link to a collection of Systems  |"},{"line_number":182,"context_line":"    |                  |        | resources.                                  |"},{"line_number":183,"context_line":"    +------------------+--------+---------------------------------------------+"},{"line_number":184,"context_line":"    | SessionService   | object | Contains a link to the SessionsService      |"},{"line_number":185,"context_line":"    |                  |        | resource.                                   |"}],"source_content_type":"text/x-rst","patch_set":2,"id":"7c2aa777_c2b2a6c0","line":182,"range":{"start_line":180,"start_character":0,"end_line":182,"end_character":71},"in_reply_to":"fd02c293_52b1fde7","updated":"2021-09-14 17:53:01.000000000","message":"Hmm... since the Systems interface requires authentication, I think the plan is to use the credentials used to authenticate w/ the Systems interface (more details below) to proxy a GET request to /v1/nodes/ and provide a Redfish-friendly representation of the response to the user.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"30fdb3c8405a2f743d5ca9e2287962810b443e61","unresolved":true,"context_lines":[{"line_number":279,"context_line":"    | Members             | array  | An array of objects that contain links   |"},{"line_number":280,"context_line":"    |                     |        | to individual Session interfaces.        |"},{"line_number":281,"context_line":"    +---------------------+--------+------------------------------------------+"},{"line_number":282,"context_line":""},{"line_number":283,"context_line":"* POST /redfish/v1/SessionService/Sessions"},{"line_number":284,"context_line":""},{"line_number":285,"context_line":"  * Requests Session authentication. A username and password is to be passed in"},{"line_number":286,"context_line":"    the body, and upon success, the created Session object will be returned."},{"line_number":287,"context_line":"    Included in the headers of this response will be the authentication token"},{"line_number":288,"context_line":"    in the ``X-Auth-Token`` header, and the link to the Session object in the"},{"line_number":289,"context_line":"    ``Location`` header."},{"line_number":290,"context_line":"  * Normal response code: 201 Created"},{"line_number":291,"context_line":"  * Error response codes: 400 Bad Request, 403 Forbidden, 500 Internal Server"},{"line_number":292,"context_line":"    Error"},{"line_number":293,"context_line":""},{"line_number":294,"context_line":"    * 400 Bad Request will be returned if the username/password fields are not"},{"line_number":295,"context_line":"      found in the message body."},{"line_number":296,"context_line":"    * 403 Forbidden will be returned if the credentials provided are invalid."},{"line_number":297,"context_line":"    * 500 Internal Server Error will be returned if the internal request to"},{"line_number":298,"context_line":"      authenticate could not be fufilled."},{"line_number":299,"context_line":""},{"line_number":300,"context_line":"  * Example Request::"},{"line_number":301,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"2eafdbf1_c1ead488","line":298,"range":{"start_line":282,"start_character":0,"end_line":298,"end_character":41},"updated":"2021-09-13 21:25:50.000000000","message":"So... db table for this to be tracked?","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":33905,"name":"Samuel Zuk","email":"szuk@redhat.com","username":"szuk"},"change_message_id":"d09ec57d6e562956bae03f68b297dfd524b220d2","unresolved":true,"context_lines":[{"line_number":279,"context_line":"    | Members             | array  | An array of objects that contain links   |"},{"line_number":280,"context_line":"    |                     |        | to individual Session interfaces.        |"},{"line_number":281,"context_line":"    +---------------------+--------+------------------------------------------+"},{"line_number":282,"context_line":""},{"line_number":283,"context_line":"* POST /redfish/v1/SessionService/Sessions"},{"line_number":284,"context_line":""},{"line_number":285,"context_line":"  * Requests Session authentication. A username and password is to be passed in"},{"line_number":286,"context_line":"    the body, and upon success, the created Session object will be returned."},{"line_number":287,"context_line":"    Included in the headers of this response will be the authentication token"},{"line_number":288,"context_line":"    in the ``X-Auth-Token`` header, and the link to the Session object in the"},{"line_number":289,"context_line":"    ``Location`` header."},{"line_number":290,"context_line":"  * Normal response code: 201 Created"},{"line_number":291,"context_line":"  * Error response codes: 400 Bad Request, 403 Forbidden, 500 Internal Server"},{"line_number":292,"context_line":"    Error"},{"line_number":293,"context_line":""},{"line_number":294,"context_line":"    * 400 Bad Request will be returned if the username/password fields are not"},{"line_number":295,"context_line":"      found in the message body."},{"line_number":296,"context_line":"    * 403 Forbidden will be returned if the credentials provided are invalid."},{"line_number":297,"context_line":"    * 500 Internal Server Error will be returned if the internal request to"},{"line_number":298,"context_line":"      authenticate could not be fufilled."},{"line_number":299,"context_line":""},{"line_number":300,"context_line":"  * Example Request::"},{"line_number":301,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"9ce1a4d5_faf9c9fc","line":298,"range":{"start_line":282,"start_character":0,"end_line":298,"end_character":41},"in_reply_to":"2eafdbf1_c1ead488","updated":"2021-09-14 17:53:01.000000000","message":"So you\u0027re right here in pointing out that this would require a new database table if implemented as described, and this slipped my mind when I was drafting this spec. Additional database entries, the cycles required to make those queries, and the overhead required to manage such a database was something I wanted to avoid, and after thinking this through I *think* I have a solid plan:\n\nWhat will remain here is the implementation detail of authenticating Sessions via application credential ID/secret. This is for two reasons: the first being that I want to avoid handling credentials (specifically passwords) directly wherever possible, and the second being that because one can authenticate a request with only the app. credential id and that identifier\u0027s secret, we avoid requiring a custom schema to provide details such as project id and user/project domain.\n\nHowever, instead of having my SessionService code generate and manage these Session objects, I instead plan to request a scoped authorization token for the user, project, and domain associated with the application credential and return that to the user as the X-Auth-Token in the header.\n\nAs for the identifier for this pseudo-Session (which would essentially just be a Keystone auth token), I\u0027m not 100% certain which direction to go, but after some research I feel that perhaps the token\u0027s audit ID could be appropriate? The Identity API reference notes that \"You can use these audit IDs to track the use of a token ... without exposing the token ID to non-privileged users.\" so my takeaway was that this could work for this purpose, although do let me know if this would be an inappropriate use. (ref: https://docs.openstack.org/api-ref/identity/v3/index.html)\n\nFinally, this would also address the problem of Session expiration. In the implementation described here, it would have to be managed by new code that I would have to write, but in having the Sessions interface be a proxy for the Identity service, these sessions would be automatically expired by an already existing service.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"dfc99ed87e55de04e36e16f865ac928746da8aba","unresolved":true,"context_lines":[{"line_number":279,"context_line":"    | Members             | array  | An array of objects that contain links   |"},{"line_number":280,"context_line":"    |                     |        | to individual Session interfaces.        |"},{"line_number":281,"context_line":"    +---------------------+--------+------------------------------------------+"},{"line_number":282,"context_line":""},{"line_number":283,"context_line":"* POST /redfish/v1/SessionService/Sessions"},{"line_number":284,"context_line":""},{"line_number":285,"context_line":"  * Requests Session authentication. A username and password is to be passed in"},{"line_number":286,"context_line":"    the body, and upon success, the created Session object will be returned."},{"line_number":287,"context_line":"    Included in the headers of this response will be the authentication token"},{"line_number":288,"context_line":"    in the ``X-Auth-Token`` header, and the link to the Session object in the"},{"line_number":289,"context_line":"    ``Location`` header."},{"line_number":290,"context_line":"  * Normal response code: 201 Created"},{"line_number":291,"context_line":"  * Error response codes: 400 Bad Request, 403 Forbidden, 500 Internal Server"},{"line_number":292,"context_line":"    Error"},{"line_number":293,"context_line":""},{"line_number":294,"context_line":"    * 400 Bad Request will be returned if the username/password fields are not"},{"line_number":295,"context_line":"      found in the message body."},{"line_number":296,"context_line":"    * 403 Forbidden will be returned if the credentials provided are invalid."},{"line_number":297,"context_line":"    * 500 Internal Server Error will be returned if the internal request to"},{"line_number":298,"context_line":"      authenticate could not be fufilled."},{"line_number":299,"context_line":""},{"line_number":300,"context_line":"  * Example Request::"},{"line_number":301,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"d2054356_58dc6de2","line":298,"range":{"start_line":282,"start_character":0,"end_line":298,"end_character":41},"in_reply_to":"9ce1a4d5_faf9c9fc","updated":"2021-09-27 18:01:56.000000000","message":"I do really like that idea. And just getting a new token/session with keystone does solve a lot of the headaches related to the intermediate layer. The authentication middleware... possibly with a little help, can re-authenticate and help fill in the request context, so I *think* that might actaully work really well. Just if the token expires, the redfish client really won\u0027t know how to navigate that, but I think that is okay!","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"30fdb3c8405a2f743d5ca9e2287962810b443e61","unresolved":true,"context_lines":[{"line_number":403,"context_line":"  * Equivalent to ``baremetal node list``, will return a collection of Redfish"},{"line_number":404,"context_line":"    ComputerSystem interfaces that correspond to Ironic nodes. Requires the"},{"line_number":405,"context_line":"    user to have a valid ``X-Auth-Token`` in the request header for the"},{"line_number":406,"context_line":"    resource they are trying to access."},{"line_number":407,"context_line":"  * Normal response code: 200 OK"},{"line_number":408,"context_line":"  * Error response codes: 403 Forbidden, 500 Internal Server Error"},{"line_number":409,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"8564aa7d_4bcc1da3","line":406,"updated":"2021-09-13 21:25:50.000000000","message":"So this needs to be a restricted view. In essence we would likely want to join the session to the tables or something along those lines. Implementation detail though, but filtering it is the important key.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":33905,"name":"Samuel Zuk","email":"szuk@redhat.com","username":"szuk"},"change_message_id":"d09ec57d6e562956bae03f68b297dfd524b220d2","unresolved":true,"context_lines":[{"line_number":403,"context_line":"  * Equivalent to ``baremetal node list``, will return a collection of Redfish"},{"line_number":404,"context_line":"    ComputerSystem interfaces that correspond to Ironic nodes. Requires the"},{"line_number":405,"context_line":"    user to have a valid ``X-Auth-Token`` in the request header for the"},{"line_number":406,"context_line":"    resource they are trying to access."},{"line_number":407,"context_line":"  * Normal response code: 200 OK"},{"line_number":408,"context_line":"  * Error response codes: 403 Forbidden, 500 Internal Server Error"},{"line_number":409,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"b93be896_661a9431","line":406,"in_reply_to":"8564aa7d_4bcc1da3","updated":"2021-09-14 17:53:01.000000000","message":"I\u0027ve got a new plan for handling authentication and identity that basically boils down to \"let Keystone handle it\" (described above) so *hopefully* with that plan in mind, we will make an Ironic API request with the lessee\u0027s identity (user/project/domain) to /v1/nodes/ and let Ironic filter the node info returned to the user/client using the identity info provided.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"dfc99ed87e55de04e36e16f865ac928746da8aba","unresolved":true,"context_lines":[{"line_number":403,"context_line":"  * Equivalent to ``baremetal node list``, will return a collection of Redfish"},{"line_number":404,"context_line":"    ComputerSystem interfaces that correspond to Ironic nodes. Requires the"},{"line_number":405,"context_line":"    user to have a valid ``X-Auth-Token`` in the request header for the"},{"line_number":406,"context_line":"    resource they are trying to access."},{"line_number":407,"context_line":"  * Normal response code: 200 OK"},{"line_number":408,"context_line":"  * Error response codes: 403 Forbidden, 500 Internal Server Error"},{"line_number":409,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"335513c2_a64a3f17","line":406,"in_reply_to":"b93be896_661a9431","updated":"2021-09-27 18:01:56.000000000","message":"I\u0027d directly query the DB, fwiw. Performance wise, there is a lot that happens under the hood to make the rest api responses reply. There *is* the policy enforcement logic, but that can likely also just be copied where appropriate.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"30fdb3c8405a2f743d5ca9e2287962810b443e61","unresolved":true,"context_lines":[{"line_number":450,"context_line":""},{"line_number":451,"context_line":"  * Equivalent to ``baremetal node show``, albeit with fewer details. Will"},{"line_number":452,"context_line":"    return a Redfish System resource containing basic info, power info, and the"},{"line_number":453,"context_line":"    location of the power control interface. Requires the user to have a valid"},{"line_number":454,"context_line":"    ``X-Auth-Token`` for the resource they are trying to access."},{"line_number":455,"context_line":"  * Normal response code: 200 OK"},{"line_number":456,"context_line":"  * Error reponse codes: 403 Forbidden, 404 Not Found, 500 Internal Server"},{"line_number":457,"context_line":"    Error"}],"source_content_type":"text/x-rst","patch_set":2,"id":"6e21fae8_53bfbf19","line":454,"range":{"start_line":453,"start_character":0,"end_line":454,"end_character":64},"updated":"2021-09-13 21:25:50.000000000","message":"Thinking outloud: are we going to do this with oslo_policy mapping? I guess I\u0027m asking because I\u0027m sure some might find a redfish-ish API for everything semi-useful one day.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":33905,"name":"Samuel Zuk","email":"szuk@redhat.com","username":"szuk"},"change_message_id":"d09ec57d6e562956bae03f68b297dfd524b220d2","unresolved":true,"context_lines":[{"line_number":450,"context_line":""},{"line_number":451,"context_line":"  * Equivalent to ``baremetal node show``, albeit with fewer details. Will"},{"line_number":452,"context_line":"    return a Redfish System resource containing basic info, power info, and the"},{"line_number":453,"context_line":"    location of the power control interface. Requires the user to have a valid"},{"line_number":454,"context_line":"    ``X-Auth-Token`` for the resource they are trying to access."},{"line_number":455,"context_line":"  * Normal response code: 200 OK"},{"line_number":456,"context_line":"  * Error reponse codes: 403 Forbidden, 404 Not Found, 500 Internal Server"},{"line_number":457,"context_line":"    Error"}],"source_content_type":"text/x-rst","patch_set":2,"id":"17f65271_9c1760c4","line":454,"range":{"start_line":453,"start_character":0,"end_line":454,"end_character":64},"in_reply_to":"6e21fae8_53bfbf19","updated":"2021-09-14 17:53:01.000000000","message":"After thinking about how to improve upon the authentication strategy provided here, hopefully w/ the system described above, policy mapping should be straightforward.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"30fdb3c8405a2f743d5ca9e2287962810b443e61","unresolved":true,"context_lines":[{"line_number":629,"context_line":"and password along with each request. Redfish literature notes that Basic"},{"line_number":630,"context_line":"Authentication is expensive, since it requires that credentials be checked"},{"line_number":631,"context_line":"manually for every request, leading to the potential for numerous requests"},{"line_number":632,"context_line":"to overload the system. [8]_ This is why we chose to use it as a means for"},{"line_number":633,"context_line":"authenticating requests."},{"line_number":634,"context_line":""},{"line_number":635,"context_line":"Other end user impact"},{"line_number":636,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"495546e8_e9facec4","line":633,"range":{"start_line":632,"start_character":29,"end_line":633,"end_character":24},"updated":"2021-09-13 21:25:50.000000000","message":"Technically both would need to be supported, some tools don\u0027t support sessions, and some do. Most BMCs prefer sessions FWIW.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":33905,"name":"Samuel Zuk","email":"szuk@redhat.com","username":"szuk"},"change_message_id":"d09ec57d6e562956bae03f68b297dfd524b220d2","unresolved":true,"context_lines":[{"line_number":629,"context_line":"and password along with each request. Redfish literature notes that Basic"},{"line_number":630,"context_line":"Authentication is expensive, since it requires that credentials be checked"},{"line_number":631,"context_line":"manually for every request, leading to the potential for numerous requests"},{"line_number":632,"context_line":"to overload the system. [8]_ This is why we chose to use it as a means for"},{"line_number":633,"context_line":"authenticating requests."},{"line_number":634,"context_line":""},{"line_number":635,"context_line":"Other end user impact"},{"line_number":636,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"6f807752_c42fa4c6","line":633,"range":{"start_line":632,"start_character":29,"end_line":633,"end_character":24},"in_reply_to":"495546e8_e9facec4","updated":"2021-09-14 17:53:01.000000000","message":"Ah, that was something I meant to ask-- should we support basic auth? I can see pros and cons and meant to ask for someone who is knowledgeable\u0027s take on this.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"30fdb3c8405a2f743d5ca9e2287962810b443e61","unresolved":true,"context_lines":[{"line_number":696,"context_line":"* Write documentation for how to use and configure this functionality, for"},{"line_number":697,"context_line":"  users, administrators, and developers."},{"line_number":698,"context_line":"* Test this feature on real hardware in a way that mimics expected use cases."},{"line_number":699,"context_line":""},{"line_number":700,"context_line":"Dependencies"},{"line_number":701,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":702,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"5355e127_c411634c","line":699,"updated":"2021-09-13 21:25:50.000000000","message":"We will need a tempest test or twenty for this feature. We can help with that, as they should go fairly quickly.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":33905,"name":"Samuel Zuk","email":"szuk@redhat.com","username":"szuk"},"change_message_id":"d09ec57d6e562956bae03f68b297dfd524b220d2","unresolved":true,"context_lines":[{"line_number":696,"context_line":"* Write documentation for how to use and configure this functionality, for"},{"line_number":697,"context_line":"  users, administrators, and developers."},{"line_number":698,"context_line":"* Test this feature on real hardware in a way that mimics expected use cases."},{"line_number":699,"context_line":""},{"line_number":700,"context_line":"Dependencies"},{"line_number":701,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":702,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"25fe72a3_245ac05b","line":699,"in_reply_to":"5355e127_c411634c","updated":"2021-09-14 17:53:01.000000000","message":"For sure. As I work on implementation, I\u0027ll jot down ideas for what tests would be required as well.","commit_id":"5934cf720c676c9150c67e170fa7d72cb756a574"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"a76f5853e390a6924e07c0e7e65cef2de88bc671","unresolved":false,"context_lines":[{"line_number":67,"context_line":"with a limited feature set. This interface will provide minimal functionality,"},{"line_number":68,"context_line":"just enough to allow Redfish provisioning tools to access power controls. In"},{"line_number":69,"context_line":"the future, this emulator could be extended to provide additional features;"},{"line_number":70,"context_line":"however, this is beyond the scope of what we aim to achieve in this spec."},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"At minimum, we require a means of authentication and identification, alongside"},{"line_number":73,"context_line":"the power interfaces of the nodes themselves. Authentication and identity are"}],"source_content_type":"text/x-rst","patch_set":3,"id":"47ea06e0_4e4357d1","line":70,"updated":"2021-09-27 16:29:57.000000000","message":"I suspect the next logical step will be boot devices, boot modes and virtual media. But this, indeed, can wait.","commit_id":"a00a1c9049fe19a0176579562174461f4bc19356"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de950f38211836b51ed743a53e4b579612f90b09","unresolved":false,"context_lines":[{"line_number":67,"context_line":"with a limited feature set. This interface will provide minimal functionality,"},{"line_number":68,"context_line":"just enough to allow Redfish provisioning tools to access power controls. In"},{"line_number":69,"context_line":"the future, this emulator could be extended to provide additional features;"},{"line_number":70,"context_line":"however, this is beyond the scope of what we aim to achieve in this spec."},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"At minimum, we require a means of authentication and identification, alongside"},{"line_number":73,"context_line":"the power interfaces of the nodes themselves. Authentication and identity are"}],"source_content_type":"text/x-rst","patch_set":3,"id":"34b9a8d0_3192b7fb","line":70,"in_reply_to":"47ea06e0_4e4357d1","updated":"2021-09-27 18:56:01.000000000","message":"++","commit_id":"a00a1c9049fe19a0176579562174461f4bc19356"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"a76f5853e390a6924e07c0e7e65cef2de88bc671","unresolved":false,"context_lines":[{"line_number":105,"context_line":"   * Internally, these will initiate a request to Keystone for a scoped"},{"line_number":106,"context_line":"     authorization token, using the provided application credential. The"},{"line_number":107,"context_line":"     Session object returned to the Redfish user will essentially just be a"},{"line_number":108,"context_line":"     representation of this token."},{"line_number":109,"context_line":"   * In response, they will receive a Redfish schema-compliant Session object"},{"line_number":110,"context_line":"     in the body, as well as an authorization token and the URL of the newly"},{"line_number":111,"context_line":"     created Session\u0027s interface in the header. The auth token will be equal to"}],"source_content_type":"text/x-rst","patch_set":3,"id":"edf75603_93c510c9","line":108,"updated":"2021-09-27 16:29:57.000000000","message":"I hope nobody assumes Session IDs are short...","commit_id":"a00a1c9049fe19a0176579562174461f4bc19356"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de950f38211836b51ed743a53e4b579612f90b09","unresolved":true,"context_lines":[{"line_number":116,"context_line":"   provisioning actions their workflow calls for as long as they provide their"},{"line_number":117,"context_line":"   authorization token in the header of all such requests."},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"   * Internally, these requests are transformed into equivalent Ironic API"},{"line_number":120,"context_line":"     requests and the response from Ironic is returned to the user in the"},{"line_number":121,"context_line":"     expected Redfish format."},{"line_number":122,"context_line":"   * Since the internal requests will be made using the user\u0027s identity, the"},{"line_number":123,"context_line":"     data returned by Ironic should be no more and no less than what would"},{"line_number":124,"context_line":"     be received if done directly via interfaces such as the CLI."}],"source_content_type":"text/x-rst","patch_set":3,"id":"074e61ec_617044dc","line":121,"range":{"start_line":119,"start_character":53,"end_line":121,"end_character":28},"updated":"2021-09-27 18:56:01.000000000","message":"There is a *lot* of overhead here. I\u0027d be happy to talk through this, but cleaner would be to query the DB. If we *do* go down the path of calling the API code, please have the gets of the list of nodes be field aware. This will cut down the amount of requesst/response overhead substantiallly and also keep the memory footprint required to handle the response to a minimum, for those larger thousands of node deployments out there.","commit_id":"a00a1c9049fe19a0176579562174461f4bc19356"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"a76f5853e390a6924e07c0e7e65cef2de88bc671","unresolved":false,"context_lines":[{"line_number":165,"context_line":""},{"line_number":166,"context_line":"Regardless of the direction our implementation goes, we currently plan on"},{"line_number":167,"context_line":"integrating this into the Ironic API itself, however it could also exist"},{"line_number":168,"context_line":"independently as its own separate WSGI service."},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"Additional implementation details"},{"line_number":171,"context_line":"---------------------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fb2fcc1e_e3f6959a","line":168,"updated":"2021-09-27 16:29:57.000000000","message":"Side note: it can be a separate WSGI service within the Ironic repository, so that admins have a greater freedom.","commit_id":"a00a1c9049fe19a0176579562174461f4bc19356"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de950f38211836b51ed743a53e4b579612f90b09","unresolved":false,"context_lines":[{"line_number":165,"context_line":""},{"line_number":166,"context_line":"Regardless of the direction our implementation goes, we currently plan on"},{"line_number":167,"context_line":"integrating this into the Ironic API itself, however it could also exist"},{"line_number":168,"context_line":"independently as its own separate WSGI service."},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"Additional implementation details"},{"line_number":171,"context_line":"---------------------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"18c276e4_e8356bcd","line":168,"in_reply_to":"fb2fcc1e_e3f6959a","updated":"2021-09-27 18:56:01.000000000","message":"++","commit_id":"a00a1c9049fe19a0176579562174461f4bc19356"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"a76f5853e390a6924e07c0e7e65cef2de88bc671","unresolved":false,"context_lines":[{"line_number":190,"context_line":"be implemented by sending a request to update the expiration time of the token"},{"line_number":191,"context_line":"by a defined amount for each request made using said token. Alternatively, it"},{"line_number":192,"context_line":"can simply not be implemented and a placeholder value for the length of this"},{"line_number":193,"context_line":"timeout period can be returned to the user."},{"line_number":194,"context_line":""},{"line_number":195,"context_line":"Potentially, the difference between how the Redfish user expects Sessions to"},{"line_number":196,"context_line":"behave and how they behave in practice could cause some issues, but it would"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ed283734_14e3911f","line":193,"updated":"2021-09-27 16:29:57.000000000","message":"I\u0027d skip this detail for now. Any real-world client has to deal with the fact that session IDs expire or can disappear for other reasons (BMC reset?).","commit_id":"a00a1c9049fe19a0176579562174461f4bc19356"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de950f38211836b51ed743a53e4b579612f90b09","unresolved":false,"context_lines":[{"line_number":190,"context_line":"be implemented by sending a request to update the expiration time of the token"},{"line_number":191,"context_line":"by a defined amount for each request made using said token. Alternatively, it"},{"line_number":192,"context_line":"can simply not be implemented and a placeholder value for the length of this"},{"line_number":193,"context_line":"timeout period can be returned to the user."},{"line_number":194,"context_line":""},{"line_number":195,"context_line":"Potentially, the difference between how the Redfish user expects Sessions to"},{"line_number":196,"context_line":"behave and how they behave in practice could cause some issues, but it would"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa1b0b20_ea55ec17","line":193,"in_reply_to":"ed283734_14e3911f","updated":"2021-09-27 18:56:01.000000000","message":"++. We\u0027ve seen this happen... a lot... with some of the vendors. Most of the client code I\u0027ve seen just bombs and expect a user to start over upon expiration.","commit_id":"a00a1c9049fe19a0176579562174461f4bc19356"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"a76f5853e390a6924e07c0e7e65cef2de88bc671","unresolved":false,"context_lines":[{"line_number":214,"context_line":"* Return one item every time: the Session used to make the GET request in the"},{"line_number":215,"context_line":"  first place. This will be less expensive, poses no risk of exposing extra"},{"line_number":216,"context_line":"  data unintentionally, and should ensure compatibility (e.g. a sanity check"},{"line_number":217,"context_line":"  request to ensure the newly created Session is returned back)"},{"line_number":218,"context_line":"* Return all the Sessions created with the same credentials. This would be a"},{"line_number":219,"context_line":"  slightly more expensive operation and could potentially disclose the"},{"line_number":220,"context_line":"  existence of tokens that the user didn\u0027t intend to expose, but would play"}],"source_content_type":"text/x-rst","patch_set":3,"id":"b0bfc794_994a7fcf","line":217,"updated":"2021-09-27 16:29:57.000000000","message":"I think it\u0027s fine for the start.","commit_id":"a00a1c9049fe19a0176579562174461f4bc19356"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"a76f5853e390a6924e07c0e7e65cef2de88bc671","unresolved":false,"context_lines":[{"line_number":215,"context_line":"  first place. This will be less expensive, poses no risk of exposing extra"},{"line_number":216,"context_line":"  data unintentionally, and should ensure compatibility (e.g. a sanity check"},{"line_number":217,"context_line":"  request to ensure the newly created Session is returned back)"},{"line_number":218,"context_line":"* Return all the Sessions created with the same credentials. This would be a"},{"line_number":219,"context_line":"  slightly more expensive operation and could potentially disclose the"},{"line_number":220,"context_line":"  existence of tokens that the user didn\u0027t intend to expose, but would play"},{"line_number":221,"context_line":"  much nicer with workflows that involve provisioning multiple nodes at once."}],"source_content_type":"text/x-rst","patch_set":3,"id":"b2eb2a88_b73ca813","line":218,"updated":"2021-09-27 16:29:57.000000000","message":"Do we even have such API in keystone?","commit_id":"a00a1c9049fe19a0176579562174461f4bc19356"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"a76f5853e390a6924e07c0e7e65cef2de88bc671","unresolved":false,"context_lines":[{"line_number":244,"context_line":"for compatibility. My proposed solution is that it should be disabled unless"},{"line_number":245,"context_line":"explicitly enabled via a configuration setting, but again, I believe this"},{"line_number":246,"context_line":"warrants further discussion, particularly by those among us who are"},{"line_number":247,"context_line":"knowledgeable in cybersecurity."},{"line_number":248,"context_line":""},{"line_number":249,"context_line":"Redfish representation of Ironic node power states"},{"line_number":250,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":3,"id":"719a51b9_584a2757","line":247,"updated":"2021-09-27 16:29:57.000000000","message":"We need to support basic auth when Keystone is not enabled. In our case it\u0027s actually very cheap since we have a static file with password hashes.","commit_id":"a00a1c9049fe19a0176579562174461f4bc19356"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de950f38211836b51ed743a53e4b579612f90b09","unresolved":false,"context_lines":[{"line_number":244,"context_line":"for compatibility. My proposed solution is that it should be disabled unless"},{"line_number":245,"context_line":"explicitly enabled via a configuration setting, but again, I believe this"},{"line_number":246,"context_line":"warrants further discussion, particularly by those among us who are"},{"line_number":247,"context_line":"knowledgeable in cybersecurity."},{"line_number":248,"context_line":""},{"line_number":249,"context_line":"Redfish representation of Ironic node power states"},{"line_number":250,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":3,"id":"5eaea727_d91f52c9","line":247,"in_reply_to":"719a51b9_584a2757","updated":"2021-09-27 18:56:01.000000000","message":"And we don\u0027t need to worry about a bunch of the policy enforcement logic.","commit_id":"a00a1c9049fe19a0176579562174461f4bc19356"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"a76f5853e390a6924e07c0e7e65cef2de88bc671","unresolved":false,"context_lines":[{"line_number":271,"context_line":""},{"line_number":272,"context_line":"Three of these map cleanly onto defined Redfish power states (POWER_ON -\u003e On,"},{"line_number":273,"context_line":"POWER_OFF -\u003e Off, SOFT_POWER_OFF -\u003e Powering Off), but the Ironic \"reboot\""},{"line_number":274,"context_line":"power states do not."},{"line_number":275,"context_line":""},{"line_number":276,"context_line":"I see a few possible solutions here, one being to map both \"reboot\" states onto"},{"line_number":277,"context_line":"\"Powering On\", the other being to serve a custom schema that includes a"}],"source_content_type":"text/x-rst","patch_set":3,"id":"a31f69e2_55c0ed95","line":274,"updated":"2021-09-27 16:29:57.000000000","message":"You\u0027re confusing states with actions. What you have above for Ironic are actions, for Redfish - states. Powering Off is a transient state which in ironic corresponds to target_power_state \u003d\u003d \u0027power off\u0027.\n\nThese are Redfish actions: https://opendev.org/openstack/sushy/src/branch/master/sushy/resources/constants.py#L92-L118. As you see, reboots and soft actions are there.","commit_id":"a00a1c9049fe19a0176579562174461f4bc19356"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"a76f5853e390a6924e07c0e7e65cef2de88bc671","unresolved":false,"context_lines":[{"line_number":300,"context_line":"---------------"},{"line_number":301,"context_line":""},{"line_number":302,"context_line":"The following endpoints will be added, available beginning with a new Bare"},{"line_number":303,"context_line":"Metal API microversion. All of the endpoints below mirror those defined in"},{"line_number":304,"context_line":"version 1.0.0 of the Redfish specification [RFSHSPEC]_ and schema [RFSHSCHM]_."},{"line_number":305,"context_line":""},{"line_number":306,"context_line":"Redfish API Versions:"}],"source_content_type":"text/x-rst","patch_set":3,"id":"4d12fbb2_db432f78","line":303,"updated":"2021-09-27 16:29:57.000000000","message":"I suggest we don\u0027t microversion the Redfish API. Redfish is not compatible with our microversions.\n\nWe can raise our current microversion to indicate the presence of the new API, but nothign else.","commit_id":"a00a1c9049fe19a0176579562174461f4bc19356"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"a76f5853e390a6924e07c0e7e65cef2de88bc671","unresolved":false,"context_lines":[{"line_number":343,"context_line":"          \"Systems\": {"},{"line_number":344,"context_line":"              \"@odata.id\": \"/redfish/v1/Systems\""},{"line_number":345,"context_line":"          },"},{"line_number":346,"context_line":"          \"SessionService\": {"},{"line_number":347,"context_line":"              \"@odata.id\": \"/redfish/v1/SessionService\""},{"line_number":348,"context_line":"          },"},{"line_number":349,"context_line":"          \"@odata.id\": \"/redfish/v1/\""}],"source_content_type":"text/x-rst","patch_set":3,"id":"54196bff_ce11247d","line":346,"updated":"2021-09-27 16:29:57.000000000","message":"Let\u0027s skip SessionService if Keystone is not enabled.","commit_id":"a00a1c9049fe19a0176579562174461f4bc19356"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"de950f38211836b51ed743a53e4b579612f90b09","unresolved":false,"context_lines":[{"line_number":343,"context_line":"          \"Systems\": {"},{"line_number":344,"context_line":"              \"@odata.id\": \"/redfish/v1/Systems\""},{"line_number":345,"context_line":"          },"},{"line_number":346,"context_line":"          \"SessionService\": {"},{"line_number":347,"context_line":"              \"@odata.id\": \"/redfish/v1/SessionService\""},{"line_number":348,"context_line":"          },"},{"line_number":349,"context_line":"          \"@odata.id\": \"/redfish/v1/\""}],"source_content_type":"text/x-rst","patch_set":3,"id":"da5e0cec_4985f090","line":346,"in_reply_to":"54196bff_ce11247d","updated":"2021-09-27 18:56:01.000000000","message":"++","commit_id":"a00a1c9049fe19a0176579562174461f4bc19356"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"a76f5853e390a6924e07c0e7e65cef2de88bc671","unresolved":false,"context_lines":[{"line_number":529,"context_line":"    |             |        | authentication                             |"},{"line_number":530,"context_line":"    +-------------+--------+--------------------------------------------+"},{"line_number":531,"context_line":""},{"line_number":532,"context_line":"* GET /redfish/v1/SessionService/Sessions/{identifier}"},{"line_number":533,"context_line":""},{"line_number":534,"context_line":"  * Returns the Session with the identifier specified in the URL. Requires the"},{"line_number":535,"context_line":"    user to provide valid authentication in the request header for the session"}],"source_content_type":"text/x-rst","patch_set":3,"id":"db4ba6ff_f9873da1","line":532,"updated":"2021-09-27 16:29:57.000000000","message":"That\u0027s going to be a really ugly URL given how long keystone session IDs can be.. Can\u0027t be helped I guess?","commit_id":"a00a1c9049fe19a0176579562174461f4bc19356"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"a76f5853e390a6924e07c0e7e65cef2de88bc671","unresolved":false,"context_lines":[{"line_number":725,"context_line":"    for the resource they are attempting to access."},{"line_number":726,"context_line":"  * Accepts the following values for ResetType in the body [#]_:"},{"line_number":727,"context_line":""},{"line_number":728,"context_line":"    * \"On\" (soft power on)"},{"line_number":729,"context_line":"    * \"ForceOn\" (hard power on)"},{"line_number":730,"context_line":"    * \"GracefulShutdown\" (soft power off)"},{"line_number":731,"context_line":"    * \"ForceOff\" (hard power off)"}],"source_content_type":"text/x-rst","patch_set":3,"id":"a3635174_8dc2e288","line":728,"updated":"2021-09-27 16:29:57.000000000","message":"nit: I\u0027m not sure what they mean by \"soft power on\" in Redfish, Ironic only has power on.","commit_id":"a00a1c9049fe19a0176579562174461f4bc19356"}]}
