)]}'
{"ironic/api/controllers/v1/node.py":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"554146813ea35a225103c315c5fdd970ea690c4b","unresolved":false,"context_lines":[{"line_number":1825,"context_line":"            policy.authorize(\u0027baremetal:node:list_all\u0027, cdict, cdict)"},{"line_number":1826,"context_line":"        except exception.HTTPForbidden:"},{"line_number":1827,"context_line":"            if (api.request.version.minor \u003c versions.MINOR_50_NODE_OWNER or"},{"line_number":1828,"context_line":"                    not cdict[\"project_id\"]):"},{"line_number":1829,"context_line":"                raise"},{"line_number":1830,"context_line":"            policy.authorize(\u0027baremetal:node:list\u0027, cdict, cdict)"},{"line_number":1831,"context_line":"            owner \u003d cdict[\"project_id\"]"}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_759fcbb3","line":1828,"updated":"2019-10-29 14:46:49.000000000","message":"should we use get() here in case project_id is missing at all?","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"838d9d1bbed83eae80ca60beb968f63b5b3ad417","unresolved":false,"context_lines":[{"line_number":1825,"context_line":"            policy.authorize(\u0027baremetal:node:list_all\u0027, cdict, cdict)"},{"line_number":1826,"context_line":"        except exception.HTTPForbidden:"},{"line_number":1827,"context_line":"            if (api.request.version.minor \u003c versions.MINOR_50_NODE_OWNER or"},{"line_number":1828,"context_line":"                    not cdict[\"project_id\"]):"},{"line_number":1829,"context_line":"                raise"},{"line_number":1830,"context_line":"            policy.authorize(\u0027baremetal:node:list\u0027, cdict, cdict)"},{"line_number":1831,"context_line":"            owner \u003d cdict[\"project_id\"]"}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_8a302157","line":1828,"in_reply_to":"3fa7e38b_759fcbb3","updated":"2019-10-29 20:59:47.000000000","message":"Ah, good idea! Fixed.","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"554146813ea35a225103c315c5fdd970ea690c4b","unresolved":false,"context_lines":[{"line_number":1827,"context_line":"            if (api.request.version.minor \u003c versions.MINOR_50_NODE_OWNER or"},{"line_number":1828,"context_line":"                    not cdict[\"project_id\"]):"},{"line_number":1829,"context_line":"                raise"},{"line_number":1830,"context_line":"            policy.authorize(\u0027baremetal:node:list\u0027, cdict, cdict)"},{"line_number":1831,"context_line":"            owner \u003d cdict[\"project_id\"]"},{"line_number":1832,"context_line":""},{"line_number":1833,"context_line":"        api_utils.check_allow_specify_fields(fields)"}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_15a0d7f2","line":1830,"updated":"2019-10-29 14:46:49.000000000","message":"here we need to raise Forbidden if the requested owner is non-empty and !\u003d cdict[\"project_id\"]","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"838d9d1bbed83eae80ca60beb968f63b5b3ad417","unresolved":false,"context_lines":[{"line_number":1827,"context_line":"            if (api.request.version.minor \u003c versions.MINOR_50_NODE_OWNER or"},{"line_number":1828,"context_line":"                    not cdict[\"project_id\"]):"},{"line_number":1829,"context_line":"                raise"},{"line_number":1830,"context_line":"            policy.authorize(\u0027baremetal:node:list\u0027, cdict, cdict)"},{"line_number":1831,"context_line":"            owner \u003d cdict[\"project_id\"]"},{"line_number":1832,"context_line":""},{"line_number":1833,"context_line":"        api_utils.check_allow_specify_fields(fields)"}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_4a3ea929","line":1830,"in_reply_to":"3fa7e38b_15a0d7f2","updated":"2019-10-29 20:59:47.000000000","message":"Nice catch - fixed!","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"554146813ea35a225103c315c5fdd970ea690c4b","unresolved":false,"context_lines":[{"line_number":1903,"context_line":"                                     value."},{"line_number":1904,"context_line":"        \"\"\""},{"line_number":1905,"context_line":"        cdict \u003d api.request.context.to_policy_values()"},{"line_number":1906,"context_line":"        try:"},{"line_number":1907,"context_line":"            policy.authorize(\u0027baremetal:node:list_all\u0027, cdict, cdict)"},{"line_number":1908,"context_line":"        except exception.HTTPForbidden:"},{"line_number":1909,"context_line":"            if (api.request.version.minor \u003c versions.MINOR_50_NODE_OWNER or"}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_35a5d303","line":1906,"updated":"2019-10-29 14:46:49.000000000","message":"This snipped repeats twice already, maybe create a helper for it?","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"838d9d1bbed83eae80ca60beb968f63b5b3ad417","unresolved":false,"context_lines":[{"line_number":1903,"context_line":"                                     value."},{"line_number":1904,"context_line":"        \"\"\""},{"line_number":1905,"context_line":"        cdict \u003d api.request.context.to_policy_values()"},{"line_number":1906,"context_line":"        try:"},{"line_number":1907,"context_line":"            policy.authorize(\u0027baremetal:node:list_all\u0027, cdict, cdict)"},{"line_number":1908,"context_line":"        except exception.HTTPForbidden:"},{"line_number":1909,"context_line":"            if (api.request.version.minor \u003c versions.MINOR_50_NODE_OWNER or"}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_ada5f704","line":1906,"in_reply_to":"3fa7e38b_35a5d303","updated":"2019-10-29 20:59:47.000000000","message":"Added in utils.py","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"554146813ea35a225103c315c5fdd970ea690c4b","unresolved":false,"context_lines":[{"line_number":1909,"context_line":"            if (api.request.version.minor \u003c versions.MINOR_50_NODE_OWNER or"},{"line_number":1910,"context_line":"                    not cdict[\"project_id\"]):"},{"line_number":1911,"context_line":"                raise"},{"line_number":1912,"context_line":"            policy.authorize(\u0027baremetal:node:list\u0027, cdict, cdict)"},{"line_number":1913,"context_line":"            owner \u003d cdict[\"project_id\"]"},{"line_number":1914,"context_line":""},{"line_number":1915,"context_line":"        api_utils.check_for_invalid_state_and_allow_filter(provision_state)"}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_d5ad5fea","line":1912,"updated":"2019-10-29 14:46:49.000000000","message":"ditto","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"838d9d1bbed83eae80ca60beb968f63b5b3ad417","unresolved":false,"context_lines":[{"line_number":1909,"context_line":"            if (api.request.version.minor \u003c versions.MINOR_50_NODE_OWNER or"},{"line_number":1910,"context_line":"                    not cdict[\"project_id\"]):"},{"line_number":1911,"context_line":"                raise"},{"line_number":1912,"context_line":"            policy.authorize(\u0027baremetal:node:list\u0027, cdict, cdict)"},{"line_number":1913,"context_line":"            owner \u003d cdict[\"project_id\"]"},{"line_number":1914,"context_line":""},{"line_number":1915,"context_line":"        api_utils.check_for_invalid_state_and_allow_filter(provision_state)"}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_8da03bf5","line":1912,"in_reply_to":"3fa7e38b_d5ad5fea","updated":"2019-10-29 20:59:47.000000000","message":"Fixed (through helper)","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"554146813ea35a225103c315c5fdd970ea690c4b","unresolved":false,"context_lines":[{"line_number":1960,"context_line":"                raise exception.NotAcceptable()"},{"line_number":1961,"context_line":""},{"line_number":1962,"context_line":"        rpc_node \u003d api_utils.check_node_policy_and_retrieve("},{"line_number":1963,"context_line":"            \u0027baremetal:node:validate\u0027, node_uuid or node)"},{"line_number":1964,"context_line":""},{"line_number":1965,"context_line":"        topic \u003d api.request.rpcapi.get_topic_for(rpc_node)"},{"line_number":1966,"context_line":"        return api.request.rpcapi.validate_driver_interfaces("}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_f5aadbcf","line":1963,"updated":"2019-10-29 14:46:49.000000000","message":"nit: this is strictly speaking an API change, since the value of \u0027node\u0027 is now checked first. I don\u0027t mind it too much.","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"838d9d1bbed83eae80ca60beb968f63b5b3ad417","unresolved":false,"context_lines":[{"line_number":1960,"context_line":"                raise exception.NotAcceptable()"},{"line_number":1961,"context_line":""},{"line_number":1962,"context_line":"        rpc_node \u003d api_utils.check_node_policy_and_retrieve("},{"line_number":1963,"context_line":"            \u0027baremetal:node:validate\u0027, node_uuid or node)"},{"line_number":1964,"context_line":""},{"line_number":1965,"context_line":"        topic \u003d api.request.rpcapi.get_topic_for(rpc_node)"},{"line_number":1966,"context_line":"        return api.request.rpcapi.validate_driver_interfaces("}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_4a55494f","line":1963,"in_reply_to":"3fa7e38b_f5aadbcf","updated":"2019-10-29 20:59:47.000000000","message":"Ah, true. I think there was only this one case where this happened, so I figured a change wouldn\u0027t be too bad.","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"554146813ea35a225103c315c5fdd970ea690c4b","unresolved":false,"context_lines":[{"line_number":1998,"context_line":""},{"line_number":1999,"context_line":"        context \u003d api.request.context"},{"line_number":2000,"context_line":"        cdict \u003d context.to_policy_values()"},{"line_number":2001,"context_line":"        policy.authorize(\u0027baremetal:node:create\u0027, cdict, cdict)"},{"line_number":2002,"context_line":""},{"line_number":2003,"context_line":"        if node.conductor is not wtypes.Unset:"},{"line_number":2004,"context_line":"            msg \u003d _(\"Cannot specify conductor on node creation.\")"}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_95b3674e","line":2001,"updated":"2019-10-29 14:46:49.000000000","message":"What do we do if the user is not an administrator, and \u0027owner\u0027 is set? Or do we assume this is incorrect configuration?","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"838d9d1bbed83eae80ca60beb968f63b5b3ad417","unresolved":false,"context_lines":[{"line_number":1998,"context_line":""},{"line_number":1999,"context_line":"        context \u003d api.request.context"},{"line_number":2000,"context_line":"        cdict \u003d context.to_policy_values()"},{"line_number":2001,"context_line":"        policy.authorize(\u0027baremetal:node:create\u0027, cdict, cdict)"},{"line_number":2002,"context_line":""},{"line_number":2003,"context_line":"        if node.conductor is not wtypes.Unset:"},{"line_number":2004,"context_line":"            msg \u003d _(\"Cannot specify conductor on node creation.\")"}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_6ad7e5c0","line":2001,"in_reply_to":"3fa7e38b_95b3674e","updated":"2019-10-29 20:59:47.000000000","message":"My assumption was that we wouldn\u0027t want a non-administrator to create a node, so that \u0027baremetal:node:create\u0027 would remain an admin-only action.","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":10206,"name":"Madhuri Kumari","email":"madhuri.kumari@intel.com","username":"Madhuri"},"change_message_id":"5c32af7e00c14eec1ab39898aa4a4a307687bbdf","unresolved":false,"context_lines":[{"line_number":188,"context_line":"    def _get_boot_device(self, rpc_node, supported\u003dFalse):"},{"line_number":189,"context_line":"        \"\"\"Get the current boot device or a list of supported devices."},{"line_number":190,"context_line":""},{"line_number":191,"context_line":"        :param node_ident: the UUID or logical name of a node."},{"line_number":192,"context_line":"        :param supported: Boolean value. If true return a list of"},{"line_number":193,"context_line":"                          supported boot devices, if false return the"},{"line_number":194,"context_line":"                          current boot device. Default: False."}],"source_content_type":"text/x-python","patch_set":4,"id":"3fa7e38b_fa902652","line":191,"range":{"start_line":191,"start_character":15,"end_line":191,"end_character":25},"updated":"2019-11-06 10:47:02.000000000","message":"Please remove node_ident and add rpc_node","commit_id":"4def91511b061e35a58d1a5617358d699ba667e1"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"ac6248607e9c25f018ee6f05ff71c202897133ee","unresolved":false,"context_lines":[{"line_number":188,"context_line":"    def _get_boot_device(self, rpc_node, supported\u003dFalse):"},{"line_number":189,"context_line":"        \"\"\"Get the current boot device or a list of supported devices."},{"line_number":190,"context_line":""},{"line_number":191,"context_line":"        :param node_ident: the UUID or logical name of a node."},{"line_number":192,"context_line":"        :param supported: Boolean value. If true return a list of"},{"line_number":193,"context_line":"                          supported boot devices, if false return the"},{"line_number":194,"context_line":"                          current boot device. Default: False."}],"source_content_type":"text/x-python","patch_set":4,"id":"3fa7e38b_96754a03","line":191,"range":{"start_line":191,"start_character":15,"end_line":191,"end_character":25},"in_reply_to":"3fa7e38b_fa902652","updated":"2019-11-06 14:56:54.000000000","message":"Ah, nice catch - fixed!","commit_id":"4def91511b061e35a58d1a5617358d699ba667e1"},{"author":{"_account_id":10206,"name":"Madhuri Kumari","email":"madhuri.kumari@intel.com","username":"Madhuri"},"change_message_id":"5c32af7e00c14eec1ab39898aa4a4a307687bbdf","unresolved":false,"context_lines":[{"line_number":1983,"context_line":""},{"line_number":1984,"context_line":"        context \u003d api.request.context"},{"line_number":1985,"context_line":"        cdict \u003d context.to_policy_values()"},{"line_number":1986,"context_line":"        policy.authorize(\u0027baremetal:node:create\u0027, cdict, cdict)"},{"line_number":1987,"context_line":""},{"line_number":1988,"context_line":"        if node.conductor is not wtypes.Unset:"},{"line_number":1989,"context_line":"            msg \u003d _(\"Cannot specify conductor on node creation.\")"}],"source_content_type":"text/x-python","patch_set":4,"id":"3fa7e38b_3aaebe81","line":1986,"range":{"start_line":1986,"start_character":9,"end_line":1986,"end_character":63},"updated":"2019-11-06 10:47:02.000000000","message":"This needs to be removed. Right?\nAnd also missing the policy check.","commit_id":"4def91511b061e35a58d1a5617358d699ba667e1"},{"author":{"_account_id":10206,"name":"Madhuri Kumari","email":"madhuri.kumari@intel.com","username":"Madhuri"},"change_message_id":"65cbba4b55031c30d0f9d919ca547825915901cb","unresolved":false,"context_lines":[{"line_number":1983,"context_line":""},{"line_number":1984,"context_line":"        context \u003d api.request.context"},{"line_number":1985,"context_line":"        cdict \u003d context.to_policy_values()"},{"line_number":1986,"context_line":"        policy.authorize(\u0027baremetal:node:create\u0027, cdict, cdict)"},{"line_number":1987,"context_line":""},{"line_number":1988,"context_line":"        if node.conductor is not wtypes.Unset:"},{"line_number":1989,"context_line":"            msg \u003d _(\"Cannot specify conductor on node creation.\")"}],"source_content_type":"text/x-python","patch_set":4,"id":"3fa7e38b_16edcfb6","line":1986,"range":{"start_line":1986,"start_character":9,"end_line":1986,"end_character":63},"in_reply_to":"3fa7e38b_3666d657","updated":"2019-11-07 09:21:26.000000000","message":"Ok, I get it. Because this method creates the node, we don\u0027t need to verify the owner.","commit_id":"4def91511b061e35a58d1a5617358d699ba667e1"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"ac6248607e9c25f018ee6f05ff71c202897133ee","unresolved":false,"context_lines":[{"line_number":1983,"context_line":""},{"line_number":1984,"context_line":"        context \u003d api.request.context"},{"line_number":1985,"context_line":"        cdict \u003d context.to_policy_values()"},{"line_number":1986,"context_line":"        policy.authorize(\u0027baremetal:node:create\u0027, cdict, cdict)"},{"line_number":1987,"context_line":""},{"line_number":1988,"context_line":"        if node.conductor is not wtypes.Unset:"},{"line_number":1989,"context_line":"            msg \u003d _(\"Cannot specify conductor on node creation.\")"}],"source_content_type":"text/x-python","patch_set":4,"id":"3fa7e38b_3666d657","line":1986,"range":{"start_line":1986,"start_character":9,"end_line":1986,"end_character":63},"in_reply_to":"3fa7e38b_3aaebe81","updated":"2019-11-06 14:56:54.000000000","message":"My thought was that non-admins still should not be able to create nodes. Let me know if you disagree!","commit_id":"4def91511b061e35a58d1a5617358d699ba667e1"}],"ironic/api/controllers/v1/utils.py":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"554146813ea35a225103c315c5fdd970ea690c4b","unresolved":false,"context_lines":[{"line_number":1175,"context_line":"            rpc_node \u003d get_rpc_node(node_ident)"},{"line_number":1176,"context_line":"    except exception.NodeNotFound:"},{"line_number":1177,"context_line":"        # don\u0027t expose non-existence of node unless requester"},{"line_number":1178,"context_line":"        # has generic access to policy"},{"line_number":1179,"context_line":"        policy.authorize(policy_name, cdict, cdict)"},{"line_number":1180,"context_line":"        raise"},{"line_number":1181,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_b5b0e341","line":1178,"updated":"2019-10-29 14:46:49.000000000","message":"++","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"554146813ea35a225103c315c5fdd970ea690c4b","unresolved":false,"context_lines":[{"line_number":1180,"context_line":"        raise"},{"line_number":1181,"context_line":""},{"line_number":1182,"context_line":"    target_dict \u003d dict(cdict)"},{"line_number":1183,"context_line":"    if api.request.version.minor \u003e\u003d versions.MINOR_50_NODE_OWNER:"},{"line_number":1184,"context_line":"        target_dict[\u0027node.owner\u0027] \u003d rpc_node[\u0027owner\u0027]"},{"line_number":1185,"context_line":"    policy.authorize(policy_name, target_dict, cdict)"},{"line_number":1186,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_5583af56","line":1183,"updated":"2019-10-29 14:46:49.000000000","message":"This means you\u0027re locking down access to any client that is using an old API version. Is it intended? E.g. a perfectly working application will not be usable with owned nodes if it was written against Newton API?","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"4e71f15bd6920957fe4ff908948732dd39a79ec4","unresolved":false,"context_lines":[{"line_number":1180,"context_line":"        raise"},{"line_number":1181,"context_line":""},{"line_number":1182,"context_line":"    target_dict \u003d dict(cdict)"},{"line_number":1183,"context_line":"    if api.request.version.minor \u003e\u003d versions.MINOR_50_NODE_OWNER:"},{"line_number":1184,"context_line":"        target_dict[\u0027node.owner\u0027] \u003d rpc_node[\u0027owner\u0027]"},{"line_number":1185,"context_line":"    policy.authorize(policy_name, target_dict, cdict)"},{"line_number":1186,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_60e299d6","line":1183,"in_reply_to":"3fa7e38b_2e526413","updated":"2019-10-30 14:36:07.000000000","message":"This is not some global version, this is the version this specific requests is using. With this code it can happen that one request works, the other - fails (because it uses the base version).","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"838d9d1bbed83eae80ca60beb968f63b5b3ad417","unresolved":false,"context_lines":[{"line_number":1180,"context_line":"        raise"},{"line_number":1181,"context_line":""},{"line_number":1182,"context_line":"    target_dict \u003d dict(cdict)"},{"line_number":1183,"context_line":"    if api.request.version.minor \u003e\u003d versions.MINOR_50_NODE_OWNER:"},{"line_number":1184,"context_line":"        target_dict[\u0027node.owner\u0027] \u003d rpc_node[\u0027owner\u0027]"},{"line_number":1185,"context_line":"    policy.authorize(policy_name, target_dict, cdict)"},{"line_number":1186,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_2e526413","line":1183,"in_reply_to":"3fa7e38b_5583af56","updated":"2019-10-29 20:59:47.000000000","message":"Oh, my intention was to only try to add owner information if the Ironic API version actually supported node owners. If it doesn\u0027t, then the policy check should still pass admins.","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"940d7f89589d36eb9263a85a78390104e29671c0","unresolved":false,"context_lines":[{"line_number":1180,"context_line":"        raise"},{"line_number":1181,"context_line":""},{"line_number":1182,"context_line":"    target_dict \u003d dict(cdict)"},{"line_number":1183,"context_line":"    if api.request.version.minor \u003e\u003d versions.MINOR_50_NODE_OWNER:"},{"line_number":1184,"context_line":"        target_dict[\u0027node.owner\u0027] \u003d rpc_node[\u0027owner\u0027]"},{"line_number":1185,"context_line":"    policy.authorize(policy_name, target_dict, cdict)"},{"line_number":1186,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_7bb80a74","line":1183,"in_reply_to":"3fa7e38b_60e299d6","updated":"2019-10-30 15:19:00.000000000","message":"Ah, gotcha. Fixed!","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"3eee61cae3e86d384597d153031f87b8dc17db3e","unresolved":false,"context_lines":[{"line_number":1200,"context_line":"        policy.authorize(\u0027baremetal:node:list_all\u0027, cdict, cdict)"},{"line_number":1201,"context_line":"    except exception.HTTPForbidden:"},{"line_number":1202,"context_line":"        project_owner \u003d cdict.get(\u0027project_id\u0027)"},{"line_number":1203,"context_line":"        if (api.request.version.minor \u003c versions.MINOR_50_NODE_OWNER or"},{"line_number":1204,"context_line":"            not project_owner or (owner and owner !\u003d project_owner)):"},{"line_number":1205,"context_line":"            raise"},{"line_number":1206,"context_line":"        policy.authorize(\u0027baremetal:node:list\u0027, cdict, cdict)"},{"line_number":1207,"context_line":"        return project_owner"},{"line_number":1208,"context_line":"    return owner"}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa7e38b_c895763e","line":1205,"range":{"start_line":1203,"start_character":0,"end_line":1205,"end_character":17},"updated":"2019-11-05 10:41:37.000000000","message":"Sorry, missed this one. I think this falls under the same bucket as my previous comment: we want the policy changes to be consistent across API versions. A user doesn\u0027t have to understand the \u0027owner\u0027 field to be able to do \u0027node list\u0027.\n\nWe could introduce a separate version for this complete work. That would be quite non-trivial, thus I don\u0027t think we should go down that path.","commit_id":"c6fb3a4346400b8f0faee13853c953eede8baedf"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"0bbf7c1262f3097d2ec78a28e90f473afde7bbb4","unresolved":false,"context_lines":[{"line_number":1200,"context_line":"        policy.authorize(\u0027baremetal:node:list_all\u0027, cdict, cdict)"},{"line_number":1201,"context_line":"    except exception.HTTPForbidden:"},{"line_number":1202,"context_line":"        project_owner \u003d cdict.get(\u0027project_id\u0027)"},{"line_number":1203,"context_line":"        if (api.request.version.minor \u003c versions.MINOR_50_NODE_OWNER or"},{"line_number":1204,"context_line":"            not project_owner or (owner and owner !\u003d project_owner)):"},{"line_number":1205,"context_line":"            raise"},{"line_number":1206,"context_line":"        policy.authorize(\u0027baremetal:node:list\u0027, cdict, cdict)"},{"line_number":1207,"context_line":"        return project_owner"},{"line_number":1208,"context_line":"    return owner"}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa7e38b_18b43582","line":1205,"range":{"start_line":1203,"start_character":0,"end_line":1205,"end_character":17},"in_reply_to":"3fa7e38b_c895763e","updated":"2019-11-05 19:38:39.000000000","message":"No, I should have realized based on your earlier comment. Fixed now!","commit_id":"c6fb3a4346400b8f0faee13853c953eede8baedf"},{"author":{"_account_id":26340,"name":"Ilya Etingof","email":"etingof@gmail.com","username":"etingof"},"change_message_id":"bd78e897241b73660be5d18eb40612d877a40961","unresolved":false,"context_lines":[{"line_number":1156,"context_line":""},{"line_number":1157,"context_line":""},{"line_number":1158,"context_line":"def check_node_policy_and_retrieve(policy_name, node_ident, with_suffix\u003dFalse):"},{"line_number":1159,"context_line":"    \"\"\"Check if the specified policy is authorised for this request on a node."},{"line_number":1160,"context_line":""},{"line_number":1161,"context_line":"    :param: policy_name: Name of the policy to check."},{"line_number":1162,"context_line":"    :param: node_ident: the UUID or logical name of a node."}],"source_content_type":"text/x-python","patch_set":5,"id":"3fa7e38b_26951289","line":1159,"range":{"start_line":1159,"start_character":30,"end_line":1159,"end_character":67},"updated":"2019-11-12 11:48:34.000000000","message":"nit: authorizes this request on a node\n?","commit_id":"a3e2d206647b45be70435452bbba4b1ce7128f53"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"0f9e9544d18c2e124ad5de692fec3f752de45d76","unresolved":false,"context_lines":[{"line_number":1156,"context_line":""},{"line_number":1157,"context_line":""},{"line_number":1158,"context_line":"def check_node_policy_and_retrieve(policy_name, node_ident, with_suffix\u003dFalse):"},{"line_number":1159,"context_line":"    \"\"\"Check if the specified policy is authorised for this request on a node."},{"line_number":1160,"context_line":""},{"line_number":1161,"context_line":"    :param: policy_name: Name of the policy to check."},{"line_number":1162,"context_line":"    :param: node_ident: the UUID or logical name of a node."}],"source_content_type":"text/x-python","patch_set":5,"id":"3fa7e38b_d67949fb","line":1159,"range":{"start_line":1159,"start_character":30,"end_line":1159,"end_character":67},"in_reply_to":"3fa7e38b_26951289","updated":"2019-11-12 15:48:37.000000000","message":"Fixed!","commit_id":"a3e2d206647b45be70435452bbba4b1ce7128f53"},{"author":{"_account_id":26340,"name":"Ilya Etingof","email":"etingof@gmail.com","username":"etingof"},"change_message_id":"bd78e897241b73660be5d18eb40612d877a40961","unresolved":false,"context_lines":[{"line_number":1187,"context_line":""},{"line_number":1188,"context_line":""},{"line_number":1189,"context_line":"def check_node_list_policy(owner\u003dNone):"},{"line_number":1190,"context_line":"    \"\"\"Check if the specified policy is authorised for this request on a node."},{"line_number":1191,"context_line":""},{"line_number":1192,"context_line":"    :param: owner: owner filter for list query, if any"},{"line_number":1193,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"3fa7e38b_66f0eafe","line":1190,"range":{"start_line":1190,"start_character":40,"end_line":1190,"end_character":50},"updated":"2019-11-12 11:48:34.000000000","message":"nit: ditto","commit_id":"a3e2d206647b45be70435452bbba4b1ce7128f53"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"0f9e9544d18c2e124ad5de692fec3f752de45d76","unresolved":false,"context_lines":[{"line_number":1187,"context_line":""},{"line_number":1188,"context_line":""},{"line_number":1189,"context_line":"def check_node_list_policy(owner\u003dNone):"},{"line_number":1190,"context_line":"    \"\"\"Check if the specified policy is authorised for this request on a node."},{"line_number":1191,"context_line":""},{"line_number":1192,"context_line":"    :param: owner: owner filter for list query, if any"},{"line_number":1193,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"3fa7e38b_366a1d1b","line":1190,"range":{"start_line":1190,"start_character":40,"end_line":1190,"end_character":50},"in_reply_to":"3fa7e38b_66f0eafe","updated":"2019-11-12 15:48:37.000000000","message":"Fixed as well :)","commit_id":"a3e2d206647b45be70435452bbba4b1ce7128f53"},{"author":{"_account_id":26340,"name":"Ilya Etingof","email":"etingof@gmail.com","username":"etingof"},"change_message_id":"bd78e897241b73660be5d18eb40612d877a40961","unresolved":false,"context_lines":[{"line_number":1200,"context_line":"        policy.authorize(\u0027baremetal:node:list_all\u0027, cdict, cdict)"},{"line_number":1201,"context_line":"    except exception.HTTPForbidden:"},{"line_number":1202,"context_line":"        project_owner \u003d cdict.get(\u0027project_id\u0027)"},{"line_number":1203,"context_line":"        if (not project_owner or (owner and owner !\u003d project_owner)):"},{"line_number":1204,"context_line":"            raise"},{"line_number":1205,"context_line":"        policy.authorize(\u0027baremetal:node:list\u0027, cdict, cdict)"},{"line_number":1206,"context_line":"        return project_owner"}],"source_content_type":"text/x-python","patch_set":5,"id":"3fa7e38b_46be0e01","line":1203,"range":{"start_line":1203,"start_character":34,"end_line":1203,"end_character":39},"updated":"2019-11-12 11:48:34.000000000","message":"nit: do we need this condition?","commit_id":"a3e2d206647b45be70435452bbba4b1ce7128f53"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"0f9e9544d18c2e124ad5de692fec3f752de45d76","unresolved":false,"context_lines":[{"line_number":1200,"context_line":"        policy.authorize(\u0027baremetal:node:list_all\u0027, cdict, cdict)"},{"line_number":1201,"context_line":"    except exception.HTTPForbidden:"},{"line_number":1202,"context_line":"        project_owner \u003d cdict.get(\u0027project_id\u0027)"},{"line_number":1203,"context_line":"        if (not project_owner or (owner and owner !\u003d project_owner)):"},{"line_number":1204,"context_line":"            raise"},{"line_number":1205,"context_line":"        policy.authorize(\u0027baremetal:node:list\u0027, cdict, cdict)"},{"line_number":1206,"context_line":"        return project_owner"}],"source_content_type":"text/x-python","patch_set":5,"id":"3fa7e38b_166fe128","line":1203,"range":{"start_line":1203,"start_character":34,"end_line":1203,"end_character":39},"in_reply_to":"3fa7e38b_46be0e01","updated":"2019-11-12 15:48:37.000000000","message":"Yep - if the owner is set and doesn\u0027t equal the project owner, then we raise an error as someone is trying to bypass their project. However, if the owner is *not* set, then we can simply use the project_owner value as the owner (and so we return project_owner)","commit_id":"a3e2d206647b45be70435452bbba4b1ce7128f53"}],"ironic/common/policy.py":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"554146813ea35a225103c315c5fdd970ea690c4b","unresolved":false,"context_lines":[{"line_number":64,"context_line":"                       \u0027rule:admin_api or (rule:is_member and role:baremetal_admin)\u0027,  # noqa"},{"line_number":65,"context_line":"                       description\u003d\u0027Full read/write API access\u0027),"},{"line_number":66,"context_line":"    policy.RuleDefault(\u0027is_node_owner\u0027,"},{"line_number":67,"context_line":"                       \u0027project_id:%(node.owner)s\u0027,  # noqa"},{"line_number":68,"context_line":"                       description\u003d\u0027Owner of node\u0027),"},{"line_number":69,"context_line":"]"},{"line_number":70,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_75882b70","line":67,"updated":"2019-10-29 14:46:49.000000000","message":"nit: noqa not needed, this line is not long","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"838d9d1bbed83eae80ca60beb968f63b5b3ad417","unresolved":false,"context_lines":[{"line_number":64,"context_line":"                       \u0027rule:admin_api or (rule:is_member and role:baremetal_admin)\u0027,  # noqa"},{"line_number":65,"context_line":"                       description\u003d\u0027Full read/write API access\u0027),"},{"line_number":66,"context_line":"    policy.RuleDefault(\u0027is_node_owner\u0027,"},{"line_number":67,"context_line":"                       \u0027project_id:%(node.owner)s\u0027,  # noqa"},{"line_number":68,"context_line":"                       description\u003d\u0027Owner of node\u0027),"},{"line_number":69,"context_line":"]"},{"line_number":70,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_f323d3bc","line":67,"in_reply_to":"3fa7e38b_75882b70","updated":"2019-10-29 20:59:47.000000000","message":"Ah, right. Removed!","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"554146813ea35a225103c315c5fdd970ea690c4b","unresolved":false,"context_lines":[{"line_number":223,"context_line":""},{"line_number":224,"context_line":"port_policies \u003d ["},{"line_number":225,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":226,"context_line":"        \u0027baremetal:port:get\u0027,"},{"line_number":227,"context_line":"        \u0027rule:is_admin or rule:is_observer\u0027,"},{"line_number":228,"context_line":"        \u0027Retrieve Port records\u0027,"},{"line_number":229,"context_line":"        [{\u0027path\u0027: \u0027/ports\u0027, \u0027method\u0027: \u0027GET\u0027},"}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_1579b780","line":226,"updated":"2019-10-29 14:46:49.000000000","message":"What about ports and other resources? The ability to see (maybe even modify) ports can be quite important. I\u0027m fine if you\u0027re planning on a follow-up.","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"838d9d1bbed83eae80ca60beb968f63b5b3ad417","unresolved":false,"context_lines":[{"line_number":223,"context_line":""},{"line_number":224,"context_line":"port_policies \u003d ["},{"line_number":225,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":226,"context_line":"        \u0027baremetal:port:get\u0027,"},{"line_number":227,"context_line":"        \u0027rule:is_admin or rule:is_observer\u0027,"},{"line_number":228,"context_line":"        \u0027Retrieve Port records\u0027,"},{"line_number":229,"context_line":"        [{\u0027path\u0027: \u0027/ports\u0027, \u0027method\u0027: \u0027GET\u0027},"}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_2e1d8461","line":226,"in_reply_to":"3fa7e38b_1579b780","updated":"2019-10-29 20:59:47.000000000","message":"My plan was to handle those in a follow-up - to have this PR establish the method for exposing the API through policies, and leave changes that require a database update for successive patches.","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"3eee61cae3e86d384597d153031f87b8dc17db3e","unresolved":false,"context_lines":[{"line_number":223,"context_line":""},{"line_number":224,"context_line":"port_policies \u003d ["},{"line_number":225,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":226,"context_line":"        \u0027baremetal:port:get\u0027,"},{"line_number":227,"context_line":"        \u0027rule:is_admin or rule:is_observer\u0027,"},{"line_number":228,"context_line":"        \u0027Retrieve Port records\u0027,"},{"line_number":229,"context_line":"        [{\u0027path\u0027: \u0027/ports\u0027, \u0027method\u0027: \u0027GET\u0027},"}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_688a421b","line":226,"in_reply_to":"3fa7e38b_2e1d8461","updated":"2019-11-05 10:41:37.000000000","message":"I don\u0027t think port will require DB updates, they\u0027re still bound to node owner. I\u0027m fine with a follow-up.","commit_id":"3a533a46e7581d704c4f3174e20716232dd3f73b"}]}