)]}'
{"ironic/common/policy.py":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"f3e2d7bd97102607f7f906501810b9bc6d089f2d","unresolved":false,"context_lines":[{"line_number":50,"context_line":"# project they belong to)."},{"line_number":51,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"# This check string is reserved for actions that require the highest level of"},{"line_number":54,"context_line":"# authorization on a project or resources within the project (e.g., setting the"},{"line_number":55,"context_line":"# default volume type for a project)"},{"line_number":56,"context_line":"PROJECT_ADMIN \u003d \u0027role:admin and project_id:%(project_id)s\u0027"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"# This check string is the primary use case for typical end-users, who are"},{"line_number":59,"context_line":"# working with resources that belong to a project (e.g., creating volumes and"},{"line_number":60,"context_line":"# backups)."},{"line_number":61,"context_line":"PROJECT_MEMBER \u003d \u0027role:member and project_id:%(project_id)s\u0027"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"# This check string should only be used to protect read-only project-specific"},{"line_number":64,"context_line":"# resources. 
It should not be used to protect APIs that make writable changes"},{"line_number":65,"context_line":"# (e.g., updating a volume or deleting a backup)."},{"line_number":66,"context_line":"PROJECT_READER \u003d \u0027role:reader and project_id:%(project_id)s\u0027"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"# The following are common composite check strings that are useful for"},{"line_number":69,"context_line":"# protecting APIs designed to operate with multiple scopes (e.g., a system"}],"source_content_type":"text/x-python","patch_set":1,"id":"fffc6b78_d8180577","line":66,"range":{"start_line":53,"start_character":0,"end_line":66,"end_character":60},"updated":"2020-11-18 21:30:02.000000000","message":"So project level would make a lot of sense to just map to owner if populated, which makes me wonder if we just make that able to be toggled by config file from admin only usage.","commit_id":"176e4fdb9c5440e82d32dfa11f7a455af0ef1338"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"0046a684c06366b5e8467694c9c33e4ecc9b06d8","unresolved":true,"context_lines":[{"line_number":53,"context_line":"# This check string is reserved for actions that require the highest level of"},{"line_number":54,"context_line":"# authorization on a project or resources within the project (e.g., setting the"},{"line_number":55,"context_line":"# default volume type for a project)"},{"line_number":56,"context_line":"PROJECT_ADMIN \u003d \u0027role:admin and project_id:%(project_id)s\u0027"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"# This check string is the primary use case for typical end-users, who are"},{"line_number":59,"context_line":"# working with resources that belong to a project (e.g., creating volumes and"},{"line_number":60,"context_line":"# 
backups)."},{"line_number":61,"context_line":"PROJECT_MEMBER \u003d \u0027role:member and project_id:%(project_id)s\u0027"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"# This check string should only be used to protect read-only project-specific"},{"line_number":64,"context_line":"# resources. It should not be used to protect APIs that make writable changes"},{"line_number":65,"context_line":"# (e.g., updating a volume or deleting a backup)."},{"line_number":66,"context_line":"PROJECT_READER \u003d \u0027role:reader and project_id:%(project_id)s\u0027"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"# The following are common composite check strings that are useful for"},{"line_number":69,"context_line":"# protecting APIs designed to operate with multiple scopes (e.g., a system"}],"source_content_type":"text/x-python","patch_set":2,"id":"ea93f506_c85fb700","line":66,"range":{"start_line":56,"start_character":0,"end_line":66,"end_character":60},"updated":"2021-01-11 20:10:06.000000000","message":"we don\u0027t run with a project ID field, we have owner and lessee, so we\u0027ll need to revamp that. 
:\\","commit_id":"9a29539352d2e2a99edb3265ec7272a4bb5822ce"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"efe95269b2ca2e7492fc6811a24a5617ca54e5ea","unresolved":true,"context_lines":[{"line_number":54,"context_line":"# authorization on a project or resources within the project (e.g., setting the"},{"line_number":55,"context_line":"# default volume type for a project)"},{"line_number":56,"context_line":"PROJECT_ADMIN \u003d (\u0027(role:admin and project_id:%(owner)s or \u0027"},{"line_number":57,"context_line":"                 \u0027(role:admin and project_id:%(lessee)\u0027)"},{"line_number":58,"context_line":"# This check string is the primary use case for typical end-users, who are"},{"line_number":59,"context_line":"# working with resources that belong to a project (e.g., creating volumes and"},{"line_number":60,"context_line":"# backups)."}],"source_content_type":"text/x-python","patch_set":3,"id":"8c7886e1_fd54a56d","line":57,"updated":"2021-01-08 22:19:14.000000000","message":"Are owner and lessee always going to be supplied in the policy target? 
Or does ironic have some code somewhere that ensures those values are present for project-scoped tokens?\n\nIf so - you can shorten the check string to:\n\n  (role:admin and (project_id:%(owner)s or project_id:%(lessee)s)\n\nDepending on the code calling enforcement, you may be able to do:\n\n  target \u003d {\u0027project_id\u0027: lessee.project_id}\n  policy.enforce(policy_name, target, context)\n\nWhich could make the check string even simpler:\n\n  (role:admin and project_id:%(project_id)s)","commit_id":"c74edebca76c2dd5b5bae2fac9261a9f87705ff6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"14eb6253aabb4b82bbf350edba5886f4287e47ad","unresolved":true,"context_lines":[{"line_number":54,"context_line":"# authorization on a project or resources within the project (e.g., setting the"},{"line_number":55,"context_line":"# default volume type for a project)"},{"line_number":56,"context_line":"PROJECT_ADMIN \u003d (\u0027(role:admin and project_id:%(owner)s or \u0027"},{"line_number":57,"context_line":"                 \u0027(role:admin and project_id:%(lessee)\u0027)"},{"line_number":58,"context_line":"# This check string is the primary use case for typical end-users, who are"},{"line_number":59,"context_line":"# working with resources that belong to a project (e.g., creating volumes and"},{"line_number":60,"context_line":"# backups)."}],"source_content_type":"text/x-python","patch_set":3,"id":"fce6c4a5_f81856ad","line":57,"in_reply_to":"5268fcb2_0a8bd330","updated":"2021-01-11 20:31:13.000000000","message":"I guess changing things up to pass a dictionary values as expected makes sense.","commit_id":"c74edebca76c2dd5b5bae2fac9261a9f87705ff6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"0046a684c06366b5e8467694c9c33e4ecc9b06d8","unresolved":true,"context_lines":[{"line_number":54,"context_line":"# authorization on a project or resources within the project (e.g., setting the"},{"line_number":55,"context_line":"# default volume type for a project)"},{"line_number":56,"context_line":"PROJECT_ADMIN \u003d (\u0027(role:admin and project_id:%(owner)s or \u0027"},{"line_number":57,"context_line":"                 \u0027(role:admin and project_id:%(lessee)\u0027)"},{"line_number":58,"context_line":"# This check string is the primary use case for typical end-users, who are"},{"line_number":59,"context_line":"# working with resources that belong to a project (e.g., creating volumes and"},{"line_number":60,"context_line":"# backups)."}],"source_content_type":"text/x-python","patch_set":3,"id":"5268fcb2_0a8bd330","line":57,"in_reply_to":"8c7886e1_fd54a56d","updated":"2021-01-11 20:10:06.000000000","message":"They exist only on the node objects, but I guess we need to cross-reference. I guess the question ends up being is there a simple way to effectively join the logic and check two values.","commit_id":"c74edebca76c2dd5b5bae2fac9261a9f87705ff6"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"eae66cc169ad2f530d125856481dfe24edc8e014","unresolved":true,"context_lines":[{"line_number":59,"context_line":"# working with resources that belong to a project (e.g., creating volumes and"},{"line_number":60,"context_line":"# backups)."},{"line_number":61,"context_line":"PROJECT_MEMBER \u003d (\u0027(role:member and project_id:%(owner)s) or \u0027"},{"line_number":62,"context_line":"                  \u0027(role:member and project_id:%(lessee)s)\u0027)"},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"# This check string should only be used to protect read-only project-specific"},{"line_number":65,"context_line":"# resources. 
It should not be used to protect APIs that make writable changes"}],"source_content_type":"text/x-python","patch_set":3,"id":"8cd841f8_4e8f7db7","line":62,"updated":"2021-01-11 22:24:15.000000000","message":"Ah, I think seeing this clarifies some lingering questions I had about how this rbac change would work. Essentially: node owner and node lessee no longer trickle down to the policy as a level of permission; instead, the role does. More concretely, if we previously had:\n\n`\"baremetal:node:update\": \"rule:is_admin or rule:is_node_owner\"`\n\nWe\u0027d now have (this may not be the correct syntax):\n\n`\"baremetal:node:update\": \"rule:PROJECT_ADMIN\"`\n\nBoth an owner and a lessee with an `admin` role would match this new rule, so we would have to ensure that owners had the `admin` role while a lessee would be limited to a `member` role.\n\nIs that correct? If so, would we be able to handle the case where an owner of one node wants to become the lessee of another node?","commit_id":"c74edebca76c2dd5b5bae2fac9261a9f87705ff6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"06c6a02b1bd9788524a0956ef40a190b4fc17008","unresolved":true,"context_lines":[{"line_number":59,"context_line":"# working with resources that belong to a project (e.g., creating volumes and"},{"line_number":60,"context_line":"# backups)."},{"line_number":61,"context_line":"PROJECT_MEMBER \u003d (\u0027(role:member and project_id:%(owner)s) or \u0027"},{"line_number":62,"context_line":"                  \u0027(role:member and project_id:%(lessee)s)\u0027)"},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"# This check string should only be used to protect read-only project-specific"},{"line_number":65,"context_line":"# resources. 
It should not be used to protect APIs that make writable changes"}],"source_content_type":"text/x-python","patch_set":3,"id":"969c3b59_0ce16cd7","line":62,"in_reply_to":"8cd841f8_4e8f7db7","updated":"2021-01-14 23:02:12.000000000","message":"Going in reverse. I don\u0027t think there would be an issue of owner becoming the lessee of another node. They are two separate objects and would be two different evaluations.\n\nAs for what we would functionally have, I *think* so, but all negotiable. We could attempt to endeavour to keep them separate. That being said I don\u0027t see another way to implement any native project support with the primarily system scoped model.","commit_id":"c74edebca76c2dd5b5bae2fac9261a9f87705ff6"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"b140915236f35e731e1243ee2b24a5dc58a3b041","unresolved":true,"context_lines":[{"line_number":59,"context_line":"# working with resources that belong to a project (e.g., creating volumes and"},{"line_number":60,"context_line":"# backups)."},{"line_number":61,"context_line":"PROJECT_MEMBER \u003d (\u0027(role:member and project_id:%(owner)s) or \u0027"},{"line_number":62,"context_line":"                  \u0027(role:member and project_id:%(lessee)s)\u0027)"},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"# This check string should only be used to protect read-only project-specific"},{"line_number":65,"context_line":"# resources. 
It should not be used to protect APIs that make writable changes"}],"source_content_type":"text/x-python","patch_set":3,"id":"fae28aa9_cdc8aaba","line":62,"in_reply_to":"969c3b59_0ce16cd7","updated":"2021-01-15 03:04:21.000000000","message":"I think that\u0027s what doesn\u0027t make sense to me about defining PROJECT_ADMIN as:\n\nPROJECT_ADMIN \u003d (\u0027(role:admin and project_id:%(owner)s or \u0027\n                 \u0027(role:admin and project_id:%(lessee)\u0027)\n\nThat means if a user has the admin role in project A and leases another node, then they\u0027d have PROJECT_ADMIN access to the leased node, correct? If so, I don\u0027t know if that\u0027s what we want.","commit_id":"c74edebca76c2dd5b5bae2fac9261a9f87705ff6"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"65c76f17967cfc4bb36dd1aa40ffb86867f22446","unresolved":true,"context_lines":[{"line_number":54,"context_line":"# authorization on a project or resources within the project (e.g., setting the"},{"line_number":55,"context_line":"# default volume type for a project)"},{"line_number":56,"context_line":"PROJECT_ADMIN \u003d (\u0027role:admin and \u0027"},{"line_number":57,"context_line":"                 \u0027(project_id:%(node.owner)s or project_id:%(node.lessee)s)\u0027)"},{"line_number":58,"context_line":"# This check string is the primary use case for typical end-users, who are"},{"line_number":59,"context_line":"# working with resources that belong to a project (e.g., creating volumes and"},{"line_number":60,"context_line":"# backups)."}],"source_content_type":"text/x-python","patch_set":6,"id":"222fbd47_4a3dd0fa","line":57,"updated":"2021-01-18 16:17:28.000000000","message":"I still have some pretty big concerns regarding this. 
As I see it, if I own a node and want to lease it to user A, then I don\u0027t actually know what level of access I\u0027m granting that user, since (if I understand this correctly), it depends entirely on user A\u0027s role within their own project. I don\u0027t think we ever want a lessee to have project admin access.","commit_id":"6c7a4cb2e45223f4f54f8f4c3365e83e28caf0dd"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"8099fc943ebb4aa023f7fe80b807a2209359b8a0","unresolved":true,"context_lines":[{"line_number":54,"context_line":"# authorization on a project or resources within the project (e.g., setting the"},{"line_number":55,"context_line":"# default volume type for a project)"},{"line_number":56,"context_line":"PROJECT_ADMIN \u003d (\u0027role:admin and \u0027"},{"line_number":57,"context_line":"                 \u0027(project_id:%(node.owner)s or project_id:%(node.lessee)s)\u0027)"},{"line_number":58,"context_line":"# This check string is the primary use case for typical end-users, who are"},{"line_number":59,"context_line":"# working with resources that belong to a project (e.g., creating volumes and"},{"line_number":60,"context_line":"# backups)."}],"source_content_type":"text/x-python","patch_set":6,"id":"2c0e1d7d_90589fe4","line":57,"in_reply_to":"222fbd47_4a3dd0fa","updated":"2021-01-19 00:35:05.000000000","message":"My take is that being project-admin applies only to this node, and being a lessee of a node means its yours to do any operation for the duration of the lease.","commit_id":"6c7a4cb2e45223f4f54f8f4c3365e83e28caf0dd"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"b368dbf97611cc2ccdb854944540e548a75a1fcf","unresolved":true,"context_lines":[{"line_number":54,"context_line":"# authorization on a project or resources within the project (e.g., setting 
the"},{"line_number":55,"context_line":"# default volume type for a project)"},{"line_number":56,"context_line":"PROJECT_ADMIN \u003d (\u0027role:admin and \u0027"},{"line_number":57,"context_line":"                 \u0027(project_id:%(node.owner)s or project_id:%(node.lessee)s)\u0027)"},{"line_number":58,"context_line":"# This check string is the primary use case for typical end-users, who are"},{"line_number":59,"context_line":"# working with resources that belong to a project (e.g., creating volumes and"},{"line_number":60,"context_line":"# backups)."}],"source_content_type":"text/x-python","patch_set":6,"id":"6299b649_2a57c075","line":57,"in_reply_to":"2c0e1d7d_90589fe4","updated":"2021-01-19 01:28:30.000000000","message":"Ah, I think that\u0027s my concern - when lessees were created, it was so that they would explicitly have less permissions on a node than an owner. For example, a lessee should never be able to arbitrarily update any attribute on a node; otherwise, they could just change the owner to themselves.\n\nI think it\u0027d be a mistake to potentially allow PROJECT_ADMIN access to a lessee.","commit_id":"6c7a4cb2e45223f4f54f8f4c3365e83e28caf0dd"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"325804906f03c5a2fb62acebb64957715335b522","unresolved":true,"context_lines":[{"line_number":54,"context_line":"# authorization on a project or resources within the project (e.g., setting the"},{"line_number":55,"context_line":"# default volume type for a project)"},{"line_number":56,"context_line":"PROJECT_ADMIN \u003d (\u0027role:admin and \u0027"},{"line_number":57,"context_line":"                 \u0027(project_id:%(node.owner)s or project_id:%(node.lessee)s)\u0027)"},{"line_number":58,"context_line":"# This check string is the primary use case for typical end-users, who are"},{"line_number":59,"context_line":"# working with 
resources that belong to a project (e.g., creating volumes and"},{"line_number":60,"context_line":"# backups)."}],"source_content_type":"text/x-python","patch_set":6,"id":"92675028_ac8ba046","line":57,"in_reply_to":"6299b649_2a57c075","updated":"2021-01-20 00:29:55.000000000","message":"So turns out, I wasn\u0027t completely grasping what the concern was. Makes total sense to not have it now that I think about it. I\u0027ve removed it for now, hopefully it makes sense now.","commit_id":"6c7a4cb2e45223f4f54f8f4c3365e83e28caf0dd"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"c4de2e4bd4d5668b86660643e3e7340a9c9b611c","unresolved":false,"context_lines":[{"line_number":103,"context_line":"                       \u0027!\u0027,"},{"line_number":104,"context_line":"                       description\u003d\u0027Show or mask secrets within instance information in API responses\u0027),  # noqa"},{"line_number":105,"context_line":"    # Roles likely to be overridden by operator"},{"line_number":106,"context_line":"    # TODO(TheJulia): Lets nuke demo from high orbit."},{"line_number":107,"context_line":"    policy.RuleDefault(\u0027is_member\u0027,"},{"line_number":108,"context_line":"                       \u0027(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)\u0027,  # noqa"},{"line_number":109,"context_line":"                       description\u003d\u0027May be used to restrict access to specific projects\u0027),  # noqa"}],"source_content_type":"text/x-python","patch_set":6,"id":"ab92966f_eed8d818","line":106,"updated":"2021-01-18 16:11:38.000000000","message":"++ it\u0027s devstack specific","commit_id":"6c7a4cb2e45223f4f54f8f4c3365e83e28caf0dd"},{"author":{"_account_id":32592,"name":"Zachary 
Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"8f76649ddf3de104be9341bd53f615ff42500ed8","unresolved":true,"context_lines":[{"line_number":62,"context_line":"# authorization on a project or resources within the project (e.g., setting the"},{"line_number":63,"context_line":"# default volume type for a project)"},{"line_number":64,"context_line":"PROJECT_ADMIN \u003d (\u0027role:admin and \u0027"},{"line_number":65,"context_line":"                 \u0027(project_id:%(node.owner)s\u0027)"},{"line_number":66,"context_line":"# This check string is the primary use case for typical end-users, who are"},{"line_number":67,"context_line":"# working with resources that belong to a project (e.g., creating volumes and"},{"line_number":68,"context_line":"# backups)."}],"source_content_type":"text/x-python","patch_set":10,"id":"1924be60_87b4fd55","line":65,"updated":"2021-02-09 18:14:34.000000000","message":"Missing ) ?","commit_id":"9f884439d268c5a4d429b9f59ae17b995698535e"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"aa641789a6739814595123fc544a6effc9c474db","unresolved":false,"context_lines":[{"line_number":62,"context_line":"# authorization on a project or resources within the project (e.g., setting the"},{"line_number":63,"context_line":"# default volume type for a project)"},{"line_number":64,"context_line":"PROJECT_ADMIN \u003d (\u0027role:admin and \u0027"},{"line_number":65,"context_line":"                 \u0027(project_id:%(node.owner)s\u0027)"},{"line_number":66,"context_line":"# This check string is the primary use case for typical end-users, who are"},{"line_number":67,"context_line":"# working with resources that belong to a project (e.g., creating volumes and"},{"line_number":68,"context_line":"# 
backups)."}],"source_content_type":"text/x-python","patch_set":10,"id":"f9cb1f83_151e3db6","line":65,"in_reply_to":"1924be60_87b4fd55","updated":"2021-02-11 18:22:15.000000000","message":"Good catch! Fixing.","commit_id":"9f884439d268c5a4d429b9f59ae17b995698535e"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"37514117c4f99575e9b7b25da2f2a4a1dca7cd4a","unresolved":false,"context_lines":[{"line_number":78,"context_line":"# The following are common composite check strings that are useful for"},{"line_number":79,"context_line":"# protecting APIs designed to operate with multiple scopes (e.g., a system"},{"line_number":80,"context_line":"# administrator should be able to delete any baremetal host in the deployment,"},{"line_number":81,"context_line":"# a project member should only be able to delete hosts in their project)."},{"line_number":82,"context_line":"SYSTEM_ADMIN_OR_PROJECT_MEMBER \u003d ("},{"line_number":83,"context_line":"    \u0027(\u0027 + SYSTEM_ADMIN + \u0027) or (\u0027 + PROJECT_MEMBER + \u0027)\u0027"},{"line_number":84,"context_line":")"}],"source_content_type":"text/x-python","patch_set":12,"id":"9c121cc4_ee0a86d9","line":81,"updated":"2021-02-12 12:47:59.000000000","message":"Shouldn\u0027t this include PROJECT_ADMIN as well? 
Also, PROJECT_MEMBER can be a lessee and definitely should NOT remove nodes.","commit_id":"7610a10d04dfbdf15c704015393bee1fc9755469"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"cab95230ab7d426fbbf040a0e511f553149d1205","unresolved":false,"context_lines":[{"line_number":78,"context_line":"# The following are common composite check strings that are useful for"},{"line_number":79,"context_line":"# protecting APIs designed to operate with multiple scopes (e.g., a system"},{"line_number":80,"context_line":"# administrator should be able to delete any baremetal host in the deployment,"},{"line_number":81,"context_line":"# a project member should only be able to delete hosts in their project)."},{"line_number":82,"context_line":"SYSTEM_ADMIN_OR_PROJECT_MEMBER \u003d ("},{"line_number":83,"context_line":"    \u0027(\u0027 + SYSTEM_ADMIN + \u0027) or (\u0027 + PROJECT_MEMBER + \u0027)\u0027"},{"line_number":84,"context_line":")"}],"source_content_type":"text/x-python","patch_set":12,"id":"efefedcb_2317fbca","line":81,"in_reply_to":"9c121cc4_ee0a86d9","updated":"2021-02-12 14:59:05.000000000","message":"I\u0027m fairly sure that combination gets added later on.\n\nhttps://review.opendev.org/c/openstack/ironic/+/773924/7/ironic/common/policy.py\n\nLessee admins have even less rights, so the matrix ends up being a little different. *shrugs*","commit_id":"7610a10d04dfbdf15c704015393bee1fc9755469"}]}
