)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c4600c2379dc3816ac942e854d1645f09e3e387a","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Commit:     Julia Kreger \u003cjuliaashleykreger@gmail.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2021-02-01 13:05:06 -0800"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Implement secure RBAC for baremetal nodes"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"This commit updates the policies for baremetal nodes to understand"},{"line_number":10,"context_line":"scope checking and account for a member or read-only role."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":13,"id":"47d3d9dd_d7a544cb","line":7,"updated":"2021-02-11 21:11:12.000000000","message":"change subjects to state they are system scoped.","commit_id":"adab329fef25ba32b82085f05843951fbeab775a"}],"ironic/common/policy.py":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a80db0c7a9c63625491697d8f2d23c9f580dcdbe","unresolved":true,"context_lines":[{"line_number":616,"context_line":"        deprecated_reason\u003ddeprecated_node_reason,"},{"line_number":617,"context_line":"        deprecated_since\u003dversionutils.deprecated.WALLABY"},{"line_number":618,"context_line":"    ),"},{"line_number":619,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":620,"context_line":"        \u0027baremetal:node:disable_cleaning\u0027,"},{"line_number":621,"context_line":"        \u0027rule:baremetal:node:update\u0027,"},{"line_number":622,"context_line":"        \u0027Disable Node disk cleaning\u0027,"},{"line_number":623,"context_line":"        
operations\u003d["},{"line_number":624,"context_line":"            {\u0027path\u0027: \u0027/nodes/{node_ident}\u0027, \u0027method\u0027: \u0027PATCH\u0027}"},{"line_number":625,"context_line":"        ],"},{"line_number":626,"context_line":"        deprecated_rule\u003ddeprecated_node_bios_get,"},{"line_number":627,"context_line":"        deprecated_reason\u003ddeprecated_node_reason,"},{"line_number":628,"context_line":"        deprecated_since\u003dversionutils.deprecated.WALLABY"},{"line_number":629,"context_line":"    ),"},{"line_number":630,"context_line":"]"},{"line_number":631,"context_line":""}],"source_content_type":"text/x-python","patch_set":3,"id":"314b6ee4_9a38bd30","line":628,"range":{"start_line":619,"start_character":5,"end_line":628,"end_character":56},"updated":"2021-01-08 19:36:30.000000000","message":"This was a merge conflict from the change and it is ultimately wrong. I copied/pasted without fixing it.","commit_id":"f737684fbb8b7b3255ca13086f2fee438f1a355d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"887934ae385346f4d4f51a16cae6766341150a72","unresolved":true,"context_lines":[{"line_number":281,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":282,"context_line":"        name\u003d\u0027baremetal:node:get\u0027,"},{"line_number":283,"context_line":"        check_str\u003dSYSTEM_OR_PROJECT_READER,"},{"line_number":284,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":285,"context_line":"        description\u003d\u0027Retrieve a single Node record\u0027,"},{"line_number":286,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/nodes/{node_ident}\u0027, \u0027method\u0027: \u0027GET\u0027}],"},{"line_number":287,"context_line":"        
deprecated_rule\u003ddeprecated_node_get,"}],"source_content_type":"text/x-python","patch_set":12,"id":"7476d178_2848d3db","line":284,"updated":"2021-02-01 19:19:54.000000000","message":"Let\u0027s turn project on in a later patch. This will change the return codes, but it doesn\u0027t open things up in the interim while we\u0027re trying to get all of this sorted.","commit_id":"5da8c042de1e645045cc80d027834f90cd4d78be"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"42a954ccf381c9b78fc80096bc98945fb200fecc","unresolved":true,"context_lines":[{"line_number":281,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":282,"context_line":"        name\u003d\u0027baremetal:node:get\u0027,"},{"line_number":283,"context_line":"        check_str\u003dSYSTEM_OR_PROJECT_READER,"},{"line_number":284,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":285,"context_line":"        description\u003d\u0027Retrieve a single Node record\u0027,"},{"line_number":286,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/nodes/{node_ident}\u0027, \u0027method\u0027: \u0027GET\u0027}],"},{"line_number":287,"context_line":"        deprecated_rule\u003ddeprecated_node_get,"}],"source_content_type":"text/x-python","patch_set":12,"id":"c975b4e5_4c7588d7","line":284,"in_reply_to":"7476d178_2848d3db","updated":"2021-02-01 19:32:25.000000000","message":"Yeah - that\u0027s probably a safe path forward.\n\nTo clarify, I included project scope because I thought the rule:is_observer was meant for project users, but I think it\u0027s really a project check geared for system users, right?","commit_id":"5da8c042de1e645045cc80d027834f90cd4d78be"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"a4a1378475635c227e6cfee32f335d6a9f2e7e51","unresolved":true,"context_lines":[{"line_number":281,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":282,"context_line":"        name\u003d\u0027baremetal:node:get\u0027,"},{"line_number":283,"context_line":"        check_str\u003dSYSTEM_OR_PROJECT_READER,"},{"line_number":284,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":285,"context_line":"        description\u003d\u0027Retrieve a single Node record\u0027,"},{"line_number":286,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/nodes/{node_ident}\u0027, \u0027method\u0027: \u0027GET\u0027}],"},{"line_number":287,"context_line":"        deprecated_rule\u003ddeprecated_node_get,"}],"source_content_type":"text/x-python","patch_set":12,"id":"7720dc89_9df25011","line":284,"in_reply_to":"c975b4e5_4c7588d7","updated":"2021-02-01 20:08:51.000000000","message":"Yeah, it was intended to meet the exact need of \"reader\"","commit_id":"5da8c042de1e645045cc80d027834f90cd4d78be"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"887934ae385346f4d4f51a16cae6766341150a72","unresolved":true,"context_lines":[{"line_number":291,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":292,"context_line":"        name\u003d\u0027baremetal:node:list\u0027,"},{"line_number":293,"context_line":"        check_str\u003dSYSTEM_OR_PROJECT_READER,"},{"line_number":294,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":295,"context_line":"        description\u003d\u0027Retrieve multiple Node records, filtered by owner\u0027,"},{"line_number":296,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/nodes\u0027, \u0027method\u0027: 
\u0027GET\u0027},"},{"line_number":297,"context_line":"                    {\u0027path\u0027: \u0027/nodes/detail\u0027, \u0027method\u0027: \u0027GET\u0027}],"}],"source_content_type":"text/x-python","patch_set":12,"id":"d6fc447b_d614ab9c","line":294,"updated":"2021-02-01 19:19:54.000000000","message":"Ditto","commit_id":"5da8c042de1e645045cc80d027834f90cd4d78be"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"887934ae385346f4d4f51a16cae6766341150a72","unresolved":true,"context_lines":[{"line_number":302,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":303,"context_line":"        name\u003d\u0027baremetal:node:list_all\u0027,"},{"line_number":304,"context_line":"        check_str\u003dSYSTEM_OR_PROJECT_READER,"},{"line_number":305,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":306,"context_line":"        description\u003d\u0027Retrieve multiple Node records\u0027,"},{"line_number":307,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/nodes\u0027, \u0027method\u0027: \u0027GET\u0027},"},{"line_number":308,"context_line":"                    {\u0027path\u0027: \u0027/nodes/detail\u0027, \u0027method\u0027: \u0027GET\u0027}],"}],"source_content_type":"text/x-python","patch_set":12,"id":"49bd7529_ae03777f","line":305,"updated":"2021-02-01 19:19:54.000000000","message":"ditto","commit_id":"5da8c042de1e645045cc80d027834f90cd4d78be"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"887934ae385346f4d4f51a16cae6766341150a72","unresolved":true,"context_lines":[{"line_number":439,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":440,"context_line":"        
name\u003d\u0027baremetal:node:get_indicator_state\u0027,"},{"line_number":441,"context_line":"        check_str\u003dSYSTEM_OR_PROJECT_READER,"},{"line_number":442,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":443,"context_line":"        description\u003d\u0027Retrieve Node indicators and their states\u0027,"},{"line_number":444,"context_line":"        operations\u003d["},{"line_number":445,"context_line":"            {\u0027path\u0027: \u0027/nodes/{node_ident}/management/indicators/\u0027"}],"source_content_type":"text/x-python","patch_set":12,"id":"2c26b785_e3d29eb0","line":442,"updated":"2021-02-01 19:19:54.000000000","message":"system only?","commit_id":"5da8c042de1e645045cc80d027834f90cd4d78be"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"887934ae385346f4d4f51a16cae6766341150a72","unresolved":true,"context_lines":[{"line_number":484,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":485,"context_line":"        name\u003d\u0027baremetal:node:get_states\u0027,"},{"line_number":486,"context_line":"        check_str\u003dSYSTEM_OR_PROJECT_READER,"},{"line_number":487,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":488,"context_line":"        description\u003d\u0027View Node power and provision state\u0027,"},{"line_number":489,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/nodes/{node_ident}/states\u0027, \u0027method\u0027: \u0027GET\u0027}],"},{"line_number":490,"context_line":"        deprecated_rule\u003ddeprecated_node_get_states,"}],"source_content_type":"text/x-python","patch_set":12,"id":"76613e65_672639b9","line":487,"updated":"2021-02-01 19:19:54.000000000","message":"project 
later?","commit_id":"5da8c042de1e645045cc80d027834f90cd4d78be"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"887934ae385346f4d4f51a16cae6766341150a72","unresolved":true,"context_lines":[{"line_number":589,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":590,"context_line":"        name\u003d\u0027baremetal:node:traits:list\u0027,"},{"line_number":591,"context_line":"        check_str\u003dSYSTEM_OR_PROJECT_READER,"},{"line_number":592,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":593,"context_line":"        description\u003d\u0027List node traits\u0027,"},{"line_number":594,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/nodes/{node_ident}/traits\u0027, \u0027method\u0027: \u0027GET\u0027}],"},{"line_number":595,"context_line":"        deprecated_rule\u003ddeprecated_node_traits_list,"}],"source_content_type":"text/x-python","patch_set":12,"id":"da3704ac_ed3bf54a","line":592,"updated":"2021-02-01 19:19:54.000000000","message":"Project later","commit_id":"5da8c042de1e645045cc80d027834f90cd4d78be"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"887934ae385346f4d4f51a16cae6766341150a72","unresolved":true,"context_lines":[{"line_number":640,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":641,"context_line":"        name\u003d\u0027baremetal:node:disable_cleaning\u0027,"},{"line_number":642,"context_line":"        check_str\u003d\u0027rule:baremetal:node:update\u0027,"},{"line_number":643,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":644,"context_line":"        description\u003d\u0027Disable Node disk 
cleaning\u0027,"},{"line_number":645,"context_line":"        operations\u003d["},{"line_number":646,"context_line":"            {\u0027path\u0027: \u0027/nodes/{node_ident}\u0027, \u0027method\u0027: \u0027PATCH\u0027}"}],"source_content_type":"text/x-python","patch_set":12,"id":"08474941_78d60522","line":643,"updated":"2021-02-01 19:19:54.000000000","message":"project later","commit_id":"5da8c042de1e645045cc80d027834f90cd4d78be"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"ead14fe45bf87f58ea96a3ac21836872aef71a47","unresolved":true,"context_lines":[{"line_number":263,"context_line":"    check_str\u003d\u0027rule:baremetal:node:update\u0027,"},{"line_number":264,"context_line":")"},{"line_number":265,"context_line":"deprecated_node_reason \u003d \"\"\""},{"line_number":266,"context_line":"The baremetal node API is now aware of system scope and default roles."},{"line_number":267,"context_line":"\"\"\""},{"line_number":268,"context_line":""},{"line_number":269,"context_line":""}],"source_content_type":"text/x-python","patch_set":13,"id":"4b5b7e07_6745bc8b","line":266,"updated":"2021-02-09 19:55:30.000000000","message":"This reason message is a bit terse, and should be improved. 
I think minimally this could link to the Ironic \"Secure RBAC\" spec.","commit_id":"adab329fef25ba32b82085f05843951fbeab775a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c4600c2379dc3816ac942e854d1645f09e3e387a","unresolved":true,"context_lines":[{"line_number":263,"context_line":"    check_str\u003d\u0027rule:baremetal:node:update\u0027,"},{"line_number":264,"context_line":")"},{"line_number":265,"context_line":"deprecated_node_reason \u003d \"\"\""},{"line_number":266,"context_line":"The baremetal node API is now aware of system scope and default roles."},{"line_number":267,"context_line":"\"\"\""},{"line_number":268,"context_line":""},{"line_number":269,"context_line":""}],"source_content_type":"text/x-python","patch_set":13,"id":"f44a5f94_997c15ea","line":266,"in_reply_to":"4b5b7e07_6745bc8b","updated":"2021-02-11 21:11:12.000000000","message":"This ends up getting embedded in the API response so I\u0027m not entirely sure we want to embed the URL. 
Anyway, I\u0027ve updated the message.","commit_id":"adab329fef25ba32b82085f05843951fbeab775a"},{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"ead14fe45bf87f58ea96a3ac21836872aef71a47","unresolved":true,"context_lines":[{"line_number":274,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":275,"context_line":"        description\u003d\u0027Create Node records\u0027,"},{"line_number":276,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/nodes\u0027, \u0027method\u0027: \u0027POST\u0027}],"},{"line_number":277,"context_line":"        deprecated_rule\u003ddeprecated_node_create,"},{"line_number":278,"context_line":"        deprecated_reason\u003ddeprecated_node_reason,"},{"line_number":279,"context_line":"        deprecated_since\u003dversionutils.deprecated.WALLABY"},{"line_number":280,"context_line":"    ),"}],"source_content_type":"text/x-python","patch_set":13,"id":"899566b2_0755decd","line":277,"updated":"2021-02-09 19:55:30.000000000","message":"The interaction between \"deprecated_rule\" and \"enforce_new_defaults\" appears to have the effect that the default behavior is ~inexpressible via the policy file, and in particular setting the generated default values in the policy file will result in different behavior from the in-code default behavior.\n\nThis isn\u0027t a particularly bad thing, but might be surprising for operators. 
Words to the effect of \"the default behavior is inexpressible via the policy file\" should at least be very clearly and visibly explained in release notes.","commit_id":"adab329fef25ba32b82085f05843951fbeab775a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c4600c2379dc3816ac942e854d1645f09e3e387a","unresolved":true,"context_lines":[{"line_number":274,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":275,"context_line":"        description\u003d\u0027Create Node records\u0027,"},{"line_number":276,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/nodes\u0027, \u0027method\u0027: \u0027POST\u0027}],"},{"line_number":277,"context_line":"        deprecated_rule\u003ddeprecated_node_create,"},{"line_number":278,"context_line":"        deprecated_reason\u003ddeprecated_node_reason,"},{"line_number":279,"context_line":"        deprecated_since\u003dversionutils.deprecated.WALLABY"},{"line_number":280,"context_line":"    ),"}],"source_content_type":"text/x-python","patch_set":13,"id":"3b460d1d_233764b7","line":277,"in_reply_to":"899566b2_0755decd","updated":"2021-02-11 21:11:12.000000000","message":"Went ahead and added a release note to try and capture this and point back to the prior documentation as a resource.","commit_id":"adab329fef25ba32b82085f05843951fbeab775a"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"463e0921c4fb0794aab55ddba1eb64607898b62b","unresolved":true,"context_lines":[{"line_number":345,"context_line":"    # TODO(TheJulia): Explicit RBAC testing needed for this."},{"line_number":346,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":347,"context_line":"        name\u003d\u0027baremetal:node:update_owner_provisioned\u0027,"},{"line_number":348,"context_line":"        
check_str\u003dSYSTEM_MEMBER,"},{"line_number":349,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":350,"context_line":"        description\u003d\u0027Update Node owner even when Node is provisioned\u0027,"},{"line_number":351,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/nodes/{node_ident}\u0027, \u0027method\u0027: \u0027PATCH\u0027}],"}],"source_content_type":"text/x-python","patch_set":13,"id":"73ac9a2c_00cb6789","line":348,"range":{"start_line":348,"start_character":18,"end_line":348,"end_character":31},"updated":"2021-02-03 20:51:24.000000000","message":"This seems like a special case which should be only done by a SYSTEM_ADMIN. This is not a strong opinion, I just want to start the discussion.","commit_id":"adab329fef25ba32b82085f05843951fbeab775a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c4600c2379dc3816ac942e854d1645f09e3e387a","unresolved":true,"context_lines":[{"line_number":345,"context_line":"    # TODO(TheJulia): Explicit RBAC testing needed for this."},{"line_number":346,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":347,"context_line":"        name\u003d\u0027baremetal:node:update_owner_provisioned\u0027,"},{"line_number":348,"context_line":"        check_str\u003dSYSTEM_MEMBER,"},{"line_number":349,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":350,"context_line":"        description\u003d\u0027Update Node owner even when Node is provisioned\u0027,"},{"line_number":351,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/nodes/{node_ident}\u0027, \u0027method\u0027: 
\u0027PATCH\u0027}],"}],"source_content_type":"text/x-python","patch_set":13,"id":"e5727357_92aaa2f8","line":348,"range":{"start_line":348,"start_character":18,"end_line":348,"end_character":31},"in_reply_to":"73ac9a2c_00cb6789","updated":"2021-02-11 21:11:12.000000000","message":"I guess while provisioned can make sense. In project scoping I\u0027m adding a second parameter as well for general catching.\n\nAt the same time, from the standpoint of \"a do-er\", system-member is the \"do-er\", whereas the admin is the \"creator\". I don\u0027t have strong feelings either way, but I think it being system scoped is kind of special as well.","commit_id":"adab329fef25ba32b82085f05843951fbeab775a"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"463e0921c4fb0794aab55ddba1eb64607898b62b","unresolved":true,"context_lines":[{"line_number":639,"context_line":"    ),"},{"line_number":640,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":641,"context_line":"        name\u003d\u0027baremetal:node:disable_cleaning\u0027,"},{"line_number":642,"context_line":"        check_str\u003d\u0027rule:baremetal:node:update\u0027,"},{"line_number":643,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":644,"context_line":"        description\u003d\u0027Disable Node disk cleaning\u0027,"},{"line_number":645,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":13,"id":"c1c0f636_58a375da","line":642,"updated":"2021-02-03 20:51:24.000000000","message":"This rule is the same as the deprecated one, it should be SYSTEM_MEMBER","commit_id":"adab329fef25ba32b82085f05843951fbeab775a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"c4600c2379dc3816ac942e854d1645f09e3e387a","unresolved":false,"context_lines":[{"line_number":639,"context_line":"    ),"},{"line_number":640,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":641,"context_line":"        name\u003d\u0027baremetal:node:disable_cleaning\u0027,"},{"line_number":642,"context_line":"        check_str\u003d\u0027rule:baremetal:node:update\u0027,"},{"line_number":643,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":644,"context_line":"        description\u003d\u0027Disable Node disk cleaning\u0027,"},{"line_number":645,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":13,"id":"8155a1b2_282d3cba","line":642,"in_reply_to":"c1c0f636_58a375da","updated":"2021-02-11 21:11:12.000000000","message":"Done.","commit_id":"adab329fef25ba32b82085f05843951fbeab775a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cc9dc2c68610a33a67eadff2b8ee467427e133a7","unresolved":true,"context_lines":[{"line_number":272,"context_line":"node_policies \u003d ["},{"line_number":273,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":274,"context_line":"        name\u003d\u0027baremetal:node:create\u0027,"},{"line_number":275,"context_line":"        check_str\u003dSYSTEM_ADMIN,"},{"line_number":276,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":277,"context_line":"        description\u003d\u0027Create Node records\u0027,"},{"line_number":278,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/nodes\u0027, \u0027method\u0027: \u0027POST\u0027}],"}],"source_content_type":"text/x-python","patch_set":16,"id":"19014124_8c451a96","line":275,"range":{"start_line":275,"start_character":18,"end_line":275,"end_character":30},"updated":"2021-02-15 15:30:43.000000000","message":"Just so I understand things correctly, 
we\u0027re reserving create and delete operations for system-admins. But, we\u0027re allowing system-members to update and manage those baremetal nodes as the default, correct?","commit_id":"1bfefae05e226db3e7ef6b2f4a1c8df07fe7d739"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"bf30fd9985dc1d6b5f6a6a846eda440e3a358238","unresolved":true,"context_lines":[{"line_number":272,"context_line":"node_policies \u003d ["},{"line_number":273,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":274,"context_line":"        name\u003d\u0027baremetal:node:create\u0027,"},{"line_number":275,"context_line":"        check_str\u003dSYSTEM_ADMIN,"},{"line_number":276,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":277,"context_line":"        description\u003d\u0027Create Node records\u0027,"},{"line_number":278,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/nodes\u0027, \u0027method\u0027: \u0027POST\u0027}],"}],"source_content_type":"text/x-python","patch_set":16,"id":"60ab4edd_4268cb48","line":275,"range":{"start_line":275,"start_character":18,"end_line":275,"end_character":30},"in_reply_to":"19014124_8c451a96","updated":"2021-02-15 17:14:55.000000000","message":"Correct. The number one problem we see with people trying to escape hatch themselves out of problems is just deleting/re-adding the node, so this also helps discourage that as well. 
Keep in mind these are finite resources that are being managed and this allows operators to restrict down the rights of say nova-compute.","commit_id":"1bfefae05e226db3e7ef6b2f4a1c8df07fe7d739"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1893b0f61a3058ada9da1db9b6f4867bd37302e6","unresolved":false,"context_lines":[{"line_number":272,"context_line":"node_policies \u003d ["},{"line_number":273,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":274,"context_line":"        name\u003d\u0027baremetal:node:create\u0027,"},{"line_number":275,"context_line":"        check_str\u003dSYSTEM_ADMIN,"},{"line_number":276,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":277,"context_line":"        description\u003d\u0027Create Node records\u0027,"},{"line_number":278,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/nodes\u0027, \u0027method\u0027: \u0027POST\u0027}],"}],"source_content_type":"text/x-python","patch_set":16,"id":"ef8b1a41_7739eea1","line":275,"range":{"start_line":275,"start_character":18,"end_line":275,"end_character":30},"in_reply_to":"60ab4edd_4268cb48","updated":"2021-02-16 05:51:46.000000000","message":"Ack, thanks for the clarification.","commit_id":"1bfefae05e226db3e7ef6b2f4a1c8df07fe7d739"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"6d66898cff6ee72ec35d9908c997bfea6170434f","unresolved":true,"context_lines":[{"line_number":347,"context_line":"    # TODO(TheJulia): Explicit RBAC testing needed for this."},{"line_number":348,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":349,"context_line":"        name\u003d\u0027baremetal:node:update_owner_provisioned\u0027,"},{"line_number":350,"context_line":"        check_str\u003dSYSTEM_MEMBER,"},{"line_number":351,"context_line":"        
scope_types\u003d[\u0027system\u0027],"},{"line_number":352,"context_line":"        description\u003d\u0027Update Node owner even when Node is provisioned\u0027,"},{"line_number":353,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/nodes/{node_ident}\u0027, \u0027method\u0027: \u0027PATCH\u0027}],"}],"source_content_type":"text/x-python","patch_set":17,"id":"55a4d97b_3f4d5381","line":350,"updated":"2021-02-22 14:14:16.000000000","message":"This likely should be ADMIN, it\u0027s a dangerous operation","commit_id":"b0d8d14065ba5495c5f5b6b811d55a99b5a11cb5"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"6d66898cff6ee72ec35d9908c997bfea6170434f","unresolved":true,"context_lines":[{"line_number":641,"context_line":"    ),"},{"line_number":642,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":643,"context_line":"        name\u003d\u0027baremetal:node:disable_cleaning\u0027,"},{"line_number":644,"context_line":"        check_str\u003dSYSTEM_MEMBER,"},{"line_number":645,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":646,"context_line":"        description\u003d\u0027Disable Node disk cleaning\u0027,"},{"line_number":647,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":17,"id":"4872619b_698a35e1","line":644,"updated":"2021-02-22 14:14:16.000000000","message":"Same, should be ADMIN by default.","commit_id":"b0d8d14065ba5495c5f5b6b811d55a99b5a11cb5"}],"ironic/tests/unit/api/test_acl.py":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"50d78b8f82139525254bf455e42648456f0cc3eb","unresolved":true,"context_lines":[{"line_number":245,"context_line":"    @ddt.unpack"},{"line_number":246,"context_line":"    def test_rbac_legacy(self, 
**kwargs):"},{"line_number":247,"context_line":"        self._check_skip(**kwargs)"},{"line_number":248,"context_line":"        self._test_request(**kwargs)"},{"line_number":249,"context_line":""},{"line_number":250,"context_line":""},{"line_number":251,"context_line":"@ddt.ddt"}],"source_content_type":"text/x-python","patch_set":13,"id":"98c0758e_1b111e49","side":"PARENT","line":248,"updated":"2021-02-09 19:12:32.000000000","message":"Source of confusion here: external reviewers don\u0027t know these values are false by default, at least for now, so we need to explicitly state/run these tests with false. We also need a note in here explaining that the oslo policy defaults are likely to change, which is why we\u0027re testing the default.","commit_id":"9f884439d268c5a4d429b9f59ae17b995698535e"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c4600c2379dc3816ac942e854d1645f09e3e387a","unresolved":false,"context_lines":[{"line_number":245,"context_line":"    @ddt.unpack"},{"line_number":246,"context_line":"    def test_rbac_legacy(self, **kwargs):"},{"line_number":247,"context_line":"        self._check_skip(**kwargs)"},{"line_number":248,"context_line":"        self._test_request(**kwargs)"},{"line_number":249,"context_line":""},{"line_number":250,"context_line":""},{"line_number":251,"context_line":"@ddt.ddt"}],"source_content_type":"text/x-python","patch_set":13,"id":"69daeabb_0cee38a7","side":"PARENT","line":248,"in_reply_to":"98c0758e_1b111e49","updated":"2021-02-11 21:11:12.000000000","message":"Done","commit_id":"9f884439d268c5a4d429b9f59ae17b995698535e"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"c8da59be65f0f57eb635cb6c56923a19948c9ae4","unresolved":true,"context_lines":[{"line_number":146,"context_line":"            # NOTE(TheJulia): Everything, once migrated, should"},{"line_number":147,"context_line":"            # return a 403."},{"line_number":148,"context_line":"            print(\u0027response\u0027)"},{"line_number":149,"context_line":"            print(response.status)"},{"line_number":150,"context_line":"            self.assertEqual(assert_status, response.status_int)"},{"line_number":151,"context_line":"        if bool(deprecated):"},{"line_number":152,"context_line":"            return"}],"source_content_type":"text/x-python","patch_set":13,"id":"fc69074a_9a169e5e","line":149,"updated":"2021-02-09 19:04:02.000000000","message":"We should be checking the else case for the conditional.","commit_id":"adab329fef25ba32b82085f05843951fbeab775a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c4600c2379dc3816ac942e854d1645f09e3e387a","unresolved":false,"context_lines":[{"line_number":146,"context_line":"            # NOTE(TheJulia): Everything, once migrated, should"},{"line_number":147,"context_line":"            # return a 403."},{"line_number":148,"context_line":"            print(\u0027response\u0027)"},{"line_number":149,"context_line":"            print(response.status)"},{"line_number":150,"context_line":"            self.assertEqual(assert_status, response.status_int)"},{"line_number":151,"context_line":"        if bool(deprecated):"},{"line_number":152,"context_line":"            return"}],"source_content_type":"text/x-python","patch_set":13,"id":"1117e0c5_4cddd202","line":149,"in_reply_to":"fc69074a_9a169e5e","updated":"2021-02-11 21:11:12.000000000","message":"Done","commit_id":"adab329fef25ba32b82085f05843951fbeab775a"},{"author":{"_account_id":10342,"name":"Jay 
Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"bb3230cdad96bb820d17a02827201f25e8b08101","unresolved":true,"context_lines":[{"line_number":97,"context_line":"        if headers:"},{"line_number":98,"context_line":"            for k, v in headers.items():"},{"line_number":99,"context_line":"                rheaders[k] \u003d v.format(**self.format_data)"},{"line_number":100,"context_line":"        print(rheaders)"},{"line_number":101,"context_line":"        if method \u003d\u003d \u0027get\u0027:"},{"line_number":102,"context_line":"            response \u003d self.get_json("},{"line_number":103,"context_line":"                path,"}],"source_content_type":"text/x-python","patch_set":15,"id":"5884097c_9b390de8","line":100,"updated":"2021-02-11 23:24:23.000000000","message":"Intended to leave this here? The other prints() have had additional text alongside the test data.","commit_id":"3883216a160cbe2a4532d3d491cfbdb08f6eb5b8"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"fc6cd05b1b6064ffa064ec859a599110080bb8d5","unresolved":false,"context_lines":[{"line_number":97,"context_line":"        if headers:"},{"line_number":98,"context_line":"            for k, v in headers.items():"},{"line_number":99,"context_line":"                rheaders[k] \u003d v.format(**self.format_data)"},{"line_number":100,"context_line":"        print(rheaders)"},{"line_number":101,"context_line":"        if method \u003d\u003d \u0027get\u0027:"},{"line_number":102,"context_line":"            response \u003d self.get_json("},{"line_number":103,"context_line":"                path,"}],"source_content_type":"text/x-python","patch_set":15,"id":"1c3e15eb_4f8c8bba","line":100,"in_reply_to":"5884097c_9b390de8","updated":"2021-02-12 15:26:58.000000000","message":"I\u0027m 
nuking these, basically we don\u0027t seem to need them now.","commit_id":"3883216a160cbe2a4532d3d491cfbdb08f6eb5b8"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"bb3230cdad96bb820d17a02827201f25e8b08101","unresolved":true,"context_lines":[{"line_number":150,"context_line":"                and cfg.CONF.oslo_policy.enforce_new_defaults):"},{"line_number":151,"context_line":"            # NOTE(TheJulia): Everything, once migrated, should"},{"line_number":152,"context_line":"            # return a 403."},{"line_number":153,"context_line":"            print(\u0027response\u0027)"},{"line_number":154,"context_line":"            print(response.status)"},{"line_number":155,"context_line":"            self.assertEqual(assert_status, response.status_int)"},{"line_number":156,"context_line":"        else:"}],"source_content_type":"text/x-python","patch_set":15,"id":"59a3eded_c1fc5c92","line":153,"updated":"2021-02-11 23:24:23.000000000","message":"same as above","commit_id":"3883216a160cbe2a4532d3d491cfbdb08f6eb5b8"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"fc6cd05b1b6064ffa064ec859a599110080bb8d5","unresolved":false,"context_lines":[{"line_number":150,"context_line":"                and cfg.CONF.oslo_policy.enforce_new_defaults):"},{"line_number":151,"context_line":"            # NOTE(TheJulia): Everything, once migrated, should"},{"line_number":152,"context_line":"            # return a 403."},{"line_number":153,"context_line":"            print(\u0027response\u0027)"},{"line_number":154,"context_line":"            print(response.status)"},{"line_number":155,"context_line":"            self.assertEqual(assert_status, response.status_int)"},{"line_number":156,"context_line":"        
else:"}],"source_content_type":"text/x-python","patch_set":15,"id":"7b3a613e_8a3a5735","line":153,"in_reply_to":"59a3eded_c1fc5c92","updated":"2021-02-12 15:26:58.000000000","message":"Same as above *2 :)","commit_id":"3883216a160cbe2a4532d3d491cfbdb08f6eb5b8"}],"ironic/tests/unit/api/test_rbac_system_scoped.yaml":[{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"463e0921c4fb0794aab55ddba1eb64607898b62b","unresolved":true,"context_lines":[{"line_number":41,"context_line":"  body: \u0026node_post_body"},{"line_number":42,"context_line":"    name: node"},{"line_number":43,"context_line":"    driver: fake-driverz"},{"line_number":44,"context_line":"  assert_status: 503 "},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"nodes_post_member:"},{"line_number":47,"context_line":"  path: \u0027/v1/nodes\u0027"}],"source_content_type":"text/x-yaml","patch_set":13,"id":"5a05db56_b187622f","line":44,"range":{"start_line":44,"start_character":20,"end_line":44,"end_character":21},"updated":"2021-02-03 20:51:24.000000000","message":"nit: whitespace","commit_id":"adab329fef25ba32b82085f05843951fbeab775a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c4600c2379dc3816ac942e854d1645f09e3e387a","unresolved":false,"context_lines":[{"line_number":41,"context_line":"  body: \u0026node_post_body"},{"line_number":42,"context_line":"    name: node"},{"line_number":43,"context_line":"    driver: fake-driverz"},{"line_number":44,"context_line":"  assert_status: 503 "},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"nodes_post_member:"},{"line_number":47,"context_line":"  path: 
\u0027/v1/nodes\u0027"}],"source_content_type":"text/x-yaml","patch_set":13,"id":"503fb45a_75686114","line":44,"range":{"start_line":44,"start_character":20,"end_line":44,"end_character":21},"in_reply_to":"5a05db56_b187622f","updated":"2021-02-11 21:11:12.000000000","message":"Done","commit_id":"adab329fef25ba32b82085f05843951fbeab775a"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"7d89e6fd97a751434bbc1f3b662da4de14f43672","unresolved":true,"context_lines":[{"line_number":2093,"context_line":"  assert_status: 403"},{"line_number":2094,"context_line":"  skip_reason: not updated for scope testing"},{"line_number":2095,"context_line":""},{"line_number":2096,"context_line":"chassis_post_member:"},{"line_number":2097,"context_line":"  path: \u0027/v1/chassis\u0027"},{"line_number":2098,"context_line":"  method: post"},{"line_number":2099,"context_line":"  headers: *observer_headers"}],"source_content_type":"text/x-yaml","patch_set":13,"id":"5a055e72_cc861cba","line":2096,"range":{"start_line":2096,"start_character":0,"end_line":2096,"end_character":19},"updated":"2021-02-03 21:17:05.000000000","message":"chassis_post_observer","commit_id":"adab329fef25ba32b82085f05843951fbeab775a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c4600c2379dc3816ac942e854d1645f09e3e387a","unresolved":false,"context_lines":[{"line_number":2093,"context_line":"  assert_status: 403"},{"line_number":2094,"context_line":"  skip_reason: not updated for scope testing"},{"line_number":2095,"context_line":""},{"line_number":2096,"context_line":"chassis_post_member:"},{"line_number":2097,"context_line":"  path: \u0027/v1/chassis\u0027"},{"line_number":2098,"context_line":"  method: post"},{"line_number":2099,"context_line":"  headers: 
*observer_headers"}],"source_content_type":"text/x-yaml","patch_set":13,"id":"6663d243_4c5ee10a","line":2096,"range":{"start_line":2096,"start_character":0,"end_line":2096,"end_character":19},"in_reply_to":"5a055e72_cc861cba","updated":"2021-02-11 21:11:12.000000000","message":"Done","commit_id":"adab329fef25ba32b82085f05843951fbeab775a"}],"releasenotes/notes/system-scoped-authentication-28e3651de250bea8.yaml":[{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"bb3230cdad96bb820d17a02827201f25e8b08101","unresolved":true,"context_lines":[{"line_number":5,"context_line":"    ``system`` scoped ``keystone`` authentication for the node endpoint."},{"line_number":6,"context_line":"upgrade:"},{"line_number":7,"context_line":"  - |"},{"line_number":8,"context_line":"    Deprecated policy rules are not expressed via a default policy file"},{"line_number":9,"context_line":"    generation from the source code. The generated default policy file"},{"line_number":10,"context_line":"    indicates the new default policies with notes on the deprecation"},{"line_number":11,"context_line":"    to which ``oslo.policy`` falls back to, until the"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"4594b410_fbb90e91","line":8,"updated":"2021-02-11 23:24:23.000000000","message":"Is this OK? 
This seems like a regression for operator documentation.\n\nIs this some limitation we imposed, or just part of the larger oslo_policy changes?","commit_id":"3883216a160cbe2a4532d3d491cfbdb08f6eb5b8"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"33ade1cc3d2027610c37834c0a10f390761bf96e","unresolved":true,"context_lines":[{"line_number":5,"context_line":"    ``system`` scoped ``keystone`` authentication for the node endpoint."},{"line_number":6,"context_line":"upgrade:"},{"line_number":7,"context_line":"  - |"},{"line_number":8,"context_line":"    Deprecated policy rules are not expressed via a default policy file"},{"line_number":9,"context_line":"    generation from the source code. The generated default policy file"},{"line_number":10,"context_line":"    indicates the new default policies with notes on the deprecation"},{"line_number":11,"context_line":"    to which ``oslo.policy`` falls back to, until the"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"9e6d679f_1e77a289","line":8,"in_reply_to":"4594b410_fbb90e91","updated":"2021-02-12 15:21:44.000000000","message":"It does detail it, if I remember correctly, but it doesn\u0027t detail the entire rule that is effectively parsed. This is part of the larger set of oslo.policy changes since the older rule is being deprecated at the same time. This is exactly what it spits out from the sample policy file generator:\n\n# DEPRECATED\n# \"baremetal:node:list\":\"rule:baremetal:node:get\" has been deprecated\n# since W in favor of \"baremetal:node:list\":\"role:reader and\n# system_scope:all\".\n# The baremetal node API is now aware of system scope and default\n# roles. 
Capability to fallback to legacy admin project policy\n# configuration will be removed in the Xena release of Ironic.\n\n# Retrieve multiple Node records\n# GET  /nodes\n# GET  /nodes/detail\n# Intended scope(s): system\n#\"baremetal:node:list_all\": \"role:reader and system_scope:all\"","commit_id":"3883216a160cbe2a4532d3d491cfbdb08f6eb5b8"}]}
