)]}'
{"doc/source/admin/secure-rbac.rst":[{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"7e2233dee41963c9fe8bb89397df81c4e503877c","unresolved":true,"context_lines":[{"line_number":5,"context_line":"System Scoped"},{"line_number":6,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":".. todo: Need to be filled out in an earlier patch most likely."},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"Project Scoped"},{"line_number":11,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":11,"id":"4b8a79fe_49042550","line":8,"updated":"2021-02-26 16:38:00.000000000","message":"Those earlier patches have landed at this point... this might just need to be filled in for one of these later patches.","commit_id":"eb0b675f65e67ad6f7d9a542c505f60f714374ff"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"dea09115e6a2b9ce6c3ddd1dda945efaf19cd85f","unresolved":true,"context_lines":[{"line_number":5,"context_line":"System Scoped"},{"line_number":6,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":".. todo: Need to be filled out in an earlier patch most likely."},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"Project Scoped"},{"line_number":11,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":11,"id":"f3f5b840_2344b2ca","line":8,"in_reply_to":"4b8a79fe_49042550","updated":"2021-03-01 17:49:52.000000000","message":"Yeah, I meant to do it in one of the prior patches but never really got to it :)  I\u0027ll do a separate follow-up patch for it.","commit_id":"eb0b675f65e67ad6f7d9a542c505f60f714374ff"}],"ironic/api/controllers/v1/node.py":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c3168ee699dfd923917ad7245b0c9b9c4a3c3b18","unresolved":true,"context_lines":[{"line_number":1304,"context_line":"                            target_dict, cdict):"},{"line_number":1305,"context_line":"            # Guard the last error from being visible as it can contain"},{"line_number":1306,"context_line":"            # hostnames revealing infrastucture internal details."},{"line_number":1307,"context_line":"            node[\u0027last_error\u0027] \u003d None"},{"line_number":1308,"context_line":"        if not policy.check(\"baremetal:node:get:reservation\","},{"line_number":1309,"context_line":"                            target_dict, cdict):"},{"line_number":1310,"context_line":"            # Guard conductor names from being visible."}],"source_content_type":"text/x-python","patch_set":8,"id":"830311c3_3ad61624","line":1307,"updated":"2021-02-15 18:25:37.000000000","message":"\"** last_error redacted **\"","commit_id":"bf494c876e4d558d1e8f824e528a30ad2a4bd036"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c3168ee699dfd923917ad7245b0c9b9c4a3c3b18","unresolved":true,"context_lines":[{"line_number":1308,"context_line":"        if not policy.check(\"baremetal:node:get:reservation\","},{"line_number":1309,"context_line":"                            target_dict, cdict):"},{"line_number":1310,"context_line":"            # Guard conductor names from being visible."},{"line_number":1311,"context_line":"            node[\u0027reservation\u0027] \u003d None"},{"line_number":1312,"context_line":"        if not policy.check(\"baremetal:node:get:driver_internal_info\","},{"line_number":1313,"context_line":"                            target_dict, cdict):"},{"line_number":1314,"context_line":"            # Guard conductor names from being visible."}],"source_content_type":"text/x-python","patch_set":8,"id":"31d5ede3_38cba7a3","line":1311,"range":{"start_line":1311,"start_character":0,"end_line":1311,"end_character":38},"updated":"2021-02-15 18:25:37.000000000","message":"Suggestion \"** reservation value redacted **\"","commit_id":"bf494c876e4d558d1e8f824e528a30ad2a4bd036"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c3168ee699dfd923917ad7245b0c9b9c4a3c3b18","unresolved":true,"context_lines":[{"line_number":1316,"context_line":"        if not policy.check(\"baremetal:node:get:driver_info\","},{"line_number":1317,"context_line":"                            target_dict, cdict):"},{"line_number":1318,"context_line":"            # Guard infrastructure intenral details from being visible."},{"line_number":1319,"context_line":"            node[\u0027driver_info\u0027] \u003d {}"},{"line_number":1320,"context_line":""},{"line_number":1321,"context_line":"    if not show_driver_secrets and node.get(\u0027driver_info\u0027):"},{"line_number":1322,"context_line":"        node[\u0027driver_info\u0027] \u003d strutils.mask_dict_password("}],"source_content_type":"text/x-python","patch_set":8,"id":"0798f5be_c09291f8","line":1319,"updated":"2021-02-15 18:25:37.000000000","message":"Under discussion is possibly providing some insight into this field... possibly. TBD.","commit_id":"bf494c876e4d558d1e8f824e528a30ad2a4bd036"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"7e2233dee41963c9fe8bb89397df81c4e503877c","unresolved":true,"context_lines":[{"line_number":1359,"context_line":"        # NOTE(TheJulia): The net effect of this is that by default,"},{"line_number":1360,"context_line":"        # at least matching common/policy.py defaults. is these should"},{"line_number":1361,"context_line":"        # be stripped out."},{"line_number":1362,"context_line":"        if not policy.check(\"baremetal:node:get:last_error\","},{"line_number":1363,"context_line":"                            target_dict, cdict):"},{"line_number":1364,"context_line":"            # Guard the last error from being visible as it can contain"},{"line_number":1365,"context_line":"            # hostnames revealing infrastucture internal details."}],"source_content_type":"text/x-python","patch_set":11,"id":"88542bee_bbcb7a35","line":1362,"updated":"2021-02-26 16:38:00.000000000","message":"Have we performed performance testing on these kind of checks?","commit_id":"eb0b675f65e67ad6f7d9a542c505f60f714374ff"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ac2a9555745e7e3dd27b3ae462a5136053049713","unresolved":true,"context_lines":[{"line_number":1359,"context_line":"        # NOTE(TheJulia): The net effect of this is that by default,"},{"line_number":1360,"context_line":"        # at least matching common/policy.py defaults. is these should"},{"line_number":1361,"context_line":"        # be stripped out."},{"line_number":1362,"context_line":"        if not policy.check(\"baremetal:node:get:last_error\","},{"line_number":1363,"context_line":"                            target_dict, cdict):"},{"line_number":1364,"context_line":"            # Guard the last error from being visible as it can contain"},{"line_number":1365,"context_line":"            # hostnames revealing infrastucture internal details."}],"source_content_type":"text/x-python","patch_set":11,"id":"edf6a84e_f3f50f3d","line":1362,"in_reply_to":"88542bee_bbcb7a35","updated":"2021-03-01 14:27:15.000000000","message":"We\u0027ve not in ironic, but Neutron runs something like 400k policy checks to list 4000 node in ~40 seconds. The double db hit for looking up the node will be the major thing, but not for the node itself since we already get it.","commit_id":"eb0b675f65e67ad6f7d9a542c505f60f714374ff"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"dea09115e6a2b9ce6c3ddd1dda945efaf19cd85f","unresolved":true,"context_lines":[{"line_number":1359,"context_line":"        # NOTE(TheJulia): The net effect of this is that by default,"},{"line_number":1360,"context_line":"        # at least matching common/policy.py defaults. is these should"},{"line_number":1361,"context_line":"        # be stripped out."},{"line_number":1362,"context_line":"        if not policy.check(\"baremetal:node:get:last_error\","},{"line_number":1363,"context_line":"                            target_dict, cdict):"},{"line_number":1364,"context_line":"            # Guard the last error from being visible as it can contain"},{"line_number":1365,"context_line":"            # hostnames revealing infrastucture internal details."}],"source_content_type":"text/x-python","patch_set":11,"id":"fc377199_b8992562","line":1362,"in_reply_to":"edf6a84e_f3f50f3d","updated":"2021-03-01 17:49:52.000000000","message":"s/node/port.\n\nAlso, fwiw, we already have the node so know the owner/project and target data.","commit_id":"eb0b675f65e67ad6f7d9a542c505f60f714374ff"}],"ironic/api/controllers/v1/utils.py":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"82bf409d80b0ae95e772219f8d34afa81bb06d9f","unresolved":true,"context_lines":[{"line_number":1511,"context_line":"    except exception.NodeNotFound:"},{"line_number":1512,"context_line":"        # don\u0027t expose non-existence of node unless requester"},{"line_number":1513,"context_line":"        # has generic access to policy"},{"line_number":1514,"context_line":"        if CONF.api.prefer_notfound_when_node_exists:"},{"line_number":1515,"context_line":"            raise"},{"line_number":1516,"context_line":"        cdict \u003d api.request.context.to_policy_values()"},{"line_number":1517,"context_line":"        policy.authorize(policy_name, cdict, api.request.context)"}],"source_content_type":"text/x-python","patch_set":4,"id":"45bf5e3f_73d1ef56","line":1514,"updated":"2021-02-09 19:28:32.000000000","message":"So this linkage is a little concerning and confusing and without seeing the other side of it it is hard to make a sense of the connection, why.","commit_id":"c0bf0004200e265667019b7909d0dc603ab0b302"}],"ironic/common/policy.py":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"c3168ee699dfd923917ad7245b0c9b9c4a3c3b18","unresolved":true,"context_lines":[{"line_number":572,"context_line":""},{"line_number":573,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":574,"context_line":"        name\u003d\u0027baremetal:node:set_maintenance\u0027,"},{"line_number":575,"context_line":"        check_str\u003dSYSTEM_OR_OWNER_MEMBER_AND_LESSEE_ADMIN,"},{"line_number":576,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":577,"context_line":"        description\u003d\u0027Set maintenance flag, taking a Node out of service\u0027,"},{"line_number":578,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":8,"id":"9a7bdb7a_7fc4007a","line":575,"updated":"2021-02-15 18:25:37.000000000","message":"should this be owners only?","commit_id":"bf494c876e4d558d1e8f824e528a30ad2a4bd036"}],"ironic/conf/api.py":[{"author":{"_account_id":32592,"name":"Zachary Buhman","email":"zachary.buhman@verizonmedia.com"},"change_message_id":"4ada1a7c88af12d2859d696ee4a5ea0b27b838e9","unresolved":true,"context_lines":[{"line_number":71,"context_line":"                mutable\u003dTrue,"},{"line_number":72,"context_line":"                help\u003d_(\u0027Setting to allow an operator to determine if they \u0027"},{"line_number":73,"context_line":"                       \u0027want the ironic API to prefer responses to objects \u0027"},{"line_number":74,"context_line":"                       \u0027as not found when the API user cannot interact with \u0027"},{"line_number":75,"context_line":"                       \u0027them.\u0027)),"},{"line_number":76,"context_line":"]"},{"line_number":77,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"3befcb9b_49808dbd","line":74,"updated":"2021-02-09 20:21:19.000000000","message":"I think the terminology \"API user\" is a bit overly-broad, and the option name is confusing.\n\nAssuming this actually matches the implementation, I suggest ~\"notfound_requires_system_scoped_authorization\", default\u003dFalse.\n\nI think this is deserving of several paragraphs of operator-facing explanation. Improved text might be:\n\n\"\"\"\nWhen a resource does not exist, it is impossible to determine if a project-scoped request is has a relation to that non-existent of a resource.\n\nWhen this value is set to False, project-scoped requests will receive \"404\" responses for nonexistent resources. This is considered \"less secure\" behavior, in that it may leak non-existence information, but it is the currently the default for backwards-compatibility.\n\nWhen this value is set to True, project-scoped requests will receive \"403\" responses for nonexistent resources. This is considered \"more secure\", in that it is not possible to evaluate a project relation to a nonexistent resource in a project-scoped request.\n\nThis setting does not affect system-scoped requests--in either case, system-scoped requests are given nonexistence data when applicable.\n\"\"\"\n\n... as written I think my suggestion may be slightly wordy, but I think some text to that effect and level of explicitness is desirable.","commit_id":"c0bf0004200e265667019b7909d0dc603ab0b302"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"09fe44de4eea2b0a78bad5785a37de67b301b57b","unresolved":true,"context_lines":[{"line_number":71,"context_line":"                mutable\u003dTrue,"},{"line_number":72,"context_line":"                help\u003d_(\u0027Setting to allow an operator to determine if they \u0027"},{"line_number":73,"context_line":"                       \u0027want the ironic API to prefer responses to objects \u0027"},{"line_number":74,"context_line":"                       \u0027as not found when the API user cannot interact with \u0027"},{"line_number":75,"context_line":"                       \u0027them.\u0027)),"},{"line_number":76,"context_line":"]"},{"line_number":77,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"43a50e44_9d4e1383","line":74,"in_reply_to":"3befcb9b_49808dbd","updated":"2021-02-09 23:57:00.000000000","message":"So I looked at the code and in the process of putting a ton of in-line comments through it a little more and the proposed name doesn\u0027t exactly match. It is kind of the inverse and more along the lines of \"please default to 404 instead of 403 if there is not access to a node.\"\n\nIn essence, system scoped users would always have access to see the node doesn\u0027t exist. It would or would not be in a list, where as project scoped users would see an empty list as we can\u0027t determine access without a node.\n\nMaybe this could be in concert with new default enforcement, I don\u0027t know. Anyway, next rev should have more commenting so you can see what is going on and the through process there.","commit_id":"c0bf0004200e265667019b7909d0dc603ab0b302"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e90d3b01e8b5a2f72e80a71fe3cb28128520720c","unresolved":true,"context_lines":[{"line_number":67,"context_line":"               mutable\u003dTrue,"},{"line_number":68,"context_line":"               help\u003d_(\u0027Maximum interval (in seconds) for agent heartbeats.\u0027)),"},{"line_number":69,"context_line":"    cfg.BoolOpt(\u0027prefer_notfound_when_node_exists\u0027,"},{"line_number":70,"context_line":"                default\u003dFalse,"},{"line_number":71,"context_line":"                mutable\u003dTrue,"},{"line_number":72,"context_line":"                help\u003d_(\u0027Sets the default behavior if the API should respond \u0027"},{"line_number":73,"context_line":"                       \u0027to authenticated, but unauthorized rquests with an \u0027"}],"source_content_type":"text/x-python","patch_set":8,"id":"737259ba_0c8cd208","line":70,"updated":"2021-02-17 22:15:35.000000000","message":"Discussed this with JayF and stevebaker. The consensus is that we should not make this configurable. The item just doesn\u0027t exist in the user\u0027s perception of the universe, so we\u0027ll want to update tests accordingly as we move the policy work forward.","commit_id":"bf494c876e4d558d1e8f824e528a30ad2a4bd036"}]}
