)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"cf479068db606ded2c07e4d3c210c341a128b450","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"fde0429d_2937c762","updated":"2021-10-15 15:46:39.000000000","message":"Hi! I\u0027ve changed the default baremetal:allocation:create to be more restrictive and added an additional test. Notably some of the ACL tests started failing - but I think properly so, since negative tests that were returning 400s now return 403s. Let me know if I\u0027m misunderstanding this though!","commit_id":"b41e14ed2bbe75efee52f6ddf70caa494b2405e0"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"c34bef456b5d95e81bb8e0174df346ac00304ff1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"651701b9_fdba70ad","updated":"2021-10-19 03:09:48.000000000","message":"recheck","commit_id":"b41e14ed2bbe75efee52f6ddf70caa494b2405e0"},{"author":{"_account_id":7386,"name":"Tzu-Mainn Chen","email":"tzumainn@redhat.com","username":"tzumainn"},"change_message_id":"bddf588068c666ca218e953852ef751a0f385700","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"a893058f_ea976a37","updated":"2021-10-25 19:16:21.000000000","message":"Thanks for the clarifications! I\u0027ve reduced the patch to fix issues specifically for the non-secure RBAC case. I\u0027ve added a test that fails pre-code changes and passes post.\n\nI also removed a test case that I can\u0027t quite wrap my head around; I\u0027m not sure why it\u0027s supposed to fail. I might be missing something there... ?","commit_id":"2e7f54d4afdb0c087612d2f8c76e32e4e95fc818"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e6f498cccd30eb2d1328548983b3324cec97076b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"ab462efd_9bbf5bcb","updated":"2021-12-06 17:18:08.000000000","message":"I think this works","commit_id":"42b03703af02277e63c6f62378b27258ed240191"}],"ironic/api/controllers/v1/allocation.py":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1939f99c1def4ec3fc7ba5b8e4f4108743d5889d","unresolved":true,"context_lines":[{"line_number":323,"context_line":"        except exception.HTTPForbidden:"},{"line_number":324,"context_line":"            cdict \u003d api.request.context.to_policy_values()"},{"line_number":325,"context_line":"            project \u003d cdict.get(\u0027project_id\u0027)"},{"line_number":326,"context_line":"            if project and project !\u003d allocation.get(\u0027owner\u0027):"},{"line_number":327,"context_line":"                raise"},{"line_number":328,"context_line":"            if project and not CONF.oslo_policy.enforce_new_defaults:"},{"line_number":329,"context_line":"                api_utils.check_policy(\u0027baremetal:allocation:create_pre_rbac\u0027)"}],"source_content_type":"text/x-python","patch_set":2,"id":"7b284940_233611d7","side":"PARENT","line":326,"updated":"2021-10-25 16:34:08.000000000","message":"so... \n\nIf the requestor has a project id. i.e. *any* project scoped request and that project does not equal the requested optional owner of the allocation.","commit_id":"b33783281b14d2c371c4d32d20077489aad2dd78"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1939f99c1def4ec3fc7ba5b8e4f4108743d5889d","unresolved":true,"context_lines":[{"line_number":324,"context_line":"            cdict \u003d api.request.context.to_policy_values()"},{"line_number":325,"context_line":"            project \u003d cdict.get(\u0027project_id\u0027)"},{"line_number":326,"context_line":"            if project and project !\u003d allocation.get(\u0027owner\u0027):"},{"line_number":327,"context_line":"                raise"},{"line_number":328,"context_line":"            if project and not CONF.oslo_policy.enforce_new_defaults:"},{"line_number":329,"context_line":"                api_utils.check_policy(\u0027baremetal:allocation:create_pre_rbac\u0027)"},{"line_number":330,"context_line":"            api_utils.check_policy(\u0027baremetal:allocation:create_restricted\u0027)"}],"source_content_type":"text/x-python","patch_set":2,"id":"1fe55f12_680d044e","side":"PARENT","line":327,"updated":"2021-10-25 16:34:08.000000000","message":"Then raise the not authorized error.","commit_id":"b33783281b14d2c371c4d32d20077489aad2dd78"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1939f99c1def4ec3fc7ba5b8e4f4108743d5889d","unresolved":true,"context_lines":[{"line_number":357,"context_line":"        # just modifying/assembling the allocation. Given that, it seems"},{"line_number":358,"context_line":"        # not great to try for a full method rewrite at the same time as"},{"line_number":359,"context_line":"        # RBAC work, so the complexity limit is being raised. :("},{"line_number":360,"context_line":"        if (CONF.oslo_policy.enforce_new_defaults"},{"line_number":361,"context_line":"                and cdict.get(\u0027system_scope\u0027) !\u003d \u0027all\u0027):"},{"line_number":362,"context_line":"            # if not a system scope originated request, we need to check/apply"},{"line_number":363,"context_line":"            # an owner - But we can only do this with when new defaults are"},{"line_number":364,"context_line":"            # enabled."}],"source_content_type":"text/x-python","patch_set":2,"id":"f680b90a_3c4325d7","side":"PARENT","line":361,"range":{"start_line":360,"start_character":0,"end_line":361,"end_character":56},"updated":"2021-10-25 16:34:08.000000000","message":"we\u0027re locked into the new defaults \\o/, and the request is explicitly project scoped.","commit_id":"b33783281b14d2c371c4d32d20077489aad2dd78"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1939f99c1def4ec3fc7ba5b8e4f4108743d5889d","unresolved":true,"context_lines":[{"line_number":364,"context_line":"            # enabled."},{"line_number":365,"context_line":"            project_id \u003d cdict.get(\u0027project_id\u0027)"},{"line_number":366,"context_line":"            req_alloc_owner \u003d allocation.get(\u0027owner\u0027)"},{"line_number":367,"context_line":"            if req_alloc_owner:"},{"line_number":368,"context_line":"                if not api_utils.check_policy_true("},{"line_number":369,"context_line":"                        \u0027baremetal:allocation:create_restricted\u0027):"},{"line_number":370,"context_line":"                    if req_alloc_owner !\u003d project_id:"}],"source_content_type":"text/x-python","patch_set":2,"id":"eef83ff7_076de5df","side":"PARENT","line":367,"range":{"start_line":367,"start_character":0,"end_line":367,"end_character":31},"updated":"2021-10-25 16:34:08.000000000","message":"The requester has defined an explicit owner on the request.... or the policy check said access was granted and added an owner.","commit_id":"b33783281b14d2c371c4d32d20077489aad2dd78"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1939f99c1def4ec3fc7ba5b8e4f4108743d5889d","unresolved":true,"context_lines":[{"line_number":365,"context_line":"            project_id \u003d cdict.get(\u0027project_id\u0027)"},{"line_number":366,"context_line":"            req_alloc_owner \u003d allocation.get(\u0027owner\u0027)"},{"line_number":367,"context_line":"            if req_alloc_owner:"},{"line_number":368,"context_line":"                if not api_utils.check_policy_true("},{"line_number":369,"context_line":"                        \u0027baremetal:allocation:create_restricted\u0027):"},{"line_number":370,"context_line":"                    if req_alloc_owner !\u003d project_id:"},{"line_number":371,"context_line":"                        msg \u003d _(\"Cannot create allocation with an owner \""},{"line_number":372,"context_line":"                                \"Project ID value %(req_owner)s not matching \""}],"source_content_type":"text/x-python","patch_set":2,"id":"387ca969_7e6427dd","side":"PARENT","line":369,"range":{"start_line":368,"start_character":0,"end_line":369,"end_character":66},"updated":"2021-10-25 16:34:08.000000000","message":"If they are not allowed to create a specific overriding owner on the allocation....","commit_id":"b33783281b14d2c371c4d32d20077489aad2dd78"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1939f99c1def4ec3fc7ba5b8e4f4108743d5889d","unresolved":true,"context_lines":[{"line_number":367,"context_line":"            if req_alloc_owner:"},{"line_number":368,"context_line":"                if not api_utils.check_policy_true("},{"line_number":369,"context_line":"                        \u0027baremetal:allocation:create_restricted\u0027):"},{"line_number":370,"context_line":"                    if req_alloc_owner !\u003d project_id:"},{"line_number":371,"context_line":"                        msg \u003d _(\"Cannot create allocation with an owner \""},{"line_number":372,"context_line":"                                \"Project ID value %(req_owner)s not matching \""},{"line_number":373,"context_line":"                                \"the requestor Project ID %(project)s. \""},{"line_number":374,"context_line":"                                \"Policy baremetal:allocation:create_restricted\""},{"line_number":375,"context_line":"                                \" is required for this capability.\""},{"line_number":376,"context_line":"                                ) % {\u0027req_owner\u0027: req_alloc_owner,"},{"line_number":377,"context_line":"                                     \u0027project\u0027: project_id}"},{"line_number":378,"context_line":"                        raise exception.NotAuthorized(msg)"},{"line_number":379,"context_line":"                # NOTE(TheJulia): IF not restricted, i.e. else above,"},{"line_number":380,"context_line":"                # their supplied allocation owner is okay, they are allowed"}],"source_content_type":"text/x-python","patch_set":2,"id":"0c1b618f_b7852b0d","side":"PARENT","line":377,"range":{"start_line":370,"start_character":19,"end_line":377,"end_character":59},"updated":"2021-10-25 16:34:08.000000000","message":"if they don\u0027t match, kaboom. Error out.\n\nIn this case, the user was *otherwise authorized* to create an allocation, and we\u0027re erroring here because they simply were not in the group allowed to define whatever they wanted.","commit_id":"b33783281b14d2c371c4d32d20077489aad2dd78"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1939f99c1def4ec3fc7ba5b8e4f4108743d5889d","unresolved":true,"context_lines":[{"line_number":306,"context_line":"        try:"},{"line_number":307,"context_line":"            # PRE-RBAC this rule was logically restricted, it is more-unlocked"},{"line_number":308,"context_line":"            # post RBAC, but we need to ensure it is not abused."},{"line_number":309,"context_line":"            api_utils.check_policy(\u0027baremetal:allocation:create\u0027)"},{"line_number":310,"context_line":"            self._check_allowed_allocation_fields(allocation)"},{"line_number":311,"context_line":"            if (not CONF.oslo_policy.enforce_new_defaults"},{"line_number":312,"context_line":"                    and not allocation.get(\u0027owner\u0027)):"}],"source_content_type":"text/x-python","patch_set":2,"id":"85ec48a5_51e10f61","line":309,"updated":"2021-10-25 16:34:08.000000000","message":"Why is this failing? Do we know?\n\nIs the issue here that they are not definign an owner and this is failing? I *guess* if there is no allocation.owner being provided, then this would never be permitted unless the requestor was a system scoped user.","commit_id":"b41e14ed2bbe75efee52f6ddf70caa494b2405e0"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1939f99c1def4ec3fc7ba5b8e4f4108743d5889d","unresolved":true,"context_lines":[{"line_number":313,"context_line":"                # Even if permitted, we need to go ahead and check if this is"},{"line_number":314,"context_line":"                # restricted for now until scoped interaction is the default"},{"line_number":315,"context_line":"                # interaction."},{"line_number":316,"context_line":"                api_utils.check_policy(\u0027baremetal:allocation:create_pre_rbac\u0027)"},{"line_number":317,"context_line":"                # TODO(TheJulia): This can be removed later once we"},{"line_number":318,"context_line":"                # move entirely to scope based checking. This requires"},{"line_number":319,"context_line":"                # that if the scope enforcement is not enabled, that"}],"source_content_type":"text/x-python","patch_set":2,"id":"fd2620dc_69b4457f","line":316,"updated":"2021-10-25 16:34:08.000000000","message":"Or is this failing? The whole purpose here is the overall unlock of the feature from the previous policy.","commit_id":"b41e14ed2bbe75efee52f6ddf70caa494b2405e0"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1939f99c1def4ec3fc7ba5b8e4f4108743d5889d","unresolved":true,"context_lines":[{"line_number":323,"context_line":"        except exception.HTTPForbidden:"},{"line_number":324,"context_line":"            cdict \u003d api.request.context.to_policy_values()"},{"line_number":325,"context_line":"            project \u003d cdict.get(\u0027project_id\u0027)"},{"line_number":326,"context_line":"            if allocation.get(\u0027owner\u0027) and project !\u003d allocation.get(\u0027owner\u0027):"},{"line_number":327,"context_line":"                msg \u003d _(\"Cannot create allocation with an owner \""},{"line_number":328,"context_line":"                        \"Project ID value %(req_owner)s not matching \""},{"line_number":329,"context_line":"                        \"the requestor Project ID %(project)s. \""}],"source_content_type":"text/x-python","patch_set":2,"id":"7554e1a6_694f5cad","line":326,"range":{"start_line":326,"start_character":6,"end_line":326,"end_character":78},"updated":"2021-10-25 16:34:08.000000000","message":"A system scoped operator is *always* going to fall into this as project will be None. This check makes no sense for system scoped requests, which is why it was formatted the way it was originally.\n\nif project and allocation.get(\u0027owner\u0027) and project !\u003d allocation.get(\u0027owner\u0027) (since, I seem to remember owner was optional.....)","commit_id":"b41e14ed2bbe75efee52f6ddf70caa494b2405e0"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1939f99c1def4ec3fc7ba5b8e4f4108743d5889d","unresolved":true,"context_lines":[{"line_number":324,"context_line":"            cdict \u003d api.request.context.to_policy_values()"},{"line_number":325,"context_line":"            project \u003d cdict.get(\u0027project_id\u0027)"},{"line_number":326,"context_line":"            if allocation.get(\u0027owner\u0027) and project !\u003d allocation.get(\u0027owner\u0027):"},{"line_number":327,"context_line":"                msg \u003d _(\"Cannot create allocation with an owner \""},{"line_number":328,"context_line":"                        \"Project ID value %(req_owner)s not matching \""},{"line_number":329,"context_line":"                        \"the requestor Project ID %(project)s. \""},{"line_number":330,"context_line":"                        \"Policy baremetal:allocation:create_restricted\""},{"line_number":331,"context_line":"                        \" is required for this capability.\""},{"line_number":332,"context_line":"                        ) % {\u0027req_owner\u0027: allocation.get(\u0027owner\u0027),"},{"line_number":333,"context_line":"                             \u0027project\u0027: project}"},{"line_number":334,"context_line":"                raise exception.NotAuthorized(msg)"},{"line_number":335,"context_line":"            if project and not CONF.oslo_policy.enforce_new_defaults:"}],"source_content_type":"text/x-python","patch_set":2,"id":"6cb9dfd8_0221d43f","line":332,"range":{"start_line":327,"start_character":2,"end_line":332,"end_character":66},"updated":"2021-10-25 16:34:08.000000000","message":"I am semi-concerned by a verbose error message because if the first check failed, then they simply have no access to the API, and we\u0027re changing the response based upon potential payload data which may be present.\n\nI guess we just don\u0027t know *which* check failed here.","commit_id":"b41e14ed2bbe75efee52f6ddf70caa494b2405e0"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1939f99c1def4ec3fc7ba5b8e4f4108743d5889d","unresolved":true,"context_lines":[{"line_number":333,"context_line":"                             \u0027project\u0027: project}"},{"line_number":334,"context_line":"                raise exception.NotAuthorized(msg)"},{"line_number":335,"context_line":"            if project and not CONF.oslo_policy.enforce_new_defaults:"},{"line_number":336,"context_line":"                api_utils.check_policy(\u0027baremetal:allocation:create_pre_rbac\u0027)"},{"line_number":337,"context_line":"            api_utils.check_policy(\u0027baremetal:allocation:create_restricted\u0027)"},{"line_number":338,"context_line":"            self._check_allowed_allocation_fields(allocation)"},{"line_number":339,"context_line":"            allocation[\u0027owner\u0027] \u003d project"}],"source_content_type":"text/x-python","patch_set":2,"id":"8eedaba1_6bfc3156","line":336,"range":{"start_line":336,"start_character":16,"end_line":336,"end_character":78},"updated":"2021-10-25 16:34:08.000000000","message":"So we fall back to here, in this case since everything *was* project scoped in the before times, and run it against the prior policy.","commit_id":"b41e14ed2bbe75efee52f6ddf70caa494b2405e0"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1939f99c1def4ec3fc7ba5b8e4f4108743d5889d","unresolved":true,"context_lines":[{"line_number":334,"context_line":"                raise exception.NotAuthorized(msg)"},{"line_number":335,"context_line":"            if project and not CONF.oslo_policy.enforce_new_defaults:"},{"line_number":336,"context_line":"                api_utils.check_policy(\u0027baremetal:allocation:create_pre_rbac\u0027)"},{"line_number":337,"context_line":"            api_utils.check_policy(\u0027baremetal:allocation:create_restricted\u0027)"},{"line_number":338,"context_line":"            self._check_allowed_allocation_fields(allocation)"},{"line_number":339,"context_line":"            allocation[\u0027owner\u0027] \u003d project"},{"line_number":340,"context_line":"        return allocation"}],"source_content_type":"text/x-python","patch_set":2,"id":"0bae60d3_d0e96c98","line":337,"range":{"start_line":337,"start_character":0,"end_line":337,"end_character":76},"updated":"2021-10-25 16:34:08.000000000","message":"Still attempt to ensure access is restricted since the deployment is not purely on a new model.","commit_id":"b41e14ed2bbe75efee52f6ddf70caa494b2405e0"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1939f99c1def4ec3fc7ba5b8e4f4108743d5889d","unresolved":true,"context_lines":[{"line_number":387,"context_line":"                # their supplied allocation owner is okay, they are allowed"},{"line_number":388,"context_line":"                # to provide an override by policy."},{"line_number":389,"context_line":"            else:"},{"line_number":390,"context_line":"                # An allocation owner was not supplied, we need to save one."},{"line_number":391,"context_line":"                allocation[\u0027owner\u0027] \u003d project_id"},{"line_number":392,"context_line":"        node \u003d None"},{"line_number":393,"context_line":"        if allocation.get(\u0027node\u0027):"},{"line_number":394,"context_line":"            if api_utils.allow_allocation_backfill():"}],"source_content_type":"text/x-python","patch_set":2,"id":"a2baed3c_da419486","line":391,"range":{"start_line":390,"start_character":0,"end_line":391,"end_character":48},"updated":"2021-10-25 16:34:08.000000000","message":"an \"if all else fails\" save the owner.","commit_id":"b41e14ed2bbe75efee52f6ddf70caa494b2405e0"}],"ironic/common/policy.py":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"bba7d94f226b6a9201438094a0876eea13b881f4","unresolved":true,"context_lines":[{"line_number":133,"context_line":")"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"ALLOCATION_CREATOR \u003d ("},{"line_number":136,"context_line":"    \u0027(\u0027 + SYSTEM_MEMBER + \u0027) or (role:member)\u0027"},{"line_number":137,"context_line":")"},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"# Special purpose aliases for things like \"ability to access the API"}],"source_content_type":"text/x-python","patch_set":2,"id":"a9b7fbad_900601f5","side":"PARENT","line":136,"range":{"start_line":136,"start_character":32,"end_line":136,"end_character":46},"updated":"2021-10-25 16:51:31.000000000","message":"What this is basically saying is \"Any member, regardless of scope\", and maybe that is what is going on here?","commit_id":"b33783281b14d2c371c4d32d20077489aad2dd78"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"98c7f267eb727833e4f756f6433f202fe23b9058","unresolved":true,"context_lines":[{"line_number":133,"context_line":")"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"ALLOCATION_CREATOR \u003d ("},{"line_number":136,"context_line":"    \u0027(\u0027 + SYSTEM_MEMBER + \u0027) or (\u0027 + SYSTEM_ADMIN + \u0027)\u0027"},{"line_number":137,"context_line":")"},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"# Special purpose aliases for things like \"ability to access the API"}],"source_content_type":"text/x-python","patch_set":2,"id":"33f628a8_c0b48d91","line":136,"range":{"start_line":136,"start_character":32,"end_line":136,"end_character":55},"updated":"2021-10-25 16:49:16.000000000","message":"SYSTEM_ADMIN has SYSTEM_MEMBER automatically.\n\nAll Admins have members, all members have readers.","commit_id":"b41e14ed2bbe75efee52f6ddf70caa494b2405e0"}]}
