)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"d9d6b0db773dadada9c01f57f3a22466d218a835","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"bb08c4c0_cea0b461","updated":"2024-01-05 20:38:21.000000000","message":"recheck need updated logs","commit_id":"a76c2a05df0a0f6d349738e010155f28c9f8ce40"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"87edd113373e986ec7d9178aaa8ab4e2efde57d2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"03598aca_e33af635","updated":"2024-01-09 14:35:25.000000000","message":"We need to change at least one job so it explicitly is not enforcing the new policy, until we drop it.\n\nWe know it works now, so changing ironic-tempest-ramdisk-bios-snmp-pxe seems like the best job to change as it is","commit_id":"2e597340e6b4e197a743d6c648d4590a3defd3dc"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"4bd185b36acafb05ab42066da01684ffe62f9a3c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"fe9ba1d2_a5f81dd0","updated":"2024-01-11 22:45:10.000000000","message":"recheck","commit_id":"0d3631fbf1c96bc40181b001e0ee657b1f6e14ff"},{"author":{"_account_id":15519,"name":"Iury Gregory Melo Ferreira","display_name":"Iury Gregory","email":"iurygregory@gmail.com","username":"iurygregory"},"change_message_id":"143f57b29aaccb98fa5a4646ab0508c0e574481a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"bf2b6273_1207f8a5","updated":"2024-01-23 18:30:52.000000000","message":"recheck CI is green now","commit_id":"4359323558403b2e9b02ae3d20aea96ce56f5639"}],"releasenotes/notes/change-default-rbac-policy-f2f154043910f26a.yaml":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"6d6e50ae00f9cbfa6a0f01ccfa77dbd405de08b5","unresolved":false,"context_lines":[{"line_number":40,"context_line":"    .. _`Secure Role Based Access Control`: https://specs.openstack.org/openstack/ironic-specs/specs/17.0/secure-rbac.html"},{"line_number":41,"context_line":"    .. _`Ironic API Policy`: https://docs.openstack.org/ironic/latest/configuration/sample-policy.html"},{"line_number":42,"context_line":"    .. _`Consistent and Secure RBAC`: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html"},{"line_number":43,"context_line":"    .. _`2024.1-Release Timeline`: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#id3"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"befb9fdc_d145c049","line":43,"range":{"start_line":43,"start_character":9,"end_line":43,"end_character":32},"updated":"2024-01-09 19:44:39.000000000","message":"we should note this in the last paragraph.","commit_id":"2e597340e6b4e197a743d6c648d4590a3defd3dc"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"7a163cc90dba79a8f161b90b43ea3847c5944aea","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"upgrade:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    The Ironic service API Role Based Access Control policy has been updated"},{"line_number":5,"context_line":"    to disable the legacy RBAC policy by default. The effect of this is that"},{"line_number":6,"context_line":"    deprecated legacy roles of ``baremetal_admin`` and ``baremetal_observer``"},{"line_number":7,"context_line":"    are no longer functional by default, and policy checks may prevent actions"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"7470ff55_6e79eed3","line":4,"updated":"2024-01-19 21:21:51.000000000","message":"It seems like it may be valuable to add here -- or elsewhere -- some kind of caveat about how running mixed installations (some services configured with enforce_scope\u003dTrue and enforce_scope\u003dFalse) may lead to strange behaviors and interactions.\n\nWe call out specifically Nova, but what about our interactions with Cinder? Neutron? Swift? Are those going to be impacted if they are configured inconsistently?","commit_id":"205d8781bfea6a8a43b8a9a5301b072bb22a5533"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"9232eff5bf4819ecb68f5c095a6f0d3eb91bc2d4","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"upgrade:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    The Ironic service API Role Based Access Control policy has been updated"},{"line_number":5,"context_line":"    to disable the legacy RBAC policy by default. The effect of this is that"},{"line_number":6,"context_line":"    deprecated legacy roles of ``baremetal_admin`` and ``baremetal_observer``"},{"line_number":7,"context_line":"    are no longer functional by default, and policy checks may prevent actions"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"c28cde37_fa7688de","line":4,"in_reply_to":"7470ff55_6e79eed3","updated":"2024-01-22 10:09:00.000000000","message":"+1 (can be done in a follow-up)","commit_id":"205d8781bfea6a8a43b8a9a5301b072bb22a5533"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"5a99edf8ba0772109306a6cae781c33fb59734c9","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"upgrade:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    The Ironic service API Role Based Access Control policy has been updated"},{"line_number":5,"context_line":"    to disable the legacy RBAC policy by default. The effect of this is that"},{"line_number":6,"context_line":"    deprecated legacy roles of ``baremetal_admin`` and ``baremetal_observer``"},{"line_number":7,"context_line":"    are no longer functional by default, and policy checks may prevent actions"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"b92173a1_48ca136c","line":4,"in_reply_to":"c28cde37_fa7688de","updated":"2024-01-22 18:36:04.000000000","message":"Well, enforce_scope doesn\u0027t matter as much as it has been yanked out other service\u0027s policies AFAIK. And really, mixed state is not a huge issue. As long as the account and state configuration is appropriate, and that is all cloud operator supplied through config.\n\nOur change doesn\u0027t change the behavior of Cinder, Neutron, Swift. Those are remote APIs we communicate with utilizing the credentials the operator/user supplies into our config, and thus our API surface policy is not involved. Heat, *can* be invoked to communicate with Ironic via the service catalog, which will use the end user\u0027s context for making the request, which means baremetal_admin most likely if they are not using the newer policy.... OR they were running with custom policy.","commit_id":"205d8781bfea6a8a43b8a9a5301b072bb22a5533"}],"zuul.d/ironic-jobs.yaml":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"03b78cc982c7c719a7281ff8a99c5fdb05bdf071","unresolved":true,"context_lines":[{"line_number":976,"context_line":"          CIRROS_VERSION: 0.6.1"},{"line_number":977,"context_line":"          # Required as different access rights are used by default"},{"line_number":978,"context_line":"          # and the classic devstack config which is defaulted doesn\u0027t work."},{"line_number":979,"context_line":"          IRONIC_ENFORCE_SCOPE: True"},{"line_number":980,"context_line":"        old:"},{"line_number":981,"context_line":"          IRONIC_VM_LOG_DIR: \u0027{{ devstack_bases.old }}/ironic-bm-logs\u0027"},{"line_number":982,"context_line":"      grenade_localrc:"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"9708c084_81b57367","line":979,"updated":"2024-01-09 01:10:59.000000000","message":"This is sort of like not reading your own docs and failing to update devstack...","commit_id":"2e597340e6b4e197a743d6c648d4590a3defd3dc"}]}