)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"f67e7ec67177bebcabd5c670e7d31aff186ae1ff","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"56e093e6_40ed6831","updated":"2024-01-31 01:50:43.000000000","message":"Looks good to me, just minor doc and comment changes","commit_id":"38192840160666ce4920e8b52ebcc8ca1f80c27d"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"1a322a79f559b74200b77a3188f03d33d763b11d","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":4,"id":"a580c8b8_04f0df61","updated":"2024-01-31 20:29:40.000000000","message":"I\u0027m confused; I thought the some of value of adding the extra boolean config was being able to default this off while still having a reasonable default for service project name?","commit_id":"4d2bc051315fd2e83f5a9f6f5a7a40c41bf459c1"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"5b0fb91886813a271cd580beb142efbd26262f09","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"34debc52_15795295","in_reply_to":"a580c8b8_04f0df61","updated":"2024-02-06 14:25:10.000000000","message":"Done","commit_id":"4d2bc051315fd2e83f5a9f6f5a7a40c41bf459c1"}],"ironic/common/policy.py":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"86efd9ed30ec2a68ac57fdf3b9187ae9c26d73a6","unresolved":true,"context_lines":[{"line_number":54,"context_line":"# system administrator to system members"},{"line_number":55,"context_line":"# NOTE(TheJulia): This is done *very* early, and not mutable settings"},{"line_number":56,"context_line":"# because this gets handled as how control logic gets applied with policies."},{"line_number":57,"context_line":"if (CONF.rbac_project_service_role_access_elevated"},{"line_number":58,"context_line":"    and CONF.rbac_service_project_name):"},{"line_number":59,"context_line":"    # If Ironic is configured for elevated service role access where openstack"},{"line_number":60,"context_line":"    # services inherently grant elevated access to a \u0027service\u0027 role under"},{"line_number":61,"context_line":"    # revised rbac modeling instead of using system scope."}],"source_content_type":"text/x-python","patch_set":1,"id":"670f95c4_0378fab8","line":58,"range":{"start_line":57,"start_character":0,"end_line":58,"end_character":40},"updated":"2024-01-30 14:45:03.000000000","message":"This won\u0027t work at all with the way wsgi app loads work, since we don\u0027t load configuration until it \"initializes\" which is after importing everything for runtime.","commit_id":"65e3a43bf543818ae1959b09a8556cd182b67b71"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"562bd731b550a1baddac139ea9e3e20fabf59d3c","unresolved":false,"context_lines":[{"line_number":54,"context_line":"# system administrator to system members"},{"line_number":55,"context_line":"# NOTE(TheJulia): This is done *very* early, and not mutable settings"},{"line_number":56,"context_line":"# because this gets handled as how control logic gets applied with policies."},{"line_number":57,"context_line":"if (CONF.rbac_project_service_role_access_elevated"},{"line_number":58,"context_line":"    and CONF.rbac_service_project_name):"},{"line_number":59,"context_line":"    # If Ironic is configured for elevated service role access where openstack"},{"line_number":60,"context_line":"    # services inherently grant elevated access to a \u0027service\u0027 role under"},{"line_number":61,"context_line":"    # revised rbac modeling instead of using system scope."}],"source_content_type":"text/x-python","patch_set":1,"id":"84a01422_824fed79","line":58,"range":{"start_line":57,"start_character":0,"end_line":58,"end_character":40},"in_reply_to":"670f95c4_0378fab8","updated":"2024-02-05 15:37:21.000000000","message":"Done","commit_id":"65e3a43bf543818ae1959b09a8556cd182b67b71"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a05573688873817978a8c699de3f62255193a502","unresolved":false,"context_lines":[{"line_number":105,"context_line":"# administrator should be able to delete any baremetal host in the deployment,"},{"line_number":106,"context_line":"# a project member should only be able to delete hosts in their project)."},{"line_number":107,"context_line":"SYSTEM_OR_PROJECT_MEMBER \u003d ("},{"line_number":108,"context_line":"    \u0027(\u0027 + SYSTEM_MEMBER + \u0027) or (\u0027 + PROJECT_MEMBER + \u0027) or (\u0027 + SYSTEM_SERVICE + \u0027)\u0027  # noqa"},{"line_number":109,"context_line":")"},{"line_number":110,"context_line":"SYSTEM_OR_PROJECT_READER \u003d ("},{"line_number":111,"context_line":"    \u0027(\u0027 + SYSTEM_READER + \u0027) or (\u0027 + PROJECT_READER + \u0027) or (\u0027 + PROJECT_SERVICE + \u0027)\u0027  # noqa"}],"source_content_type":"text/x-python","patch_set":2,"id":"93822c58_2e93f654","line":108,"updated":"2024-01-31 01:02:53.000000000","message":"This was an oversight originally, some of the added tests related to this.","commit_id":"4e2c192a281ffc53eae6ed8e2fb399f752049e59"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a05573688873817978a8c699de3f62255193a502","unresolved":false,"context_lines":[{"line_number":221,"context_line":"    # service role check. The config.service_project_name is a reserved"},{"line_number":222,"context_line":"    # target check field which is loaded from configuration."},{"line_number":223,"context_line":"    policy.RuleDefault(\u0027service_role\u0027,"},{"line_number":224,"context_line":"                       \u0027role:service and project_name:%(config.service_project_name)s\u0027,  # noqa"},{"line_number":225,"context_line":"                       # \u0027role:service and project_name:service\u0027,"},{"line_number":226,"context_line":"                       description\u003d\u0027Rule to match service role usage with a service project, delineated as a separate rule to enable customization.\u0027),  # noqa"},{"line_number":227,"context_line":"    # Roles likely to be overridden by operator"}],"source_content_type":"text/x-python","patch_set":2,"id":"23bda808_35365443","line":224,"updated":"2024-01-31 01:02:53.000000000","message":"Just as a note to highlight now, no project in openstack makes this configurable. Every project just assumes if a user has a service role, that an admin gave it to them and they should have full access.\n\nJulia has a soap box for this, but she is fairly sure nobody wants her to stand on it and explain why that is not a great idea.\n\nFurthermore, an operator *can* just override this rule with custom policy.","commit_id":"4e2c192a281ffc53eae6ed8e2fb399f752049e59"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"f67e7ec67177bebcabd5c670e7d31aff186ae1ff","unresolved":true,"context_lines":[{"line_number":52,"context_line":"# check string, typically isn\u0027t used by default, but it\u0027s existence it useful"},{"line_number":53,"context_line":"# in the event a deployment wants to offload some administrative action from"},{"line_number":54,"context_line":"# system administrator to system members."},{"line_number":55,"context_line":"# The rule:service_role match here is to enable elevated an elevated level"},{"line_number":56,"context_line":"# of API access for a specialized service role and users with appropriate"},{"line_number":57,"context_line":"# service role access."},{"line_number":58,"context_line":"SYSTEM_MEMBER \u003d \u0027(role:member and system_scope:all) or rule:service_role\u0027  # noqa"}],"source_content_type":"text/x-python","patch_set":3,"id":"3d76ffe5_79fd78e9","line":55,"range":{"start_line":55,"start_character":48,"end_line":55,"end_character":56},"updated":"2024-01-31 01:50:43.000000000","message":"duplicate \"elevated\"","commit_id":"38192840160666ce4920e8b52ebcc8ca1f80c27d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"562bd731b550a1baddac139ea9e3e20fabf59d3c","unresolved":false,"context_lines":[{"line_number":52,"context_line":"# check string, typically isn\u0027t used by default, but it\u0027s existence it useful"},{"line_number":53,"context_line":"# in the event a deployment wants to offload some administrative action from"},{"line_number":54,"context_line":"# system administrator to system members."},{"line_number":55,"context_line":"# The rule:service_role match here is to enable elevated an elevated level"},{"line_number":56,"context_line":"# of API access for a specialized service role and users with appropriate"},{"line_number":57,"context_line":"# service role access."},{"line_number":58,"context_line":"SYSTEM_MEMBER \u003d \u0027(role:member and system_scope:all) or rule:service_role\u0027  # noqa"}],"source_content_type":"text/x-python","patch_set":3,"id":"65b3713b_0e4213ec","line":55,"range":{"start_line":55,"start_character":48,"end_line":55,"end_character":56},"in_reply_to":"3d76ffe5_79fd78e9","updated":"2024-02-05 15:37:21.000000000","message":"Done","commit_id":"38192840160666ce4920e8b52ebcc8ca1f80c27d"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"f67e7ec67177bebcabd5c670e7d31aff186ae1ff","unresolved":true,"context_lines":[{"line_number":62,"context_line":"# for auditing or even support. These uses are also able to view"},{"line_number":63,"context_line":"# project-specific resources where applicable (e.g., listing all"},{"line_number":64,"context_line":"# volumes in the deployment, regardless of the project they belong to)."},{"line_number":65,"context_line":"# The rule:service_role match here is to enable elevated an elevated level"},{"line_number":66,"context_line":"# of API access for a specialized service role and users with appropriate"},{"line_number":67,"context_line":"# role access, specifically because \u0027service\" role is outside of the RBAC"},{"line_number":68,"context_line":"# model defaults and does not imply reader access."}],"source_content_type":"text/x-python","patch_set":3,"id":"b3107625_dc16eaa6","line":65,"range":{"start_line":65,"start_character":48,"end_line":65,"end_character":56},"updated":"2024-01-31 01:50:43.000000000","message":"ditto","commit_id":"38192840160666ce4920e8b52ebcc8ca1f80c27d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"562bd731b550a1baddac139ea9e3e20fabf59d3c","unresolved":false,"context_lines":[{"line_number":62,"context_line":"# for auditing or even support. These uses are also able to view"},{"line_number":63,"context_line":"# project-specific resources where applicable (e.g., listing all"},{"line_number":64,"context_line":"# volumes in the deployment, regardless of the project they belong to)."},{"line_number":65,"context_line":"# The rule:service_role match here is to enable elevated an elevated level"},{"line_number":66,"context_line":"# of API access for a specialized service role and users with appropriate"},{"line_number":67,"context_line":"# role access, specifically because \u0027service\" role is outside of the RBAC"},{"line_number":68,"context_line":"# model defaults and does not imply reader access."}],"source_content_type":"text/x-python","patch_set":3,"id":"805e00a8_96e24f38","line":65,"range":{"start_line":65,"start_character":48,"end_line":65,"end_character":56},"in_reply_to":"b3107625_dc16eaa6","updated":"2024-02-05 15:37:21.000000000","message":"Done","commit_id":"38192840160666ce4920e8b52ebcc8ca1f80c27d"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"f67e7ec67177bebcabd5c670e7d31aff186ae1ff","unresolved":true,"context_lines":[{"line_number":222,"context_line":"    # target check field which is loaded from configuration."},{"line_number":223,"context_line":"    policy.RuleDefault(\u0027service_role\u0027,"},{"line_number":224,"context_line":"                       \u0027role:service and project_name:%(config.service_project_name)s\u0027,  # noqa"},{"line_number":225,"context_line":"                       # \u0027role:service and project_name:service\u0027,"},{"line_number":226,"context_line":"                       description\u003d\u0027Rule to match service role usage with a service project, delineated as a separate rule to enable customization.\u0027),  # noqa"},{"line_number":227,"context_line":"    # Roles likely to be overridden by operator"},{"line_number":228,"context_line":"    # TODO(TheJulia): Lets nuke demo from high orbit."}],"source_content_type":"text/x-python","patch_set":3,"id":"a4cb3ad5_0df5198d","line":225,"updated":"2024-01-31 01:50:43.000000000","message":"It looks like this commented out line can be removed","commit_id":"38192840160666ce4920e8b52ebcc8ca1f80c27d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"562bd731b550a1baddac139ea9e3e20fabf59d3c","unresolved":false,"context_lines":[{"line_number":222,"context_line":"    # target check field which is loaded from configuration."},{"line_number":223,"context_line":"    policy.RuleDefault(\u0027service_role\u0027,"},{"line_number":224,"context_line":"                       \u0027role:service and project_name:%(config.service_project_name)s\u0027,  # noqa"},{"line_number":225,"context_line":"                       # \u0027role:service and project_name:service\u0027,"},{"line_number":226,"context_line":"                       description\u003d\u0027Rule to match service role usage with a service project, delineated as a separate rule to enable customization.\u0027),  # noqa"},{"line_number":227,"context_line":"    # Roles likely to be overridden by operator"},{"line_number":228,"context_line":"    # TODO(TheJulia): Lets nuke demo from high orbit."}],"source_content_type":"text/x-python","patch_set":3,"id":"9ff1ba6a_2ac557a4","line":225,"in_reply_to":"a4cb3ad5_0df5198d","updated":"2024-02-05 15:37:21.000000000","message":"Done","commit_id":"38192840160666ce4920e8b52ebcc8ca1f80c27d"}],"ironic/conf/default.py":[{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"1e0c3503b006efbb2cabde14c4a144492b9cfc53","unresolved":true,"context_lines":[{"line_number":452,"context_line":"                # it to false in backports."},{"line_number":453,"context_line":"                default\u003dTrue,"},{"line_number":454,"context_line":"                help\u003d_(\u0027If a project scoped service role user should \u0027"},{"line_number":455,"context_line":"                       \u0027have elevated elevated API access to perform actions \u0027"},{"line_number":456,"context_line":"                       \u0027such as listing and deploying nodes.\u0027)),"},{"line_number":457,"context_line":"    cfg.StrOpt(\u0027rbac_service_project_name\u0027,"},{"line_number":458,"context_line":"               default\u003d\u0027service\u0027,"}],"source_content_type":"text/x-python","patch_set":1,"id":"bb3990fd_5db69886","line":455,"updated":"2024-01-30 10:53:34.000000000","message":"NIT: double elevated seems stylistically confusing, maybe `elevated system API access`?","commit_id":"65e3a43bf543818ae1959b09a8556cd182b67b71"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ce6e564549a4545f328c7a17630b860ca93b7f83","unresolved":false,"context_lines":[{"line_number":452,"context_line":"                # it to false in backports."},{"line_number":453,"context_line":"                default\u003dTrue,"},{"line_number":454,"context_line":"                help\u003d_(\u0027If a project scoped service role user should \u0027"},{"line_number":455,"context_line":"                       \u0027have elevated elevated API access to perform actions \u0027"},{"line_number":456,"context_line":"                       \u0027such as listing and deploying nodes.\u0027)),"},{"line_number":457,"context_line":"    cfg.StrOpt(\u0027rbac_service_project_name\u0027,"},{"line_number":458,"context_line":"               default\u003d\u0027service\u0027,"}],"source_content_type":"text/x-python","patch_set":1,"id":"ca28f6d6_48eea60f","line":455,"in_reply_to":"0997cd28_b40d8273","updated":"2024-01-31 00:57:21.000000000","message":"I ended up simplifying the model of configuration because I had to change how this would get tested/leveraged a little so it would work as a WSGI app.","commit_id":"65e3a43bf543818ae1959b09a8556cd182b67b71"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"86efd9ed30ec2a68ac57fdf3b9187ae9c26d73a6","unresolved":true,"context_lines":[{"line_number":452,"context_line":"                # it to false in backports."},{"line_number":453,"context_line":"                default\u003dTrue,"},{"line_number":454,"context_line":"                help\u003d_(\u0027If a project scoped service role user should \u0027"},{"line_number":455,"context_line":"                       \u0027have elevated elevated API access to perform actions \u0027"},{"line_number":456,"context_line":"                       \u0027such as listing and deploying nodes.\u0027)),"},{"line_number":457,"context_line":"    cfg.StrOpt(\u0027rbac_service_project_name\u0027,"},{"line_number":458,"context_line":"               default\u003d\u0027service\u0027,"}],"source_content_type":"text/x-python","patch_set":1,"id":"0997cd28_b40d8273","line":455,"in_reply_to":"bb3990fd_5db69886","updated":"2024-01-30 14:45:03.000000000","message":"Ahh, I got interrupted while typing it out, Thanks! Will fix shortly.","commit_id":"65e3a43bf543818ae1959b09a8556cd182b67b71"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"69271d6b7ad601650c3e1f5d1f096df04d82c6bb","unresolved":true,"context_lines":[{"line_number":447,"context_line":""},{"line_number":448,"context_line":"rbac_opts \u003d ["},{"line_number":449,"context_line":"    cfg.StrOpt(\u0027rbac_service_project_name\u0027,"},{"line_number":450,"context_line":"               default\u003d\u0027service\u0027,"},{"line_number":451,"context_line":"               help\u003d_(\u0027The project name utilized for Role Based Access \u0027"},{"line_number":452,"context_line":"                      \u0027Control checks for the reserved `service` project.\u0027"},{"line_number":453,"context_line":"                      \u0027This project is utilized for services to have \u0027"}],"source_content_type":"text/x-python","patch_set":3,"id":"029091f9_62a3b18a","line":450,"updated":"2024-01-31 03:38:56.000000000","message":"Is this a default adopted from somewhere else in OpenStack? Just making sure we\u0027re not going to create a CVE where some random cloud has a user named \"service\" who can now list lots of things :D","commit_id":"38192840160666ce4920e8b52ebcc8ca1f80c27d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a5d21611ac23e8e9e3d40e63e4907e40a9bad1ec","unresolved":true,"context_lines":[{"line_number":447,"context_line":""},{"line_number":448,"context_line":"rbac_opts \u003d ["},{"line_number":449,"context_line":"    cfg.StrOpt(\u0027rbac_service_project_name\u0027,"},{"line_number":450,"context_line":"               default\u003d\u0027service\u0027,"},{"line_number":451,"context_line":"               help\u003d_(\u0027The project name utilized for Role Based Access \u0027"},{"line_number":452,"context_line":"                      \u0027Control checks for the reserved `service` project.\u0027"},{"line_number":453,"context_line":"                      \u0027This project is utilized for services to have \u0027"}],"source_content_type":"text/x-python","patch_set":3,"id":"b2b5af16_1cef2093","line":450,"in_reply_to":"029091f9_62a3b18a","updated":"2024-01-31 15:20:06.000000000","message":"Eh, that is where this gets a little hairy.\n\nRequired reading:\n- https://github.com/openstack/keystone/blob/master/doc/source/admin/service-api-protection.rst#service\n\nThe keystone bootstrap *does* create the service role, but it is not assigned:\n- https://github.com/openstack/keystone/blob/5a97b7d847d5471d91b7e41ab0acf65974419c44/keystone/cmd/bootstrap.py#L171\n\nBut it never gets assigned:\n- https://github.com/openstack/keystone/blob/5a97b7d847d5471d91b7e41ab0acf65974419c44/keystone/cmd/bootstrap.py#L257\n\nKeystone\u0027s own policy is *just* \"role:service\":\n- https://github.com/openstack/keystone/blob/5a97b7d847d5471d91b7e41ab0acf65974419c44/keystone/common/policies/base.py#L69\n\n\nA translation to this point is: Service role access is defaulted, but not explicitly to a specific project because you have to explicitly *add* it as an admin.\n\nBut if we look at conventions:\n\nhttps://github.com/openstack/kolla-ansible/blob/f0b7bf33abb6faff506599c99863b823ca108ef5/ansible/roles/aodh/templates/aodh.conf.j2#L47\nhttps://github.com/openstack/kolla-ansible/blob/f0b7bf33abb6faff506599c99863b823ca108ef5/ansible/roles/nova-cell/templates/nova.conf.j2#L222\nhttps://github.com/openstack/kolla-ansible/blob/f0b7bf33abb6faff506599c99863b823ca108ef5/ansible/roles/neutron/templates/neutron.conf.j2#L192\nhttps://github.com/openstack/kolla-ansible/blob/f0b7bf33abb6faff506599c99863b823ca108ef5/ansible/roles/sahara/templates/sahara.conf.j2#L23\nhttps://github.com/openstack/kolla-ansible/blob/f0b7bf33abb6faff506599c99863b823ca108ef5/ansible/roles/ironic/templates/ironic.conf.j2#L126\nhttps://github.com/openstack/kolla-ansible/blob/f0b7bf33abb6faff506599c99863b823ca108ef5/ansible/roles/ironic/templates/ironic.conf.j2#L141\nhttps://github.com/openstack/kolla-ansible/blob/f0b7bf33abb6faff506599c99863b823ca108ef5/ansible/roles/ironic/templates/ironic.conf.j2#L155\nhttps://github.com/openstack/kolla-ansible/blob/f0b7bf33abb6faff506599c99863b823ca108ef5/ansible/roles/ironic/templates/ironic.conf.j2#L169\nhttps://opendev.org/airship/drydock/src/branch/master/charts/drydock/values.yaml#L287\nhttps://opendev.org/openstack/tripleo-heat-templates/src/branch/master/deployment/cinder/cinder-base.yaml#L161\nhttps://opendev.org/openstack/tripleo-heat-templates/src/branch/master/deployment/cinder/cinder-base.yaml#L167\nhttps://opendev.org/openstack/openstack-helm/src/branch/master/neutron/values.yaml#L2342\nhttps://opendev.org/openstack/openstack-helm/src/branch/master/neutron/values.yaml#L2349\n\nBut then there is some additional slight variation, for example puppet-keystone\u0027s bootstrap invocation defaults to \"services\".\n\nhttps://opendev.org/openstack/puppet-keystone/src/branch/master/manifests/bootstrap.pp#L66\n\nBut realistically, an operator manually installing can just use admin.\n\nMaybe the path is just a binary option, \"role:service\" and and reply upon the operator flow.\n\nBut FWIW, Most services already have some sort of \"role:service\" matching by default, I was just hoping to be able to scope limit it.","commit_id":"38192840160666ce4920e8b52ebcc8ca1f80c27d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"5b0fb91886813a271cd580beb142efbd26262f09","unresolved":false,"context_lines":[{"line_number":447,"context_line":""},{"line_number":448,"context_line":"rbac_opts \u003d ["},{"line_number":449,"context_line":"    cfg.StrOpt(\u0027rbac_service_project_name\u0027,"},{"line_number":450,"context_line":"               default\u003d\u0027service\u0027,"},{"line_number":451,"context_line":"               help\u003d_(\u0027The project name utilized for Role Based Access \u0027"},{"line_number":452,"context_line":"                      \u0027Control checks for the reserved `service` project.\u0027"},{"line_number":453,"context_line":"                      \u0027This project is utilized for services to have \u0027"}],"source_content_type":"text/x-python","patch_set":3,"id":"1bae98cb_00f4d181","line":450,"in_reply_to":"b2b5af16_1cef2093","updated":"2024-02-06 14:25:10.000000000","message":"Done","commit_id":"38192840160666ce4920e8b52ebcc8ca1f80c27d"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"f67e7ec67177bebcabd5c670e7d31aff186ae1ff","unresolved":true,"context_lines":[{"line_number":449,"context_line":"    cfg.StrOpt(\u0027rbac_service_project_name\u0027,"},{"line_number":450,"context_line":"               default\u003d\u0027service\u0027,"},{"line_number":451,"context_line":"               help\u003d_(\u0027The project name utilized for Role Based Access \u0027"},{"line_number":452,"context_line":"                      \u0027Control checks for the reserved `service` project.\u0027"},{"line_number":453,"context_line":"                      \u0027This project is utilized for services to have \u0027"},{"line_number":454,"context_line":"                      \u0027accounts for cross-service communication. Often \u0027"},{"line_number":455,"context_line":"                      \u0027these accounts require higher levels of access, and \u0027"}],"source_content_type":"text/x-python","patch_set":3,"id":"c1c94077_78bf0da2","line":452,"range":{"start_line":452,"start_character":72,"end_line":452,"end_character":73},"updated":"2024-01-31 01:50:43.000000000","message":"need trailing space","commit_id":"38192840160666ce4920e8b52ebcc8ca1f80c27d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"562bd731b550a1baddac139ea9e3e20fabf59d3c","unresolved":false,"context_lines":[{"line_number":449,"context_line":"    cfg.StrOpt(\u0027rbac_service_project_name\u0027,"},{"line_number":450,"context_line":"               default\u003d\u0027service\u0027,"},{"line_number":451,"context_line":"               help\u003d_(\u0027The project name utilized for Role Based Access \u0027"},{"line_number":452,"context_line":"                      \u0027Control checks for the reserved `service` project.\u0027"},{"line_number":453,"context_line":"                      \u0027This project is utilized for services to have \u0027"},{"line_number":454,"context_line":"                      \u0027accounts for cross-service communication. Often \u0027"},{"line_number":455,"context_line":"                      \u0027these accounts require higher levels of access, and \u0027"}],"source_content_type":"text/x-python","patch_set":3,"id":"397d9567_1a14a8f9","line":452,"range":{"start_line":452,"start_character":72,"end_line":452,"end_character":73},"in_reply_to":"c1c94077_78bf0da2","updated":"2024-02-05 15:37:21.000000000","message":"Done","commit_id":"38192840160666ce4920e8b52ebcc8ca1f80c27d"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"1a322a79f559b74200b77a3188f03d33d763b11d","unresolved":true,"context_lines":[{"line_number":447,"context_line":""},{"line_number":448,"context_line":"rbac_opts \u003d ["},{"line_number":449,"context_line":"    cfg.BoolOpt(\u0027rbac_service_role_elevated_access\u0027,"},{"line_number":450,"context_line":"                default\u003dTrue,"},{"line_number":451,"context_line":"                help\u003d_(\u0027If we should enable population of the \u0027"},{"line_number":452,"context_line":"                       \u0027\\\u0027rbac_service_project_name\\\u0027 name setting into \u0027"},{"line_number":453,"context_line":"                       \u0027the internal variables for consideration when \u0027"}],"source_content_type":"text/x-python","patch_set":4,"id":"9b409897_522adaf4","line":450,"updated":"2024-01-31 20:29:40.000000000","message":"I thought the idea was to default this to false, so people wouldn\u0027t get extra access enabled when upgrading?","commit_id":"4d2bc051315fd2e83f5a9f6f5a7a40c41bf459c1"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"5b0fb91886813a271cd580beb142efbd26262f09","unresolved":false,"context_lines":[{"line_number":447,"context_line":""},{"line_number":448,"context_line":"rbac_opts \u003d ["},{"line_number":449,"context_line":"    cfg.BoolOpt(\u0027rbac_service_role_elevated_access\u0027,"},{"line_number":450,"context_line":"                default\u003dTrue,"},{"line_number":451,"context_line":"                help\u003d_(\u0027If we should enable population of the \u0027"},{"line_number":452,"context_line":"                       \u0027\\\u0027rbac_service_project_name\\\u0027 name setting into \u0027"},{"line_number":453,"context_line":"                       \u0027the internal variables for consideration when \u0027"}],"source_content_type":"text/x-python","patch_set":4,"id":"925315e5_d02904b3","line":450,"in_reply_to":"9b409897_522adaf4","updated":"2024-02-06 14:25:10.000000000","message":"Done","commit_id":"4d2bc051315fd2e83f5a9f6f5a7a40c41bf459c1"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"c4789466f934d57540ce4110f1adde68c6804c6d","unresolved":true,"context_lines":[{"line_number":458,"context_line":"                       \u0027When set to True, the configured (or default) \u0027"},{"line_number":459,"context_line":"                       \u0027service project is populated in for the \u0027"},{"line_number":460,"context_line":"                       \u0027\"service_role\" policy rule to consult if elevated \u0027"},{"line_number":461,"context_line":"                       \u0027access should be granted.\u0027)),"},{"line_number":462,"context_line":"    cfg.StrOpt(\u0027rbac_service_project_name\u0027,"},{"line_number":463,"context_line":"               default\u003d\u0027service\u0027,"},{"line_number":464,"context_line":"               help\u003d_(\u0027The project name utilized for Role Based Access \u0027"}],"source_content_type":"text/x-python","patch_set":5,"id":"75697b8b_df9dcabf","line":461,"updated":"2024-01-31 23:18:32.000000000","message":"A suggestion for the description (and maybe also just validation I grok it)?\n\n\"Enable elevated access for users with service role belonging to the rbac_service_project_name project when using default policy. The default setting of disabled causes all service role requests to be scoped to the project the service account belongs to. Please consult service_role RBAC policy configuration to customize behavior further.\"\n\nI don\u0027t love the last sentence there, but I think getting too much in the weeds about what this means in terms of RBAC policy is going to be more confusing than being explicit about behavior changes.","commit_id":"142e4ddbbdae4b02ac202a073477d6dd3182feee"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"5b0fb91886813a271cd580beb142efbd26262f09","unresolved":false,"context_lines":[{"line_number":458,"context_line":"                       \u0027When set to True, the configured (or default) \u0027"},{"line_number":459,"context_line":"                       \u0027service project is populated in for the \u0027"},{"line_number":460,"context_line":"                       \u0027\"service_role\" policy rule to consult if elevated \u0027"},{"line_number":461,"context_line":"                       \u0027access should be granted.\u0027)),"},{"line_number":462,"context_line":"    cfg.StrOpt(\u0027rbac_service_project_name\u0027,"},{"line_number":463,"context_line":"               default\u003d\u0027service\u0027,"},{"line_number":464,"context_line":"               help\u003d_(\u0027The project name utilized for Role Based Access \u0027"}],"source_content_type":"text/x-python","patch_set":5,"id":"d517f22d_cf81ff84","line":461,"in_reply_to":"75697b8b_df9dcabf","updated":"2024-02-06 14:25:10.000000000","message":"Done","commit_id":"142e4ddbbdae4b02ac202a073477d6dd3182feee"}],"releasenotes/notes/service-project-service-role-fix-e4d1a8c23856926a.yaml":[{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"f67e7ec67177bebcabd5c670e7d31aff186ae1ff","unresolved":true,"context_lines":[{"line_number":12,"context_line":"    ML2 plugin to perform actions across the whole of an Ironic"},{"line_number":13,"context_line":"    deployment, if desirable where a \"System\" scoped user is also"},{"line_number":14,"context_line":"    undesirable."},{"line_number":15,"context_line":"    "},{"line_number":16,"context_line":"    This functionality can be disabled by setting the"},{"line_number":17,"context_line":"    ``[DEFAULT] rbac_service_project_name`` setting to no value"},{"line_number":18,"context_line":"    in ``ironic.conf``, upon which all queries and interactions"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"ca573cfd_89286a9a","line":15,"updated":"2024-01-31 01:50:43.000000000","message":"remove indentation spaces","commit_id":"38192840160666ce4920e8b52ebcc8ca1f80c27d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"5b0fb91886813a271cd580beb142efbd26262f09","unresolved":false,"context_lines":[{"line_number":12,"context_line":"    ML2 plugin to perform actions across the whole of an Ironic"},{"line_number":13,"context_line":"    deployment, if desirable where a \"System\" scoped user is also"},{"line_number":14,"context_line":"    undesirable."},{"line_number":15,"context_line":"    "},{"line_number":16,"context_line":"    This functionality can be disabled by setting the"},{"line_number":17,"context_line":"    ``[DEFAULT] rbac_service_project_name`` setting to no value"},{"line_number":18,"context_line":"    in ``ironic.conf``, upon which all queries and interactions"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"e86fea0b_9fb05526","line":15,"in_reply_to":"ca573cfd_89286a9a","updated":"2024-02-06 14:25:10.000000000","message":"Done","commit_id":"38192840160666ce4920e8b52ebcc8ca1f80c27d"}]}